
available at krasnoforum.ru (as of November 25, 2019)

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter referred to as the "Policy") has been developed according to Clause 2 of Article 18.1 of the Russian Federal Law "On Personal Data" (No. 152-FZ, dated July 27, 2006), as well as other legislative and regulatory acts of the Russian Federation regarding personal data protection and processing, and applies to all personal data (hereinafter referred to as "Data") that can be obtained by the Organization (hereinafter referred to as the "Operator") from a personal data subject being a party to a civil law contract.

1.2. The Operator protects processed personal data from unauthorized access, disclosure, misuse and loss according to the requirements of the Russian Federal Law "On Personal Data" (No. 152-FZ, dated July 27, 2006).

1.3. Making amendments to the Policy

1.3.1. The Operator is entitled to make amendments to this Policy. When amendments are made, the Policy heading will contain the date on which it was last reviewed or last updated. A new version of the Policy comes into force from the time of its posting on the website, unless otherwise specified in the new version of the Policy.

2. Terms and Abbreviations

2.1. "Personal data" (PD) means any information relating to a directly or indirectly identified or identifiable natural person (personal data subject).

"Personal data processing" means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, systematization, accumulation, storage, refinement (update, alteration), retrieval, utilization, transfer (distribution, provision, access), depersonalization, blocking, removal or destruction.

2.2. "Automated processing of personal data" means personal data processing by means of computer aids.

2.3. "Personal data information system" (PDIS) means a set of personal data contained in databases, as well as information technologies and technical means ensuring their processing.

2.4. "Personal data made public by the personal data subject" means PD to which access by an unlimited number of persons is provided by the personal data subject or at his/her request.

2.5. "Personal data blocking" means temporary termination of personal data processing (except as otherwise necessary to clarify personal data).

"Personal data destruction" means actions, as a result of which it becomes impossible to restore the personal data content in the personal data information system or as a result of which personal data material or tangible media become destroyed.

"Operator" means a natural person who, acting independently or jointly with other persons, organizes personal data processing and determines the purposes of such personal data processing, the composition of personal data to be processed, operations to be performed with personal data. Operators are natural persons.

3. Personal Data Processing

3.1. PD reception

3.1.1. All PD should be received from the subject. If the subject's PD can only be received from a third party, the subject must be notified or consent must be given by the subject.

3.1.2. The Operator must inform the subject of any purposes, intended sources and methods of PD reception, PD to be received, actions to be carried out with PD, a period during which consent is valid and how it is withdrawn, as well as of any consequences of the subject's refusal to give written consent regarding their reception.

3.1.3. Documents containing PD are created by:

– Copying original documents (passport, educational certificate, INN certificate, pension certificate, etc.);

– Making entries on accounting forms;

3.2. PD processing

3.2.1. Personal data are processed:

– with consent of the personal data subject to the processing of his/her personal data;

– in cases where personal data processing is necessary to exercise and perform functions, powers and obligations imposed by the legislation of the Russian Federation;

– in cases where the personal data being processed are data to which access by an unlimited number of persons is provided by the personal data subject or at his/her request (hereinafter referred to as "Personal Data Made Public by the Personal Data Subject").

3.2.2. Purposes for processing personal data:

– Conducting civil law relations.

3.2.3. Categories of personal data subjects

PD of the following PD subjects are processed:

– Natural persons having civil law relations with the operator.

3.2.4. PD that are processed by the Operator:

– data obtained during the conduct of civil law relations.

3.2.5. Personal data are processed:

– using automated means;

– without using automated means.

3.3. PD storage

3.3.1. Subjects' PD can be received, further processed and stored in both paper and electronic form.

3.3.2. PD recorded on paper-based media are stored in cabinets or rooms kept under lock and key with a restricted access right.

3.3.3. Subjects' PD processed using automated means for different purposes are stored in different folders.

3.3.4. It is not allowed to store and put documents containing PD into open electronic catalogues (file sharing services) in PDISs.

3.3.5. PD are stored in a form allowing the identification of a PD subject for no longer than the purposes of their processing require and are subject to destruction upon achievement of such purposes or in case their achievement is no longer needed.

3.4. PD destruction

3.4.2. PD stored on electronic media are destroyed by deleting or formatting the media.

3.4.3. The fact of PD destruction is confirmed documentarily by preparing a destruction certificate.

3.5. PD transfer

3.5.1. The Operator transfers PD to third parties in the following cases:

– The subject expresses his/her consent to such actions;

– Such transfer is provided for by the legislation of the Russian Federation or other applicable laws according to the procedure established by law.

3.5.2. Persons to whom PD are transferred

Third parties to whom PD are transferred:

– Agencies and units of the Russian Ministry of Internal Affairs in cases established by law.

4. Personal Data Protection

4.1. According to the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS) that consists of legal, organizational and technical protection subsystems.

4.2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents ensuring the creation, functioning and improvement of the PDPS.

4.3. The organizational protection subsystem includes the organization of a management structure for the PDPS, a permit system, the protection of information when dealing with employees, partners and third parties.

4.4. The technical protection subsystem includes a set of technical, software and hardware means ensuring the protection of PD.

4.5. Main PD protection measures used by the Operator are as follows:

4.5.1. Appointing a person who is responsible for PD processing, who organizes PD processing, training and briefing sessions, internal supervision to ensure that an institution and its employees meet PD protection requirements.

4.5.2. Identifying immediate threats to PD security during their processing in the PDIS and developing measures to protect PD.

4.5.3. Developing a personal data processing policy.

4.5.4. Establishing rules of access to PD processed in the PDIS, as well as ensuring the registration and verification of all actions performed with PD in the PDIS.

4.5.5. Generating individual passwords for employees to provide access to the information system according to their job duties.

4.5.6. Applying data protection means certified according to the established compliance verification procedure.

4.5.7. Certified anti-virus software products with regularly updated databases.

4.5.8. Meeting the terms and conditions ensuring the security of PD and excluding any unauthorized access.

4.5.9. Detecting unauthorized access to personal data and undertaking actions.

4.5.10. Restoring PD modified or destroyed due to any unauthorized access.

4.5.11. Training the Operator's employees who directly process personal data and instructing them in the provisions of the Russian legislation on personal data, including the requirements for personal data protection, documents detailing the Operator's personal data processing policy, local normative acts regarding personal data processing procedures.

4.5.12. Internal supervision and audit.

5. Fundamental Rights of the PD Subject and Obligations of the Operator

5.1. Fundamental rights of the PD subject

The subject is entitled to access his/her personal data and such information as:

– Confirmation of PD processing by the Operator;

– Legal grounds for and purposes of PD processing;

– PD processing purposes and methods used by the Operator;

– Name and location of the Operator, information about persons (except for the Operator's employees) who have access to PD or to whom PD can be disclosed by agreement with the Operator or by federal law;

– Dates of personal data processing, including dates of their storage;

– Methods on how the PD subject exercises his/her rights provided for by federal law;

– Name or surname, first name, patronymic and address of a person who processes PD when and as instructed by the Operator, if the processing is or will be entrusted to such person;

– Contacting and sending requests to the Operator;

– Appealing against the Operator's actions or omissions.

5.2. Obligations of the Operator

The Operator is obliged to:

– provide information on PD processing when PD are collected;

– notify the subject in cases where PD have not been received from the PD subject;

– explain, in case of refusal to provide PD to the subject, the consequences of such refusal;

– Publish or otherwise provide unrestricted access to documents detailing his/her PD processing policy, information on any PD protection requirements in progress;

– Take necessary legal, organizational and technical measures or ensure their undertaking to protect PD from illegal or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as other illegal actions;

– Respond to requests sent by PD subjects, their representatives and authorized bodies specializing in the protection of PD subjects' rights.

 

Procedures for storing and protecting personal user data

1. Terms and Definitions

"Website" means a set of computer-related software and hardware means ensuring that information and data are published for public inspection and general use by technical means used for communication between computers on the Internet. The term "website", when used in the Agreement, means a website available at http://krasnoforum.ru

"User" means a person who uses the Internet and, in particular, the Website and has his/her personal page (profile/account).

"Federal law (FL)" means the Russian Federal Law "On Personal Data" (No. 152-FZ, dated July 27, 2006).

"Personal data" (PD) means any information relating to a directly or indirectly identified or identifiable natural person (personal data subject).

"Operator" means a natural person who, acting independently or jointly with other persons, organizes personal data processing and determines the purposes of such personal data processing, the composition of personal data to be processed, operations to be performed with personal data. Operators are natural persons.

"Personal data processing" means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, systematization, accumulation, storage, refinement (update, alteration), retrieval, utilization, transfer (distribution, provision, access), depersonalization, blocking, removal or destruction.

"Automated processing of personal data" means personal data processing by means of computer aids.

"Personal data distribution" means an action aimed at disclosing personal data to a certain number of persons upon prior consent and in cases provided for by law.

"Personal data provision" means actions aimed at disclosing personal data to a certain person or a certain number of persons.

"Personal data blocking" means temporary termination of personal data processing (except as otherwise necessary to clarify personal data).

"Personal data destruction" means actions, as a result of which it becomes impossible to restore the personal data content in the personal data information system or as a result of which personal data material or tangible media become destroyed.

"Personal data depersonalization" means actions, as a result of which it becomes impossible to determine the belonging of personal data to a specific personal data subject without using additional information.

"Personal data information system" (PDIS) means a set of personal data contained in databases, as well as information technologies and technical means ensuring their processing.

2. General Provisions

2.1. The Personal User Data Protection and Storage Regulation (hereinafter referred to as the "Regulation") has been developed to comply with the requirements of the legislation of the Russian Federation containing personal data and identifications of all Users navigating around the Website.

2.2. The Regulation has been developed according to the Constitution, the Civil Code and the applicable personal data protection legislation of the Russian Federation.

2.3. The Regulation establishes procedures for processing Website Users' personal data: actions undertaken to collect, systematize, accumulate, store, refine (update, modify), destroy personal data.

2.4. The Regulation establishes general rules and requirements associated with all types of data media containing Website Users' personal data and binding upon the Operator's employees involved in the Website maintenance.

2.5. The Regulation does not address any issues of ensuring the security of personal data classified as information constituting an official secret of the Russian Federation.

2.6. The purposes of this Regulation are as follows:

– Meeting the requirements associated with protecting human rights and freedoms in the course of processing personal data, including rights to privacy, personal and family secrets;

– Preventing any unauthorized actions by the Operator's employees and any third parties related to the collection, systematization, accumulation, storage, refinement (update, modification) of personal data, other forms of illegal interference with the Operator's information resources and local computer network, ensuring a legal and regulatory confidentiality mode with regard to Website Users' undocumented information; protecting constitutional rights to personal secrets, confidentiality of information constituting personal data, as well as preventing possible threats to the security of Website Users.

2.7. Principles for personal data processing:

– Personal data must be processed on a legal and fair basis;

– Personal data processing must be limited to the achievement of specific, predetermined and legitimate goals. Personal data processing incompatible with the purposes of personal data collection is not allowed;

– It is not allowed to combine databases containing personal data that are processed for purposes incompatible with each other;

– Only personal data meeting the purpose of their processing are subject to processing;

– The content and amount of processed personal data must correspond to all stated processing purposes. Personal data to be processed must not be redundant with respect to the stated purposes of their processing;

– When processing personal data, their accuracy, sufficiency and, if necessary, relevance with respect to the purposes of personal data processing must be ensured;

– Personal data must be stored for no longer than required by the purpose of personal data processing, if dates of personal data storage are not specified by federal law, a contract to which the User is a party;

– Processed personal data are subject to destruction or depersonalization upon achievement of processing purposes or in case such achievement is no longer needed, unless otherwise specified in the Federal Law.

2.8. Personal data processing terms

2.8.1. Website Users' personal data are processed on the basis of the Civil Code, the Constitution and the applicable personal data protection legislation of the Russian Federation.

2.8.2. Personal data contained in the Website are processed in compliance with the principles and rules stipulated in the Regulation and the legislation of the Russian Federation.

Personal data processing is allowed in the following cases:

– Personal data processing is necessary to use the Website to which the User is a party;

– Personal data processing is necessary to protect the Website User's life, health or other vital interests, if it is impossible to obtain consent;

– Personal data processing is necessary to exercise the Operator's rights and legitimate interests or those of third parties or achieve socially significant purposes provided that Website Users' rights and freedoms are not violated;

– Personal data are processed for statistical or other research purposes, except for personal data processing for the purpose of promoting goods, works, services in the market through direct contacts with potential consumers using communication facilities, as well as for the purpose of political agitation, provided that personal data must be depersonalized.

2.9. Purposes of personal data processing

2.9.1. Website Users' personal data are processed solely for the purpose of enabling the User to interact with the Website.

2.9.2. Information constituting personal data available from the Website is any information relating to a natural person (personal data subject) identified or identifiable based on such information.

2.10. Sources of Users' personal data

2.10.1. A source of information on all the User's personal data is the User himself/herself.

2.10.2. A source of information on the User's personal data is the information received as a result of granting of the rights by the Operator to the User to use the Website.

2.10.3. Users' personal data are classified as confidential information of restricted access.

2.10.4. No confidentiality of personal data is required in case of their depersonalization, as well as in relation to publicly available personal data.

2.10.5. The Operator is not entitled to collect and process the User's personal data regarding his/her ethnicity, nationality, political views, religious or philosophical beliefs, private life, except as specified in the applicable legislation.

2.10.6. The Operator is not entitled to receive and process the User's personal data regarding his/her membership in public associations or his/her trade union activities, except as specified in the Federal Law.

2.11. Methods of personal data processing

2.11.1. Website Users' personal data are processed using exclusively automated means.

2.12. Rights of personal data subjects (Users)

2.12.1. The User is entitled to receive information about the Operator, his/her location, have personal data related to a specific personal data subject (User) from the Operator, as well as get acquainted with such personal data, except in cases provided for in Part 8 of Article 14 of the Federal Law "On Personal Data".

2.12.2. The User is entitled to receive from the Operator, either through face-to-face communication or upon receipt of the User's written request by the Operator, the following information concerning the processing of his/her personal data, including that containing:

– Confirmation of personal data processing by the Operator, as well as the purpose of such processing;

– Legal grounds for and purposes of personal data processing;

– Purposes and methods of personal data processing used by the Operator;

– Name and location of the Operator, information about persons (except for the Operator's employees) who have access to personal data or to whom personal data can be disclosed by agreement with the Operator or by operation of the Federal Law;

– Processed personal data relating to a specific personal data subject, sources of their reception, unless otherwise specified in the Federal Law;

– Dates of personal data processing, including dates of their storage;

– Procedures enabling personal data subjects to exercise their rights provided for by the Federal Law;

– Information on any actual or implied cross-border data transfer;

– Name or surname, first name, patronymic and address of a person who processes personal data when and as instructed by the Operator, if the processing is or will be entrusted to such person;

– Other information provided for by the Federal Law or other federal laws;

– Require modifications, clarifications, destruction of his/her personal information;

– Appeal against illegal actions or omissions regarding personal data processing and claim compensation in court;

– Supplement personal data of judgment with a statement expressing his/her own point of view;

– Appoint representatives to protect his/her personal data;

– Require the Operator to notify of all changes or exceptions made to them.

2.12.3. The User is entitled to appeal to an authorized body specializing in the protection of personal data subjects' rights or in court against the Operator's actions or omissions if he/she considers that the latter processes his/her personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his/her rights and freedoms.

2.12.4. The User is entitled to protect his/her rights and legitimate interests, including those associated with compensation of losses and (or) emotional distress damages in court.

2.13. Obligations of the Operator

2.13.1. Either through face-to-face communication or upon receipt of the personal data subject's or his/her representative's written request, the Operator is obliged, if applicable and within 30 days from the date of such communication or request, to provide information to the extent specified in the Federal Law. This information must be provided to the personal data subject in an easily accessible form and must not contain any personal data relating to any other personal data subjects, unless there are legitimate grounds for disclosing such personal data.

2.13.2. All personal data subjects' or their representatives' requests regarding personal data processing are registered in the Record Book.

2.13.3. In case of refusal to provide personal data to the subject or his/her representative either through face-to-face communication or upon receipt of the personal data subject's or his/her representative's request for information on the availability of personal data on a specific personal data subject, the Operator is obliged to give a written substantiated response containing a reference to Paragraph 8 of Article 14 of the Federal Law "On Personal Data" or any other federal law, which constitutes grounds for such refusal, within a period not exceeding 30 days from the date of communication or from the date of such request.

2.13.4. In case of receipt of a request from an authorized body specializing in the protection of personal data subjects' rights regarding the provision of information necessary for carrying out the specified body's activities, the Operator is obliged to provide such information to the authorized body within 30 days from the date of such request.

2.13.5. In case of detection of illegal personal data processing, either through face-to-face communication or at the personal data subject's or his/her representative's request or that of an authorized body specializing in the protection of personal data subjects' rights, the Operator is obliged to block illegally processed personal data related to this personal data subject from the time of such communication or request for the period of inspection.

2.13.6. In case of detection of illegal personal data processing carried out by the Operator, the latter is obliged to cease such illegal personal data processing within three working days from the date of detection. The Operator is obliged to notify the personal data subject or his/her representative of elimination of all committed violations and, where the communication or request was sent by an authorized body specializing in the protection of personal data subjects' rights, to notify that body as well.

2.13.7. If personal data processing purposes are achieved, the Operator is obliged to cease personal data processing and destroy personal data within a period not exceeding 30 working days from the date of achievement, unless otherwise specified in a contract to which the personal data subject is a party.

2.13.8. It is prohibited to make decisions that are based exclusively on the automated processing of personal data and give rise to legal consequences in relation to the personal data subject or otherwise affect his/her rights or legitimate interests.

2.14. Confidentiality mode for personal data

2.14.1. The Operator ensures the confidentiality and security of personal data during their processing according to the requirements of the legislation of the Russian Federation.

2.14.2. The Operator does not disclose or distribute personal data to third parties without the personal data subject's consent, unless otherwise specified in the Federal Law.

2.14.3. According to the list of personal data processed on the website, Website Users' personal data are confidential information.

2.14.4. Persons involved in processing personal data are obliged to comply with the requirements of the Operator's regulatory documents with regard to ensuring the confidentiality and security of personal data.

3. Personal Data Processing

3.1. The list of Users' processed personal data is as follows: surname, first name, patronymic, sex, date of birth, company, region, mobile phone, e-mail.

3.2. Persons entitled to access personal data

3.2.1. The right of access to subjects' personal data is vested in persons who have corresponding powers in accordance with their official duties.

3.2.2. A list of persons having access to personal data is approved by the Operator.

3.3. Procedures and terms of personal data storage on the Website

3.3.1. The Operator only stores Users' personal data on the Website.

3.3.2. Periods of Users' personal data storage on the Website are determined according to the terms and conditions of End-User Agreement, become effective from the time of acceptance of this agreement by the User on the Website and are valid until the User declares desire to remove his/her personal data from the Website.

3.3.3. In case of data deletion from the Website at the initiative of one of the parties, namely the cessation of use of the Website, the User's personal data are stored in the Operator's databases for five years in accordance with the legislation of the Russian Federation.

3.3.4. Upon expiration of the above period, the User's personal data are deleted by an automatically preassigned algorithm to be specified by the Operator.

3.3.5. The Operator does not process personal data from paper-based media.

3.4. Personal data blocking

3.4.1. Personal data blocking means temporary termination of processing operations by the Operator at the User's request in case the latter detects false information or illegal actions with respect to his/her data, in the personal data subject's opinion.

3.4.2. The Operator does not transfer personal data to any third parties and does not entrust their processing to any third parties or organizations. Website Users' personal data are processed only by the Operator's employees (database administrators, etc.) authorized to process personal data in the established procedure.

3.4.3. Personal data on the Website are blocked on the basis of the personal data subject's written request.

3.5. Personal data destruction

3.5.1. Personal data destruction means actions, as a result of which it becomes impossible to restore the personal data content on the Website or as a result of which personal data material or tangible media become destroyed.

3.5.2. The personal data subject is entitled to make a written request regarding the destruction of his/her personal data in case such personal data are incomplete, out-of-date, unreliable, illegally obtained or not necessary for the stated purpose of processing.

3.5.3. If personal data cannot be destroyed, the Operator blocks them.

3.5.4. Personal data are destroyed by deleting information using a certified software product with guaranteed destruction (according to certain characteristics specified for such installed software product with guaranteed destruction).

4. Personal Data Protection System

4.1. Measures ensuring the security of personal data during their processing

4.1.1. When processing personal data, the Operator is obliged to take necessary legal, organizational and technical measures or ensure their undertaking to protect personal data from illegal or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as other illegal actions.

4.1.2. The security of personal data is achieved, in particular, by:

– Identifying threats to the security of personal data during their processing in personal data information systems;

– Taking organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet personal data protection requirements;

– Applying data protection means certified according to the established compliance verification procedure;

– Assessing the effectiveness of measures undertaken to ensure the security of personal data before the personal data information system is commissioned;

– Taking into account computer-assisted personal data media;

– Detecting unauthorized access to personal data and taking measures;

– Restoring personal data modified or destroyed due to any unauthorized access;

– Establishing the rules of access to personal data processed in the personal data information system, as well as ensuring the registration and verification of all actions performed with personal data in the personal data information system;

– Monitoring measures undertaken to ensure the security of personal data and the security level of personal data information systems.

4.1.3. For the purposes of the Regulation, threats to the security of personal data are defined as a set of conditions and factors that create the risk of unauthorized access, including accidental access, to personal data, the result of which may be destruction, modification, blocking, copying, provision, distribution and other illegal actions during their processing in the personal data information system. The security level of personal data means a comprehensive indicator characterizing the requirements whose execution ensures the neutralization of certain threats to the security of personal data during their processing in the personal data information system.

4.2. Protected information about the personal data subject

Protected information about the personal data subject on the Website includes data that allow one to identify this personal data subject and/or obtain additional information about him/her, provided for by the legislation and the Regulation.

4.3. Protected personal data objects

4.3.1. Protected personal data objects on the Website are as follows:

– Informatization items and technical means for the automated processing of information containing personal data;

– Information resources (databases, files, etc.) containing information about information and telecommunication systems where personal data circulate, about events occurred with controlled objects, about plans to ensure uninterrupted operation and procedures for transition to control in emergency modes;

– Communication channels that are used to transmit personal data as informative electrical signals and physical fields;

– Alienated data carriers on a magnetic and magnetic-optical basis (or another basis) used to process personal data.

4.3.2. Technological information concerning information systems or personal data protection system elements and subject to protection includes the following:

– Information about an access control system for informatization items where personal data are processed;

– Management information (configuration files, routing tables, security settings, etc.);

– Technological information of access facilities for control systems (authentication information, access keys and attributes, etc.);

– Characteristics of communication channels that are used to transmit personal data as informative electrical signals and physical fields;

– Information about personal data protection facilities, their composition and structure, protection principles and technical solutions;

– Service data (metadata) appearing during the operation of software, internetworking messages and protocols, as a result of personal data processing.

4.4. Requirements for personal data protection systems

Personal data protection systems must comply with the requirements of the Russian Government Resolution "On the Approval of Requirements for Personal Data Protection During Their Processing in Personal Data Information Systems" (Resolution No. 1119, dated November 1, 2012).

4.4.1. Personal data protection systems must ensure:

– Timely detection and prevention of unauthorized access to personal data and (or) their transfer to persons who are not entitled to access such information;

– Prevention of any effects on technical means related to the automated processing of personal data, as a result of which their functioning may be affected;

– Possibility of immediate restoration of personal data modified or destroyed due to any unauthorized access;

– Continuous control over ensuring the security level of personal data.

4.4.2. Information security facilities used in information systems must be subject to the established compliance verification procedure.

4.5. Data protection methods in personal data information systems

4.5.1. Data protection methods in the Operator's personal data information systems must meet the requirements of:

– Decree No. 21 "On the Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems" of the Federal Service for Technical and Export Control (Decree No. 21, dated February 18, 2013);

– Decree No. 378 "On the Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems Using Cryptographic Data Protection Facilities Necessary for Compliance with the Personal Data Protection Requirements Established by the Russian Government for the Protection of Personal Data for Each Level of Security" of the Russian Federal Security Service (Decree No. 378, dated July 10, 2014) (in case the Operator determines the necessity of using cryptographic data protection facilities to ensure the security of personal data).

4.5.2. The main data protection methods in personal data information systems are methods of protecting data from unauthorized access, including accidental access, to personal data, which may result in destruction, modification, blocking, copying, distribution and other unauthorized actions (hereinafter referred to as "Data Protection Methods from Unauthorized Access").

4.5.3. Data protection methods related to the Website are selected and implemented according to recommendations from such regulatory bodies as the FSTEC of Russia and the Russian Federal Security Service, taking into account any threats to the security of personal data (threat model) determined by the Operator and depending on the class of information systems.

4.5.4. Selected and implemented data protection methods related to the Website must ensure the neutralization of any implied threats to the security of personal data during their processing.

4.6. Measures aimed at protecting information constituting personal data

4.6.1. Measures aimed at protecting databases containing personal data and undertaken by the Operator must include the following:

– Determining a list of information constituting personal data;

– Restricting access to information containing personal data by establishing procedures for handling and monitoring such information.

4.6.2. Measures aimed at protecting the confidentiality of information are considered to be reasonably sufficient if:

– Any third parties are prevented from accessing personal data without the Operator's consent;

– It is possible to use information containing personal data without violating the personal data legislation;

– When dealing with the User, the Operator's plan of actions is organized so as to ensure the security of information containing the User's personal data.

4.6.3. Personal data cannot be used for any purposes conflicting with the requirements of the Federal Law, the protection of the foundations of the constitutional system, morality, health, rights and legitimate interests of other persons, the defence of the country and the security of the state.

4.7. Responsibility

4.7.1. All the Operator's employees who process personal data are obliged to maintain the confidentiality of information containing personal data, in accordance with the Regulation and the requirements of the legislation of the Russian Federation.

4.7.2. Persons guilty of violating the requirements of the Regulation will bear responsibility as set forth by the legislation of the Russian Federation.

4.7.3. Those responsible for personal data processing will bear responsibility for complying with the personal data mode with respect to personal data available from the Website databases.

5. Final Provisions

5.1. If any amendments are made to the applicable legislation of the Russian Federation or to regulatory documents related to personal data protection, this Regulation will remain valid insofar as it does not conflict with the applicable legislation until it is brought into compliance with the same.

5.2. The terms and conditions of this Regulation will be set forth, amended and annulled by the Operator on a unilateral basis and without prior notice to the User. A previous version of the Regulation will be considered invalid from the time its new version is posted on the Website. In the event of a substantial change to the terms and conditions of this Agreement, the Operator will notify Users by posting a relevant message on the Website.

5.3. If the User does not agree with the terms and conditions of this Regulation, he/she is obliged to immediately delete his/her account from the Website; otherwise, the User's continued use of the Website means that the User agrees with the terms and conditions of this Regulation.