RU
21 - 23.09.2027 | VDNH EXPO, Moscow
Main
Participation
Visiting
Energy forum
Press center
Contacts
Main
Participation
Visiting
Energy forum
Press center
Contacts

PERSONAL DATA PROCESSING POLICY

concerning websites administered by Gefera Media LLC

1. GENERAL PROVISIONS

1.1. This Personal data processing policy concerning websites administered by Gefera Media LLC (hereinafter referred to as the “Policy”) has been developed in pursuance of Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as the “Personal Data Law”) for the purpose of ensuring the protection of human and civil rights and freedoms in the processing of Personal Data, including the protection of rights to privacy and personal and family secrecy.

1.2. The Policy applies to all Personal Data processed by GEFERA MEDIA LLC (hereinafter referred to as the “Operator”), which the Operator may obtain from a Personal Data Subject.

1.3. The Policy applies to relations concerning the processing of Personal Data that arose with the Operator both before and after the approval of this Policy.

1.4. In pursuance of the requirements of Part 2, Article 18.1 of the Personal Data Law, this Policy is published in public access on the Internet at the following link: https://en.heatelectro.ru/privacy.

1.5. The Operator does not verify the accuracy of the Personal Data received from the Personal Data Subject.

1.6. The Operator ensures protection of the processed Personal Data against unauthorized access and disclosure, unlawful use or loss in accordance with the requirements of the Personal Data Law.

1.7. The Personal Data Subject agrees to this Policy by providing consent to the processing of Personal Data.

2. TERMS AND ACCEPTED ABBREVIATIONS

2.1. For the purposes of application and interpretation of this Policy, the following basic terms shall apply (unless otherwise expressly stated in the Policy). In the text of the Policy, these terms may be indicated in uppercase or lowercase, in singular or plural forms, as well as in abbreviated form.

2.1.1. Personal Data means any information relating directly or indirectly to an identified or identifiable individual (Personal Data Subject);

2.1.2. Personal Data Operator means GEFERA MEDIA LLC (TIN: 7705365187, PSRN: 1027700211417, registered address: Premises IV, Office 43, Floor 2, Building 2, 72 Leningradsky Prospekt, Moscow, 125315), which is the owner and administrator of the Websites and independently or jointly with other persons organizes and/or performs the processing of Personal Data, as well as determines the purposes of Personal Data processing, the scope of Personal Data subject to processing, and the actions (operations) performed with Personal Data;

2.1.3. Websites administered by the Operator (hereinafter referred to as the “Websites”) mean a set of computer software and other information contained in an information system, access to which is provided via the Internet information and telecommunications network by the administrator and owner, which is the Operator.

2.1.4. Personal Data Subject (hereinafter referred to as the “Subject”) means an individual whose Personal Data is processed by the Operator or by a third party on behalf of the Operator on the Websites administered by the Operator;

2.1.5. Processing of Personal Data means any action (operation) or set of actions (operations) performed with Personal Data using automation tools or without the use thereof. Processing of Personal Data includes, inter alia:

2.1.5.1. collection;

2.1.5.2. recording;

2.1.5.3. systematization;

2.1.5.4. accumulation;

2.1.5.5. storage;

2.1.5.6. clarification (updating, modification);

2.1.5.7. retrieval;

2.1.5.8. use;

2.1.5.9. transfer (provision to a limited group of persons; access by a limited group of persons);

2.1.5.10. distribution;

2.1.5.11. depersonalization;

2.1.5.12. blocking;

2.1.5.13. deletion;

2.1.5.14. destruction.

2.1.6. Storage of Personal Data means a process involving the keeping of Personal Data in a systematized form at the disposal of the Operator.

2.1.7. Collection of Personal Data means the targeted process of obtaining Personal Data by the Operator directly from Personal Data Subjects.

2.1.8. Automated Processing of Personal Data means processing of Personal Data using computer equipment;

2.1.9. Non-Automated Processing of Personal Data means processing of Personal Data contained in a Personal Data information system or extracted from such system, which shall be deemed performed without the use of automation tools if actions such as use, clarification, distribution, and destruction of Personal Data in relation to each Personal Data Subject are performed with direct human participation;

2.1.10. Mixed Processing of Personal Data means processing by a human with the use of computer equipment;

2.1.11. Provision of Personal Data means actions aimed at disclosing Personal Data to a specific person or a specific group of persons;

2.1.12. Blocking of Personal Data means temporary cessation of Personal Data processing (except where processing is necessary for clarification of Personal Data);

2.1.13. Destruction of Personal Data means actions resulting in the impossibility of restoring the content of Personal Data in a Personal Data information system and/or actions resulting in destruction of tangible media containing Personal Data;

2.1.14. Depersonalization of Personal Data means actions resulting in the impossibility of determining, without additional information, the belonging of Personal Data to a specific Personal Data Subject;

2.1.15. Personal Data Information System (hereinafter referred to as “PDIS”) means a set of Personal Data contained in databases and the information technologies and technical means ensuring their processing.

2.1.16. Cross-Border Transfer of Personal Data means transfer of Personal Data to the territory of a foreign state, to an authority of a foreign state, a foreign individual, or a foreign legal entity.

3. CONDITIONS FOR PERSONAL DATA PROCESSING

3.1. The Operator processes the Subject’s Personal Data using automated means or without such means during the periods necessary to achieve the processing purposes. Grounds for termination of Personal Data processing by the Operator may include achievement of processing purposes, withdrawal by the Subject of consent to processing of Personal Data, withdrawal of consent to distribution of Personal Data, termination of the Operator’s activities (reorganization or liquidation), termination of operation of one or more Websites, termination of an agreement between the Operator and the Subject, dismissal of the Operator’s employee, or identification of unlawful processing.

3.2. The Operator’s policy regarding the processing of Subjects’ Personal Data is that Personal Data shall be processed only in cases established by law, based on the Operator’s main areas of activity and taking into account the balance of interests of the Operator and the Subject. Processing of Personal Data by the Operator shall be carried out with due regard to the necessity of ensuring protection of the Subject’s rights and freedoms, including the right to privacy and personal and family secrecy, on the basis of the following principles:

3.2.1. Processing of Personal Data shall be carried out by the Operator on a lawful and fair basis;

3.2.2. Processing of Personal Data shall be limited to achievement of specific, predetermined, and lawful purposes;

3.2.3. Processing of Personal Data incompatible with the purposes of collection of Personal Data shall not be permitted;

3.2.4. Only Personal Data corresponding to the purposes of processing shall be processed;

3.2.5. The content and scope of processed Personal Data shall correspond to the declared purposes of processing; excessive Personal Data in relation to the declared purposes of processing shall not be permitted;

3.2.6. Storage of Personal Data shall be carried out in a form enabling identification of the Subject no longer than required by the purposes of processing of Personal Data. Processed Personal Data shall be destroyed upon achievement of the processing purposes or if the need to achieve such purposes ceases to exist, unless otherwise provided by law.

3.3. Processing of Personal Data shall be carried out by the Operator in compliance with the principles and rules stipulated by the Personal Data Law in the following cases:

3.3.1. with the consent of the Personal Data Subject to processing of their Personal Data;

3.3.2. where processing of Personal Data is necessary for performance of an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor;

3.3.3. where processing of Personal Data is necessary for the Operator to exercise and fulfill functions, powers, and obligations imposed by the legislation of the Russian Federation;

3.3.4. where processing of Personal Data is necessary for protection of life, health, or other vital interests of the Personal Data Subject if obtaining consent is impossible.

3.4. The Operator shall not have the right to obtain and process Personal Data of the Subject containing information regarding racial or ethnic origin, political opinions, religious or philosophical beliefs, or health status, except with the written consent of the Subject.

3.5. The Operator does not process special categories of Personal Data or biometric data.

3.6. Subjects familiarize themselves with this Policy on the Websites when providing consent.

3.7. Provision of the Subject’s Personal Data upon request of state authorities (local self-government authorities) shall be carried out in accordance with the procedure established by the legislation of the Russian Federation.

3.8. Control over compliance with the requirements of this Policy shall be exercised by an authorized person responsible for organization of Personal Data processing at the Operator.

3.9. Liability of the Operator for violation of the legislation of the Russian Federation in the field of processing and protection of Personal Data shall be determined in accordance with the legislation of the Russian Federation.

3.10. Only employees of the Operator whose job duties include processing of Personal Data shall be permitted to process Personal Data. The list of employees permitted to process Personal Data shall be established by the Operator.

3.11. Disclosure of Personal Data to third parties and distribution of Personal Data without the consent of the Personal Data Subject shall not be permitted unless otherwise provided by federal law. Consent to processing of Personal Data permitted by the Personal Data Subject for distribution shall be executed separately from other consents to processing of Personal Data.

3.12. Procedure for obtaining Personal Data:

3.12.1. Collection of Personal Data, except publicly available Personal Data, shall be carried out by the Operator directly from Personal Data Subjects or persons duly authorized to represent the interests of Subjects. If the Subject’s Personal Data may only be obtained from a third party, the Subject shall be notified thereof or written consent shall be obtained from the Subject.

3.12.2. Upon obtaining Personal Data, the Operator shall inform the Personal Data Subject of:

3.12.2.1. the purposes for obtaining Personal Data by the Operator;

3.12.2.2. the list of Personal Data requested by the Operator;

3.12.2.3. the list of actions the Operator intends to perform with the Personal Data;

3.12.2.4. the period during which the Subject’s consent to processing of Personal Data remains valid;

3.12.2.5. the procedure for withdrawal of consent to processing of Personal Data;

3.12.2.6. the consequences of refusal by the Subject to provide consent for obtaining and processing of Personal Data.

3.13. Documents containing Personal Data shall be created by:

3.13.1. copying original documents (passport of a citizen of the Russian Federation, education certificate, taxpayer identification certificate, pension certificate, SNILS certificate, etc.);

3.13.2. entering information into registration forms;

3.13.3. obtaining original required documents (passport of a citizen of the Russian Federation, income certificate, employment record book, medical certificate, reference letter, etc.).

3.14. Processing of Personal Data for each processing purpose specified in Clauses 5.3–5.7 of the Policy shall be carried out by:

3.14.1. Obtaining Personal Data orally, in writing, and electronically directly from Subjects;

3.14.2. Entering Personal Data into journals, registers, and information systems of the Operator;

3.14.3. Using other methods of processing Personal Data depending on the processing action.

4. RIGHTS AND OBLIGATIONS

4.1. Obligations of the Operator:

4.1.1. To organize processing of Personal Data in accordance with the requirements of the Personal Data Law;

4.1.2. To respond to appeals and requests of Personal Data Subjects and their legal representatives in accordance with the requirements of the Personal Data Law;

4.1.3. To provide the authorized authority for protection of the rights of Personal Data Subjects (Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with necessary information upon request within 10 business days from receipt of such request. This period may be extended by no more than five business days. For this purpose, the Operator shall send Roskomnadzor a reasoned notice indicating the reasons for extension of the period for providing the requested information;

4.1.4. To ensure interaction, in the manner established by the federal executive authority authorized in the field of security, with the state system for detection, prevention, and elimination of consequences of computer attacks on information resources of the Russian Federation, including informing it of computer incidents that resulted in unlawful transfer (provision, distribution, access) of Personal Data;

4.1.5. Where Personal Data was not obtained from the Personal Data Subject, to notify the Subject of the fact of obtaining the Personal Data by the Operator;

4.1.6. To explain to the Personal Data Subject the consequences of refusal to provide Personal Data;

4.1.7. To publish or otherwise ensure unrestricted access to the document defining the Operator’s policy regarding processing of Personal Data;

4.1.8. To take necessary legal, organizational, and technical measures or ensure their adoption to protect Personal Data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, and other unlawful actions with respect to Personal Data.

4.2. The Operator shall have the right to:

4.2.1. Independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of obligations stipulated by the Personal Data Law and adopted regulatory legal acts, unless otherwise provided by the Personal Data Law or other federal laws;

4.2.2. Entrust processing of Personal Data to another person. A person processing Personal Data on behalf of the Operator shall comply with the principles and rules of Personal Data processing stipulated by the Personal Data Law;

4.2.3. In the event the Subject withdraws consent to processing of Personal Data, continue processing of Personal Data without consent if grounds specified in the Personal Data Law exist.

4.3. The Subject shall have the right to:

4.3.1. Receive information concerning processing of their Personal Data, except in cases provided by federal laws. Information shall be provided by the Operator in an accessible form and shall not contain Personal Data relating to other Subjects except where there are lawful grounds for disclosure of such Personal Data. The list of information and procedure for obtaining it are established by the Personal Data Law. Information may include:

4.3.1.1. confirmation of processing of Personal Data by the Operator;

4.3.1.2. legal grounds and purposes for processing of Personal Data;

4.3.1.3. purposes and methods of processing of Personal Data used by the Operator;

4.3.1.4. name and location of the Operator, information about persons (except employees of the Operator) having access to Personal Data or to whom Personal Data may be disclosed on the basis of an agreement with the Operator or federal law;

4.3.1.5. processed Personal Data relating to the relevant Personal Data Subject and the source of obtaining such data, unless another procedure for provision is established by federal law;

4.3.1.6. periods of processing of Personal Data, including storage periods;

4.3.1.7. procedure for exercising rights provided by the Personal Data Law;

4.3.1.8. information on completed or proposed Cross-Border Transfer of Personal Data;

4.3.1.9. name or full name and address of a person processing Personal Data on behalf of the Operator, if processing has been or will be entrusted to such person;

4.3.1.10. other information stipulated by the Personal Data Law or other federal laws.

4.3.2. Provide prior consent to processing of Personal Data for the purposes of promotion of goods, works, and services on the market;

4.3.3. Require the Operator to clarify, block, or destroy Personal Data if such Personal Data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the declared processing purpose, and take measures provided by law to protect their rights;

4.3.4. Appeal unlawful actions or omissions of the Operator regarding processing of Personal Data to Roskomnadzor or in court.

5. PURPOSES OF PERSONAL DATA PROCESSING, CATEGORIES OF SUBJECTS, CATEGORIES OF PROCESSED PERSONAL DATA, AND METHODS OF PROCESSING

5.1. Processing of Personal Data shall be limited to achievement of specific, predetermined, and lawful purposes. Processing of Personal Data incompatible with the purposes of collection of Personal Data shall not be permitted.

5.2. Only Personal Data corresponding to the purposes of processing shall be processed.

5.3. Purpose of Personal Data processing: Preparation, conclusion, and performance of a civil law agreement regarding participation of visitors in exhibitions and events.

Categories of processed Personal Data:

  • surname, first name, patronymic;
  • region of residence;
  • position;
  • email address;
  • phone number.

Categories of Subjects: Visitors of the Operator’s Websites, visitors of exhibitions (events).

Legal basis for Personal Data processing:

  • processing of Personal Data is carried out with the Subject’s consent;
  • processing of Personal Data is necessary for performance of an agreement to which the Subject is a party, beneficiary, or guarantor, as well as for conclusion of an agreement at the initiative of the Subject or an agreement under which the Subject will be a beneficiary or guarantor. An agreement concluded with the Subject may not contain provisions restricting the rights and freedoms of the Subject.

List of actions for processing Personal Data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • use;
  • depersonalization;
  • blocking;
  • deletion;
  • destruction;
  • transfer.

Methods of processing: mixed; with transfer via the internal network of the legal entity; with transfer via the Internet.

Period of processing and storage of Personal Data:

  • term of the agreement;
  • grounds for termination of processing may include achievement of processing purposes, withdrawal of consent, termination of the Operator’s activities (reorganization or liquidation), identification of unlawful processing, expiration of processing periods.

5.4. Purpose of Personal Data processing: Distribution of advertising and informational messages. Categories of processed Personal Data:

  • surname, first name, patronymic;
  • year of birth;
  • month of birth;
  • date of birth;
  • gender;
  • email address;
  • phone number;
  • profession;
  • position.

Categories of Subjects: Contractors; representatives of contractors; visitors of the Operator’s Websites; beneficiaries under agreements.

Legal basis for Personal Data processing:

  • processing of Personal Data is carried out with the Subject’s consent to processing of Personal Data and consent to receive advertising and informational messages.

List of actions for processing Personal Data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • use;
  • depersonalization;
  • blocking;
  • deletion;
  • destruction;
  • transfer (provision, access).

Methods of processing: automated; with transfer via the internal network of the legal entity; with transfer via the Internet.

Period of processing and storage of Personal Data:

  • period of validity of consent to processing of Personal Data;
  • period of validity of consent to receive advertising and informational mailings;
  • grounds for termination of processing may include achievement of processing purposes, withdrawal of consent, termination of the Operator’s activities (reorganization or liquidation), identification of unlawful processing, expiration of processing periods.

5.5. Purpose of Personal Data processing: Use of information collected through the Yandex.Metrica analytics program.

Categories of processed Personal Data:

  • information collected through analytics programs. Categories of Subjects: visitors of the Operator’s Websites. Legal basis for Personal Data processing:
  • processing of Personal Data is carried out with the Subject’s consent.

List of actions for processing Personal Data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • use;
  • transfer (provision to a limited group of persons; access by a limited group of persons);
  • depersonalization;
  • blocking;
  • deletion;
  • destruction.

Methods of processing: automated; without transfer via the internal network of the legal entity; with transfer via the Internet.

Period (and conditions for termination) of processing and storage of Personal Data:

  • period of validity of consent to processing of Personal Data;
  • grounds for termination may include achievement of processing purposes, withdrawal of consent, termination of the Operator’s activities (reorganization or liquidation), termination of operation of one or more Websites, identification of unlawful processing, expiration of processing periods.

5.6. Purpose of Personal Data processing: Publication of information about employees of the Operator and partners of the Operator on the Websites administered by the Operator.

Categories of Personal Data permitted by the Subject for distribution:

  • surname, first name;
  • photograph;
  • position;
  • work phone number;
  • work email address.

Categories of Subjects: employees, representatives of the Operator’s partners.

Legal basis for Personal Data processing:

  • processing of Personal Data is carried out with the Subject’s consent to processing of Personal Data and consent to distribution of Personal Data.

List of actions for processing Personal Data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • use;
  • depersonalization;
  • blocking;
  • deletion;
  • destruction;
  • transfer;
  • distribution.

Methods of processing: automated; with transfer via the internal network of the legal entity; with transfer via the Internet.

Period (and conditions for termination) of processing and storage of Personal Data:

  • period of validity of consent;
  • period of validity of consent to distribution;
  • grounds for termination may include achievement of processing purposes, withdrawal of consent to processing or distribution, termination of the Operator’s activities (reorganization or liquidation), termination of operation of one or more Websites administered by the Operator, termination of an agreement, dismissal of an employee, identification of unlawful processing, expiration of processing periods.

5.7. Purpose of Personal Data processing: Participation of speakers in exhibitions and events conducted by the Operator and publication of information about them on the Websites administered by the Operator.

Categories of processed Personal Data:

  • surname, first name (subject to publication);
  • company name;
  • region of residence;
  • position (subject to publication);
  • email address;
  • phone number.

Categories of Subjects: persons invited as speakers to exhibitions and events conducted by the Operator.

Legal basis for Personal Data processing:

  • processing of Personal Data is carried out with the Subject’s consent to processing of Personal Data and consent to distribution of Personal Data.

List of actions for processing Personal Data:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating, modification);
  • retrieval;
  • use;
  • depersonalization;
  • blocking;
  • deletion;
  • destruction;
  • transfer;
  • distribution.

Methods of processing: automated; with transfer via the internal network of the legal entity; with transfer via the Internet.

Period of processing and storage of Personal Data:

  • period of validity of consent;
  • period of validity of consent to distribution;
  • grounds for termination may include achievement of processing purposes, withdrawal of consent, termination of the Operator’s activities (reorganization or liquidation), identification of unlawful processing, expiration of processing periods.

6. ANALYTICS PROGRAM DATA AND TECHNICAL DATA

6.1. The Websites administered by the Operator use the Yandex.Metrica analytics program for statistical purposes. Information processed through analytics programs includes:

  • information about hardware and software devices used by visitors of the Websites, including operating system model and version, unique identifiers of devices used to access the Websites;
  • information recorded in server logs, including cookie data, IP address, and system failure information;
  • information about the geographical location of Website visitors (country, region);
  • visited pages/sections;
  • number of page visits;
  • information about movement through pages/sections of the Websites;
  • session duration;
  • entry points (third-party websites from which a visitor accesses the Websites through a link);
  • exit points (links from the Websites through which a visitor accesses third-party websites);
  • Website visitor’s provider;
  • Website visitor’s browser data.

6.2. The Service uses Cookie technology.

6.3. Information processed and collected through cookies includes:

  • identification number;
  • date and time of visit;
  • viewed pages;
  • visitor’s region;
  • type of device used for the visit and its operating system. The Operator also processes technical information. Technical information means information automatically transmitted to the Operator during use of the Service, namely:
  • IP address;
  • internet browser;
  • other technical information that does not constitute Personal Data.

7. TRANSFER OF PERSONAL DATA

7.1. The Operator transfers Personal Data to third parties in the following cases:

7.1.1. the Personal Data Subject has provided consent to such actions;

7.1.2. transfer is provided for by Russian or other applicable legislation within the procedure established by law.

7.2. The list of persons to whom Personal Data is transferred shall be established by the consent to processing of Personal Data provided by the Subject or by mandatory provisions of applicable law.

7.3. Provision of the Subject’s Personal Data upon request of state authorities (local self-government authorities) shall be carried out in accordance with the legislation of the Russian Federation.

7.4. When collecting Personal Data, including through the Internet information and telecommunications network, the Operator ensures processing of Personal Data of citizens of the Russian Federation using databases located within the territory of the Russian Federation, except for cases specified by the Personal Data Law.

7.5. The Operator does not independently carry out Cross-Border Transfer of Personal Data.

8. UPDATING, CORRECTION, DELETION, AND DESTRUCTION OF PERSONAL DATA; RESPONSES TO SUBJECT REQUESTS FOR ACCESS TO PERSONAL DATA

8.1. Procedure for reviewing requests of Subjects:

8.1.1. Confirmation of the fact of processing of Personal Data by the Operator, legal grounds and purposes for processing, and other information specified in Part 7, Article 14 of the Personal Data Law shall be provided by the Operator to the Subject or their representative within 10 business days from receipt of the request. This period may be extended by no more than five business days. For this purpose, the Operator shall send the Subject a reasoned notice indicating the reasons for extending the response period.

8.1.2. The information provided shall not include Personal Data relating to other Subjects, except where lawful grounds for disclosure exist.

8.1.3. The request shall contain data enabling identification of the Subject and the Subject’s signature, and where signed by a representative, a document confirming the representative’s authority.

8.1.4. The request may be sent electronically and signed with an electronic signature in accordance with the legislation of the Russian Federation.

8.1.5. The Operator shall provide the information specified in Part 7, Article 14 of the Personal Data Law in the same form in which the request was submitted unless otherwise specified in the request. If the request does not contain all information required by the Personal Data Law or if the Subject does not have rights of access to the requested information, a reasoned refusal shall be sent.

8.1.6. The Subject’s right of access to their Personal Data may be restricted in accordance with Part 8, Article 14 of the Personal Data Law, including where such access violates the rights and legitimate interests of third parties.

8.2. If inaccurate Personal Data is identified upon request of the Subject, their representative, or Roskomnadzor, the Operator shall block the Personal Data relating to the Subject from the moment of such request during the verification period, provided such blocking does not violate the rights and legitimate interests of the Subject.

8.3. If the inaccuracy of Personal Data is confirmed, the Operator shall clarify the Personal Data within seven business days from provision of relevant information and remove the blocking.

8.4. If unlawful processing of Personal Data is identified upon request of the Subject, their representative, or Roskomnadzor, the Operator shall block unlawfully processed Personal Data within three business days from receipt of the request.

8.5. If the Operator, Roskomnadzor, or another interested party identifies unlawful or accidental transfer (provision, distribution, access) of Personal Data resulting in violation of rights of Subjects, the Operator shall:

8.5.1. within 24 hours notify Roskomnadzor of the incident, the presumed causes of the violation, the presumed harm caused to rights of Subjects, and measures taken to eliminate consequences, and provide information about the person authorized to interact with Roskomnadzor regarding the incident;

8.5.2. within 72 hours notify Roskomnadzor of the results of the internal investigation and provide information about persons whose actions caused the incident (if any).

8.6. Destruction of Personal Data:

8.6.1. Upon achievement of the purpose of processing Personal Data or withdrawal by the Subject of consent, Personal Data shall be destroyed unless:

8.6.1.1. otherwise provided by an agreement to which the Subject is a party, beneficiary, or guarantor;

8.6.1.2. the Operator is entitled to process Personal Data without consent on grounds stipulated by the Personal Data Law or other federal laws;

8.6.1.3. otherwise provided by the legislation of the Russian Federation.

8.7. Personal Data stored on electronic media shall be destroyed by erasing it from computer memory or formatting computer memory.

8.8. Destruction of documents (paper media) containing Personal Data shall be carried out by burning, shredding, chemical decomposition, or conversion into shapeless mass or powder. Use of a shredder is permitted.

8.9. Destruction of Personal Data shall be carried out by a commission established by order of the Operator’s General Director.

8.10. The period for destruction of Personal Data shall be 10 business days from occurrence of one of the events specified in Clause 8.6 of this Policy.

9. MEASURES TAKEN BY THE OPERATOR TO PROTECT PERSONAL DATA

9.1. In accordance with regulatory requirements, the Operator has established a Personal Data protection system consisting of legal, organizational, and technical protection subsystems.

9.2. The legal protection subsystem constitutes a set of legal, organizational, administrative, and regulatory documents ensuring establishment, operation, and improvement of Personal Data protection systems.

9.3. The organizational protection subsystem includes organization of management structure of Personal Data protection systems, authorization systems, and information protection when working with employees, partners, and third parties.

9.4. The technical protection subsystem includes technical, software, and hardware-software means ensuring protection of Personal Data.

9.5. The main Personal Data protection measures used by the Operator include:

9.5.1. Appointment of a person responsible for processing of Personal Data, who organizes processing, training, instruction, and internal control over compliance with Personal Data protection requirements;

9.5.2. Identification of current security threats to Personal Data during processing in Personal Data information systems and development of protection measures;

9.5.3. Development of this Policy;

9.5.4. Establishment of access rules for Personal Data processed in Personal Data information systems and ensuring registration and accounting of all actions performed with Personal Data;

9.5.5. Establishment of individual employee passwords for access to information systems according to job duties;

9.5.6. Use of information protection means that have passed conformity assessment procedures in accordance with established procedures;

9.5.7. Certified antivirus software with regularly updated databases;

9.5.8. Compliance with conditions ensuring preservation of Personal Data and preventing unauthorized access thereto;

9.5.9. Detection of unauthorized access to Personal Data and taking measures;

9.5.10. Recovery of Personal Data modified or destroyed due to unauthorized access;

9.5.11. Instruction of employees directly processing Personal Data regarding provisions of the legislation of the Russian Federation on Personal Data, including Personal Data protection requirements, documents defining the Operator’s policy regarding processing of Personal Data, and local acts regarding processing of Personal Data;

9.5.12. Internal control and audit;

9.5.13. Employees whose positions involve processing of Personal Data shall be granted access only after signing a non-disclosure undertaking;

9.5.14. Job descriptions of employees processing Personal Data shall include provisions regarding the necessity to report any unauthorized access to Personal Data.

9.6. During processing of Personal Data, the Operator ensures:

9.6.1. implementation of measures aimed at preventing unauthorized access to Personal Data and/or transfer thereof to persons not entitled to access such information;

9.6.2. timely detection of unauthorized access to Personal Data;

9.6.3. prevention of impacts on technical means of automated processing of Personal Data that may disrupt their functioning;

9.6.4. possibility of immediate recovery of Personal Data modified or destroyed due to unauthorized access;

9.6.5. continuous control over the level of protection of Personal Data.

9.7. The Operator conducts internal investigations in the following situations:

9.7.1. upon unlawful or accidental transfer (provision, distribution, access) of Personal Data resulting in violation of rights of Personal Data Subjects;

9.7.2. in other cases provided by legislation in the field of Personal Data.

9.8. The employee responsible for organization of processing of Personal Data exercises internal control over compliance by authorized employees with requirements of legislation regarding Personal Data and local regulatory acts.

9.8.1. Scheduled internal inspections shall be conducted based on an annual plan approved by the Operator’s General Director.

9.8.2. Unscheduled internal inspections shall be conducted by decision of the employee responsible for organization of processing of Personal Data. Grounds for such inspections include information regarding violations of Personal Data legislation received orally or in writing.

9.8.3. Based on results of an internal inspection, a memorandum shall be prepared for the General Director. If violations are identified, the document shall include a list of corrective measures and implementation deadlines.

9.9. The Operator uses technical means and software for processing and protection of Personal Data.

9.10. The above technical means and software are located in offices and premises of the Operator or premises of other persons engaged by the Operator.

9.11. All persons admitted to work with Personal Data and associated with operation and technical maintenance of PDIS are familiarized with this Policy.

9.12. The Operator has organized training on use of protection means operated by the Operator. Such training has been completed by persons having permanent access to Personal Data, persons operating technical and software means of PDIS and protection means of PDIS, and persons responsible for operation of information protection means of PDIS.

9.13. Employees shall immediately notify the relevant official of the Operator regarding loss or shortage of media containing Personal Data, as well as reasons and conditions for possible leakage of Personal Data. If third parties attempt to obtain Personal Data processed by the Operator from an employee, the employee shall immediately notify the relevant official of the Operator.

9.14. When working with software of the Operator’s automated system implementing functions of viewing and editing Personal Data, display of screen forms containing such data to persons lacking relevant authorization shall be prohibited.

9.15. Storage of Personal Data:

9.15.1. Personal Data of Subjects may be obtained, further processed, and transferred for storage both on paper and electronically.

9.15.2. Personal Data on paper media shall be stored by the Operator during document retention periods established by archival legislation of the Russian Federation (Federal Law No. 125-FZ dated October 22, 2004 “On Archival Affairs in the Russian Federation”, List of Standard Administrative Archival Documents Generated in the Activities of State Authorities, Local Self-Government Authorities, and Organizations, approved by Rosarchive Order No. 236 dated December 20, 2019).

9.15.3. Personal Data fixed on paper media shall be stored in locked cabinets or locked premises with restricted access rights.

9.15.4. Personal Data processed using automation means shall be processed and stored in compliance with requirements established by Decree of the Government of the Russian Federation No. 1119 “On Approval of Requirements for Protection of Personal Data During Processing in Personal Data Information Systems” dated November 1, 2012. The storage period for Personal Data processed in Personal Data information systems shall correspond to the storage period for Personal Data on paper media.

9.15.5. Storage and placement of documents containing Personal Data in open electronic catalogs (file- sharing systems) within Personal Data information systems shall not be permitted.

9.15.6. Storage of Personal Data shall be carried out in a form enabling identification of the Subject no longer than required by the purposes of processing unless the storage period is established by federal law or an agreement to which the Subject is a party, beneficiary, or guarantor.

10. LIABILITY OF THE OPERATOR

10.1. Management of the Operator shall bear responsibility for failure to ensure confidentiality of Personal Data and for non-compliance with rights and freedoms of Subjects regarding their Personal Data, including rights to privacy and personal and family secrecy.

10.2. Employees of the Operator shall bear personal liability for failure to comply with requirements regarding processing and ensuring security of Personal Data in accordance with the legislation of the Russian Federation.

10.3. An employee of the Operator may be held liable in cases of:

10.3.1. intentional or negligent disclosure of Personal Data;

10.3.2. loss of tangible media containing Personal Data;

10.3.3. violation of requirements of this Policy and other regulatory documents of the Operator regarding access to and work with Personal Data.

10.4. In cases of violation of the established procedure for processing and ensuring security of Personal Data, unauthorized access to Personal Data, disclosure of Personal Data, and causing material or other damage to the Operator, its employees, contractors, and other Subjects, guilty persons shall bear civil, criminal, administrative, disciplinary, and other liability provided by the legislation of the Russian Federation.

10.5. The Operator informs the Subject that this Policy applies only to Personal Data processed by the Operator. The Operator does not control and shall not be responsible for use of third-party websites which the Subject may access at their own discretion and risk via links posted on the Websites.

10.6. The Operator shall not be responsible for accuracy of the Subject’s Personal Data.

11. FINAL PROVISIONS

11.1. This Policy shall enter into force upon approval, shall be enacted by order of the Operator, and shall remain in force indefinitely (until cancellation or replacement by a new version of the Policy).

11.2. Requirements of this Policy apply to all employees of the Operator having access to Personal Data, as well as to all Subjects.

11.3. The Operator shall have the right to unilaterally amend and/or supplement this Policy. In the event of amendments affecting rights of Subjects, the Operator may, but is not obliged to, send information about such amendments to Subjects using their contact details or notify them of amendments in another manner.

12. OPERATOR DETAILS

GEFERA MEDIA LLC

Registered address: Premises IV, Office 43, Floor 2, Building 2, 72 Leningradsky Prospekt, Moscow, 125315

TIN: 7705365187

PSRN: 1027700211417

Email: info@gefera.ru