
Personal Data Processing Policy

Purpose and scope

This document describes the policy for processing, accumulating and storing documents that contain information related to personal data.

The purpose of this Policy is to protect human and civil rights and freedoms in the processing of personal data, including the right to personal and family privacy, and to establish the responsibility of officials who have access to personal data for noncompliance with the regulations on personal data processing and protection.

Abbreviations, basic definitions and terms

Personal data — any information relating to a directly or indirectly specified individual (personal data subject);

Personal data authorized by the personal data subject for distribution — personal data, access to which by the public is provided by the subject of personal data by giving consent to the processing of personal data, authorized by the personal data subject for distribution in the manner prescribed by Federal Law;

Operator — state authority, municipal authority, legal entity or individual, who independently or jointly with other persons arranges and/or performs personal data processing, as well as defines the purposes of personal data processing, the volume of personal data subject to processing and actions performed towards personal data;

Personal data processing — any action (operation) or a series of actions (operations) performed towards personal data with or without use of the software, including collection, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access), depersonalization, blocking, deleting and destruction of personal data;

Automated personal data processing — personal data processing via PC software;

Personal data presentation — actions aimed at personal data disclosure to a certain person or a certain group of persons;

Personal data blocking — temporary interruption of personal data processing (except where processing is required for personal data update or alteration);

Personal data destruction — actions making it impossible to restore personal data volume in the personal data information system and/or resulting in the elimination of tangible media;

Personal data depersonalization — actions making it impossible to identify personal data as related to a certain data subject without involving additional information;

Personal data information system — a set of personal data included into personal data databases, as well as the software and tools used for their processing;

Trans-border transfer of personal data — transfer of personal data to a foreign territory, foreign government body, to a foreign individual or a foreign legal entity located in a foreign territory;

Information — messages, data independently of their particular representation.

Legal basis for personal data processing

The Policy is based on the following statutes and regulations of the Russian Federation:

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28, 1981 as amended and approved by the Committee of Ministers of the Council of Europe on June 15, 1999, ratified by the Federal Law of the Russian Federation No. 160-FZ “On Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” dated December 19, 2005 within statements determined by this Federal Law; Constitution of the Russian Federation; Civil Code of the Russian Federation; Administrative Violations Code of the Russian Federation; Labour Code of the Russian Federation; Criminal Code of the Russian Federation; Federal Law No. 149-FZ “On Information, Information Technologies and the Protection of Information” dated July 27, 2006; List of confidential information approved by Edict of the President of the Russian Federation No. 188 dated March 6, 1997; Regulations on details of non-automated personal data processing approved by the decision of the Government of the Russian Federation No. 687 dated September 15, 2008; Requirements for the protection of personal data while it is processed in information systems of personal data, approved by the decision of the Government of the Russian Federation No. 1119 dated November 1, 2012.

JSC Tander (hereinafter, the Company) performs personal data processing on a lawful and fair basis. The legal basis for personal data processing is a set of legal acts and legally significant documents in compliance with which JSC Tander performs personal data processing:

Labour Code of the Russian Federation; Civil Code of the Russian Federation; Agreements concluded between JSC Tander and a personal data subject; Agreements concluded between JSC Tander and other legal entities under which personal data processing is involved; Consent to personal data processing, etc.

Purposes of collection, volume and categories of subjects of personal data processed

Content and volume of personal data processed fully meet the specified purposes.

Purposes for personal data processing are the following:

1. Conclusion of employment agreements with individuals.

1.1. Categories of personal data subjects:

employees.

Categories of personal data processed: other personal data, special personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality; gender; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); marital status; income details, number(s) of bank account and card for salary payment; education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; personal email address; military service details, social benefits data; employment history: current position; information on attendance at work; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held; special categories of personal data in the form of medical details (certificates, findings, medical records, including documents confirming vaccination, availability of medical exemption and other documents).

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

1.2. Categories of personal data subjects:

job applicants.

Categories of personal data processed: other personal data.

List of personal data processed: full name, date of birth, contact telephone number, contact e-mail, residential address, marital status, details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background, name of educational institution, starting date of education and graduation date, profession obtained, employment history.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies), hard copies of applicants’ personal data shall be destroyed by shredding. Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

2. Conclusion of services agreements with individuals.

2.1. Categories of personal data subjects: individuals with whom services agreements have been signed.

Categories of personal data processed: other personal data.

List of personal data processed: full name, nationality, gender, passport details, contact telephone number, details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number), taxpayer identification number, place of employment, position, date of birth, place of birth.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

3. Performance of functional duties of a legal entity as employer.

3.1. Categories of personal data subjects:

employees.

Categories of personal data processed: other personal data, special personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality; gender; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); marital status; income details, number(s) of bank account and card for salary payment; education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; personal email address; military service details, social benefits data; employment history: current position; information on attendance at work; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held; special categories of personal data in the form of medical details (certificates, findings, medical records, including documents confirming vaccination, availability of medical exemption and other documents).

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

3.2. Categories of personal data subjects:

former employees.

Categories of personal data processed: other personal data.

List of personal data processed: full name; nationality, gender, photo (hard copy); date and place of birth; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; employment history: current position; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held;

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

3.3. Categories of personal data subjects:

nearest relatives of employees.

Categories of personal data processed: other personal data.

List of personal data processed: full name, relation degree, birth certificate number, date of birth.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

4. Maintenance of financial and operating performance of a company.

4.1. Categories of personal data subjects:

contractors.

Categories of personal data processed: other personal data.

List of personal data processed: full name of a contact person, position, passport details, details of driving license, E-mail, contact telephone number, taxpayer identification number, account number.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

4.2. Categories of personal data subjects:

lessees.

Categories of personal data processed: other personal data.

List of personal data processed: full name, taxpayer identification number, passport details, account number, address.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

5. Organization and provision of advanced professional education in the form of professional retraining.

5.1. Categories of personal data subjects:

trainees.

Categories of personal data processed: other personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality, gender, passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; information on training activity: training programme; information on educational performance and attendance at the place of training venue; learning outcomes of training programmes.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies), hard copies of applicants’ personal data shall be destroyed by shredding. Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

6. Organization of industrial and (or) pre-graduation internship for students of higher and specialized secondary educational institutions.

6.1. Categories of personal data subjects:

students.

Categories of personal data processed: other personal data.

List of personal data processed: full name; date of birth; nationality; gender; passport details; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background: name of educational institution, course of study, name and code of specialty, subject of the thesis paper; telephone line (mobile) number; contact e-mail.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

7. Organization of participation in corporate social events.

7.1. Categories of personal data subjects:

employees.

Categories of personal data processed: other personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality, gender, passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); marital status; education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; employment history: current position; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held;

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

7.2. Categories of personal data subjects:

nearest relatives of employees.

Categories of personal data processed: other personal data.

List of personal data processed: full name, relation degree, birth certificate number, date of birth.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

7.3. Categories of personal data subjects:

employees of affiliated companies.

Categories of personal data processed: other personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality, gender; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); marital status; education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; employment history: current position; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held;

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

8. Personnel and accounting records maintenance for affiliated companies.

8.1. Categories of personal data subjects:

employees of affiliated companies.

Categories of personal data processed: other personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality, gender; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); marital status; education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; employment history: current position; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held;

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

8.2. Categories of personal data subjects:

former employees of affiliated companies.

Categories of personal data processed: other personal data.

List of personal data processed: full name; photo (hard copy); date and place of birth; nationality, gender; passport details or data of another identification document; registered address; residential address; taxpayer identification number; details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background, including academic degrees and competence, information on qualification upgrade, on language qualifications; information on disability (if applicable), disability group number, findings of Disability Board of Review (if applicable); telephone line (mobile) number; military service details, social benefits data; employment history: current position; results of assessment, evaluation and testing of professional abilities and individual psychological characteristics; completed training programmes; work experience and positions held;

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

8.3. Categories of personal data subjects:

nearest relatives of employees of affiliated companies.

Categories of personal data processed: other personal data.

List of personal data processed: full name, relation degree, birth certificate number, date of birth.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

9. Recruitment of personnel for affiliated companies.

9.1. Categories of personal data subjects:

job applicants of affiliated companies.

Categories of personal data processed: other personal data.

List of personal data processed: full name, date of birth, contact telephone number, contact e-mail, residential address, marital status, details of the document confirming registration in the system of individual (personalized) record-keeping (individual insurance account number); education background, name of educational institution, starting date of education and graduation date, profession obtained, employment history.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies), hard copies of applicants’ personal data shall be destroyed by shredding. Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

10. Market promotion.

10.1. Categories of personal data subjects:

clients.

Categories of personal data processed: other personal data.

List of personal data processed: full name, gender, date of birth, contact telephone number, contact e-mail, district of residence.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

11. Determination of a medical diagnosis and provision of medical services for medical and prophylactic purposes.

11.1. Categories of personal data subjects:

employees requesting medical assistance.

Categories of personal data processed: other personal data, special personal data.

List of personal data processed: full name; date of birth; place of birth; address; health condition.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

11.2. Categories of personal data subjects:

individuals requesting medical assistance.

Categories of personal data processed: other personal data, special personal data.

List of personal data processed: full name; date of birth; place of birth; address; health condition.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by erasing information from data storage media (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

12. Access control.

12.1. Categories of personal data subjects:

visitors of JSC Tander buildings.

Categories of personal data processed: other personal data.

List of personal data processed: full name, passport details.

Periods for processing and storing personal data: personal data shall be stored in the form which allows to determine the personal data subject not longer than it is required by a purpose of their processing.

Procedure of personal data destruction when objectives are achieved and upon the occurrence of other legal grounds: destruction shall be fulfilled by overwriting fields in databases (including backup copies). Monitoring of compliance with the procedures of destruction of personal data shall be carried out by the person responsible for the organization of personal data processing.

Procedure and terms of personal data processing

JSC Tander shall receive all personal data of subjects from these subjects or from their legal representatives.

While collecting personal data, including through the information and telecommunications network "Internet", the recording, systematization, accumulation, storage, clarification (update, change), and extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation are ensured.

Data automatically saved by the information system for user analysis, such as phone model, mobile operator, phone operating system, phone manufacturer and IP address of the website visitor, is used to identify and correct faulty functions of the website and application, and to protect against hacking attempts, spam and other injurious actions through the service: https://www.kaspersky.com/web-privacy-policy.

Personal data processing shall be carried out in accordance with the current legislation of the Russian Federation on the basis of consent of the personal data subject, except as otherwise provided in the Federal Law No. 152-FZ. Adjustment of a form of consent of a subject to standard forms of documents containing personal data of a subject (for example: questionnaire, letterheads) shall be allowed, except when personal data is provided for distribution.

Personal data processing means actions (operations) with personal data including:

collection, storage, update and alteration; systematization, accumulation; use, distribution, transfer; depersonalization, blocking, destruction.

The personal data subject shall make a decision on provision of their personal data and give a consent to their processing wilfully and for their own benefit.

Obtainment of personal data of the subject from the third parties shall be possible only upon prior notification of the subject and subject to their written approval, except when personal data is provided for distribution.

Personal data of subjects shall be processed in structural divisions of JSC Tander in accordance with functions performed.

Personal data authorized by the subject of personal data for distribution and published on the website of JSC Tander in the form of photographic images of the faces of the Chairmen and members of the Company's Management Board shall be published for the purpose of improving corporate governance practices, and shall not be prohibited from being disclosed to an indefinite number of persons.

If there are conditions for processing personal data and if there are prohibitions and conditions for processing personal data by the public, the relevant information shall be published by the Company within three business days from the moment the consent of the subject of the personal data is obtained.

Access to personal data processed without the use of automation facilities shall be exercised in accordance with the list approved.

Access to personal data processed in personal data information systems shall be exercised in accordance with the list and procedure approved by JSC Tander.

Authorized persons of JSC Tander allowed to receive personal data of subjects shall have a right to obtain only personal data of a subject that are necessary for fulfillment of certain functions in compliance with job description of the authorized persons.

Non-automated personal data processing shall be performed in compliance with “The provisions on details of non-automated personal data processing” approved by the Russian Federation Government Resolution No. 687 dated September 15, 2008.

Personal data processed in this way shall be separated from other information, in particular, by fixing it on separate material media bearing the personal data, in special sections or on forms (letterheads) margins.

Personal data shall be destroyed or depersonalized in the following cases:

objectives of processing are achieved or their achievement becomes unnecessary; withdrawal of consent of the personal data subject to personal data processing is received; the personal data subject or their legal representative provides information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing; detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and it is impossible to provide lawful processing of personal data; the request of the subject of personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary to achieve the stated purpose.

Material media bearing the personal data shall be stored in specially fitted cabinets and safe boxes. Storage places shall be determined by the order on approval of storage places for JSC Tander material media bearing the personal data.

Within 7 business days from the day of provision by the personal data subject or their legal representative of information confirming that the personal data are incomplete, inaccurate or outdated, JSC Tander shall make adjustments as required and notify the subject of the alterations.

Destruction of personal data shall be fulfilled within 30 business days from the moment of achieving the purpose of personal data processing unless otherwise provided for by the federal laws of the Russian Federation.

Destruction of personal data shall be fulfilled within 30 business days from the moment of withdrawal of consent of the personal data subject to personal data processing.

Destruction of personal data shall be fulfilled within 7 business days from the moment of provision by the personal data subject or their representative of information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing.

In case of detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and if it is impossible to provide lawful personal data processing, destruction of personal data shall be fulfilled within 10 business days from the moment of detection of unlawful processing of personal data. Decision on the unlawfulness of personal data processing and the necessity of their destruction shall be made by the person responsible for organization of personal data processing who shall inform the management of it. JSC Tander shall inform a personal data subject or their legal representative of destruction of personal data.

Destruction of personal data shall be fulfilled by the committee consisting of employees of the structural division which processed personal data of the subject and established the necessity of destruction of personal data under the control of a director of this structural division.

The method of destruction of material media bearing the personal data shall be determined by the committee. The use of the following methods shall be admitted:

burning; shredding (chopping); transfer to special-purpose grounds (landfills); chemical treatment.

An act shall be drawn up and signed by a chairman of the committee that performed destruction of material media bearing the personal data.

Special organizations may be involved if it is needed to destroy a large number of material media or to apply special methods of destruction. In this case the members of the committee responsible for personal data destruction shall be present at the destruction of the material media bearing the personal data. The slip confirming transfer of material media bearing personal data, subject to destruction, to a special organization shall be attached to the act of destruction.

Destruction of JSC Tander database fields containing personal data of the subject shall be fulfilled in the following cases:

objectives of processing are achieved or their achievement becomes unnecessary; withdrawal of consent of the personal data subject to personal data processing is received; the personal data subject or their legal representative provides information confirming that the personal data have been received illegally or are not necessary for the declared purpose of their processing; detection of unlawful processing of personal data when the personal data subject or their legal representative informs of it, and it is impossible to provide lawful processing of personal data; the request of the subject of personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary to achieve the stated purpose.

Destruction shall be fulfilled by the committee consisting of persons that are responsible for the technical maintenance of automated systems and that own the databases.

Destruction of electronic records archives and electronic communications protocols may not be fulfilled if their maintenance and security within a certain period are stipulated in the corresponding regulatory and/or contractual documents.

Processing of biometric personal data (photograph used for identification, fingerprints, retinal pattern, etc.), according to article 11 of the Federal Law No. 152-FZ, shall be allowed with the consent of the subject. Adjustment of a form of consent of the subject to standard forms of documents containing personal data of the subject (for example, questionnaire, letterheads) shall be allowed.

A decision that produces legal effects concerning the personal data subject or otherwise involves their rights and legitimate interests may be made on the basis of entirely automated processing of their personal data with the express written agreement of the personal data subject.

Protection of personal data of the subjects from unlawful use or loss shall be provided by JSC Tander at its own expense in accordance with the procedure established by the legislation of the Russian Federation.

Cross-border transfer of personal data to foreign territories or to persons and organizations located in foreign territories is carried out in strict compliance with the provisions of Article 12 of the Federal Law No. 152-FZ.

Necessary organizational and technical measures to ensure confidentiality of personal data shall be taken while processing.

Technical measures to protect personal data while processing with hardware shall be determined in accordance with:

Regulatory document of FSTEC of Russia — “Composition and content of organizational and technical measures to ensure safety of personal data while processing in information systems of personal data”, ratified by the Order of FSTEC of Russia No. 21 dated February 18, 2013; Order of the Federal Security Service of Russia of 10.07.2014 No. 378 “On approval of the composition and content of organisational and technical measures to ensure security of personal data during its processing in personal data information systems using cryptographic information protection tools, necessary to meet the requirements established by the Government of the Russian Federation to the protection of personal data for each level of protection”; Internal documents of JSC Tander operating in the information security sphere.

Personal data protection shall provide for restriction of access to them.

Internal policies and procedures, including the following documents, have been approved and accepted for execution by the order of JSC Tander CEO:

documents determining the procedure of personal data processing; orders on approval of storage places of material media bearing personal data; orders on determination of the list of persons carrying out processing of personal data or having access to them; forms of consent of subjects to processing of their personal data; documents determining the procedures aimed at prevention and detection of breaches of the Russian Federation legislation and remedial measures; documents regulating the procedure of internal control; documents aimed at estimation of damage that may be caused to personal data subjects in case of breach of the federal legislation relating to personal data; arrangement of access to rooms where personal data are processed; standard obligation of personal data nondisclosure; standard form of explanation to the personal data subject of the legal consequences of refusal to provide personal data; list of personal data information systems.

JSC Tander shall reserve the right to check completeness and accuracy of personal data provided with the consent of the personal data subject. In case of detection of erroneous or incomplete personal data, JSC Tander shall have a right to end all relationships with the personal data subject.

Procedure of processing applications and inquiries of personal data subjects

When receiving an application or a written inquiry from the personal data subject or their legal representative for access to their personal data, JSC Tander shall follow the requirements of articles 14, 18 and 20 of the Federal Law No. 152-FZ.

The access of the personal data subject or their legal representative to their personal data shall be provided by JSC Tander only under the control of the person responsible for the organization of personal data processing by JSC Tander.

Inquiries of the personal data subject or their legal representative shall be fixed in the registry of inquiries of citizens (personal data subjects) related to processing of personal data.

Written inquiries of the personal data subject or their legal representative shall be fixed in the registry of written inquiries of citizens for the access to their personal data.

The person responsible for the organization of personal data processing shall make a decision on providing access to personal data to the subject.

If the data provided by the subject are not enough to establish their identity, or if provision of personal data breaches the constitutional rights and liberties of other persons, the person responsible for the organization of personal data processing shall prepare a substantive response containing a reference to the provision of part 8 of article 14 of the Federal Law No. 152-FZ or of another federal law that is the ground for such refusal, within the time period specified by the law from the day of inquiry of the personal data subject or their legal representative or from the date of receipt of the inquiry of the personal data subject or their legal representative.

In order to provide access to personal data of the subject to this subject or their representative, the person responsible for the organization of personal data processing shall involve an employee (employees) of the structural division processing personal data of the subject upon the agreement with a director of this structural division.

Information on availability of personal data shall be provided by JSC Tander to the personal data subject in an intelligible form, and it shall not contain personal data related to other personal data subjects. Control over provision of information to the subject or their legal representative shall be carried out by the person responsible for the organization of personal data processing.

Information on availability of personal data shall be provided to the subject in the response to the inquiry within ten business days from the date of receipt of the inquiry of the personal data subject or their legal representative. This period may be extended, but by not more than five business days, if the operator delivers a reasoned notice to the personal data subject, specifying the reasons for extending the deadline for providing the requested information.

Procedure of interaction with regulatory (supervisory) authorities

In case of an incident resulting in unauthorized access, provision, distribution or transfer of personal data, JSC Tander shall notify the authorized body for the protection of the rights of personal data subjects within twenty-four hours from the moment of detection of such incident. Within seventy-two hours, JSC Tander shall provide the results of an internal investigation into such incident.

Organisation of interaction with the competent authorities to protect the rights of subjects of personal data in the case of incidents is carried out in accordance with the procedure established by Articles 19, 21 of the Federal Law No. 152-FZ.

In accordance with the part 4 article 20 of the Federal Law No. 152-FZ, JSC Tander shall provide the authorized body for protection of rights of personal data subjects upon its request with the information necessary for the operation of this body within ten business days from the date of receipt of such request. This period may be extended, but by not more than five business days, if the operator delivers a reasoned notice to the personal data subject, specifying the reasons for extending the deadline for providing the requested information.

Collection of information for preparation of the substantive response to the inquiry of regulatory authorities shall be carried out by the person responsible for the organization of personal data processing, if necessary involving JSC Tander employees.

Within the period established by the legislation the person responsible for the organization of personal data processing shall prepare the substantive response and other necessary documents and send them to the authorized body.