Nizhny Novgorod
prospekt Gagarina 37D,room P3.

(831) 296-14-01
(831) 296-14-02

Menu

Nizhny Novgorod
prospekt Gagarina 37D,room P3.

(831) 296-14-01
(831) 296-14-02

Personal Data Processing Policy

1. General Provisions

1.1. This Personal Data Processing Policy of JSC Politeks-NN (hereinafter – the Policy) establishes the basic principles, purposes, conditions, and methods of processing personal data, the categories of subjects and personal data processed by JSC Politeks-NN (hereinafter – the Company), the Company’s functions in processing personal data, the rights of personal data subjects, as well as the requirements for personal data protection implemented within the Company.

1.2. The Policy has been developed taking into account the requirements of legislative and other regulatory legal acts of the Russian Federation in the field of personal data processing.

1.3. The provisions of the Policy serve as the basis for the development of the Company’s organizational and administrative documents regulating the processes of personal data processing, as well as measures to ensure the security of personal data when processed by the Company.

2. Legislative and Regulatory Framework

This Policy is defined in accordance with the following regulatory legal acts:

2.1. Constitution of the Russian Federation.

2.2. Labor Code of the Russian Federation.

2.3. Federal Law No. 152-FZ of July 27, 2006 “On Personal Data.”

2.4. Decree of the President of the Russian Federation No. 188 of March 6, 1997 “On the Approval of the List of Confidential Information.”

2.5. Resolution of the Government of the Russian Federation No. 512 of July 6, 2008 “On Approval of Requirements for Physical Media of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems.”

2.6. Resolution of the Government of the Russian Federation No. 687 of September 15, 2008 “On Approval of the Regulation on Specifics of Processing Personal Data Carried Out Without the Use of Automation Tools.”

2.7. Resolution of the Government of the Russian Federation No. 1119 of November 1, 2012 “On Approval of Requirements for the Protection of Personal Data During Their Processing in Personal Data Information Systems.”

2.8. Order of the Federal Service for Technical and Export Control No. 21 of February 18, 2013 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data During Their Processing in Personal Data Information Systems.”

2.9. Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media No. 996 of September 5, 2013 “On Approval of Requirements and Methods for Depersonalization of Personal Data.”

2.10. Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) No. 178 of October 27, 2022 “On Approval of the Requirements for Assessing Harm That May Be Caused to Personal Data Subjects in the Event of Violation of the Federal Law ‘On Personal Data.’”

2.11. Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) No. 179 of October 28, 2022 “On Approval of the Requirements for Confirmation of Personal Data Destruction.”

2.12. Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) No. 187 of November 14, 2022 “On Approval of the Procedure and Conditions for Interaction Between the Federal Service for Supervision of Communications, Information Technology and Mass Media and Data Operators in the Framework of Maintaining the Register of Personal Data Incidents.”
2.13. Other regulatory legal acts of the state authorities of the Russian Federation and of the Company.

2.14. The documents referenced in this section shall be used in their latest published version with all amendments and additions duly adopted in accordance with established procedure.

3. Basic Terms, Concepts, and Definitions

The following terms, concepts, and definitions are used in this Policy:

3.1. Information — data (messages, facts), regardless of the form of their presentation.

3.2. Personal Data — any information relating directly or indirectly to an identified or identifiable natural person (personal data subject).

3.3. Operator — a state body, municipal body, legal entity, or natural person that, independently or jointly with others, organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data.

3.4. Personal Data Processing — any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of personal data.

3.5. Automated Processing of Personal Data — the processing of personal data using computer technology.

3.6. Distribution of Personal Data — actions aimed at disclosing personal data to an indefinite circle of persons.

3.7. Provision of Personal Data — actions aimed at disclosing personal data to a specific person or a specific circle of persons.

3.8. Blocking of Personal Data — temporary suspension of personal data processing (except in cases where processing is necessary for the clarification of personal data).

3.9. Destruction of Personal Data — actions resulting in the impossibility of restoring the content of personal data in a personal data information system and/or resulting in the destruction of physical media of personal data.

3.10. Depersonalization of Personal Data — actions resulting in the impossibility, without the use of additional information, to determine the affiliation of personal data to a specific personal data subject.

3.11. Personal Data Information System — a set of personal data contained in databases and the information technologies and technical means ensuring their processing.

3.12. Cross-Border Transfer of Personal Data — transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.

 

4. Principles and Purposes of Personal Data Processing

4.1. The Company, acting as a personal data operator, processes personal data of its employees as well as personal data of other subjects who do not have employment relations with the Company.

4.2. The processing of personal data in the Company is carried out with due regard to the need to ensure the protection of the rights and freedoms of the Company’s employees and other personal data subjects, including the right to privacy, personal and family confidentiality, and is based on the following principles:

  • processing of personal data in the Company is carried out on a lawful and fair basis;

  • processing of personal data is limited to achieving specific, predetermined, and lawful purposes;

  • processing of personal data incompatible with the purposes of data collection is not permitted;

  • combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other, is not permitted;

  • only personal data that corresponds to the purposes of its processing is subject to processing;

  • the content and scope of the personal data being processed must correspond to the stated purposes of processing. Excessive processing of personal data in relation to the stated purposes of its processing is not permitted;

  • when processing personal data, accuracy, sufficiency, and, where necessary, relevance of personal data in relation to the purposes of processing are ensured. The Company takes the necessary measures, or ensures that such measures are taken, to delete or clarify incomplete or inaccurate personal data;

  • processed personal data is destroyed or depersonalized upon achieving the purposes of processing or when the need to achieve these purposes is lost, unless otherwise provided by the legislation of the Russian Federation;

  • for each purpose of processing, the categories and list of personal data, categories of subjects, methods, periods of processing and storage, and the procedure for the destruction of personal data upon achieving the purpose are specified;

  • personal data must be stored in a form that allows identifying the personal data subject no longer than is required by the purposes of personal data processing, unless a longer retention period for personal data is established by federal law or by a contract to which the personal data subject is a party, beneficiary, or guarantor;

  • processed personal data must be destroyed or depersonalized upon achieving the purposes of processing or when the need to achieve these purposes is lost, unless otherwise provided by federal law.

4.3. The processing of personal data in the Company is carried out for the following purposes:

  • performance of the terms of employment agreements, including ensuring compliance with the legislation of the Russian Federation and other regulatory legal acts;

  • maintenance of HR and accounting records and documentation management;

  • recruitment of personnel (candidates) for vacant positions;

  • processing of payroll projects and salary cards;

  • preparation of documents for business trips and other official travel;

  • implementation of occupational health, industrial safety measures, and special assessment of working conditions (SOUT);

  • training and raising awareness;

  • provision of benefits, compensations, gifts, and other material and non-material values for employees and their children;

  • protection of life, health, or other vital interests of personal data subjects;

  • ensuring access control to the territory of JSC Politeks-NN;

  • compilation of reference materials for internal information support of the Company’s activities;

  • execution of court decisions and acts of other bodies and officials subject to enforcement in accordance with the legislation of the Russian Federation;

  • interaction with visitors of the JSC Politeks-NN website;

  • feedback with personal data subjects, processing (consideration) of requests and appeals from individuals.

4.4. Legal grounds for personal data processing in the Company:

  • Constitution of the Russian Federation;

  • Labor Code of the Russian Federation;

  • Civil Code of the Russian Federation;

  • Civil Procedure Code of the Russian Federation;

  • Arbitration Procedure Code of the Russian Federation;

  • Tax Code of the Russian Federation;

  • Code of Administrative Offenses of the Russian Federation;

  • Charter of the Company;

  • Personal Data Processing Policy of JSC Politeks-NN;

  • Federal Law of December 26, 1995 “On Joint-Stock Companies”;

  • Other legal grounds as provided by the legislation of the Russian Federation.

5. List of Data Subjects Whose Personal Data Are Processed by the Company

5.1. The Company processes personal data of the following categories of data subjects:

  • Employees;

  • Candidates for vacant positions within the Company;

  • Family members and close relatives of the Company’s employees;

  • Former employees;

  • Counterparties;

  • Employees of counterparties;

  • Representatives of counterparties;

  • Parties to contracts;

  • Shareholders and beneficiaries of the Company;

  • Persons authorized to act on behalf of the Company;

  • Retired employees of the Company;

  • Visitors admitted to the Company’s facilities;

  • Visitors of the official website of JSC “Politeks-NN” — http://politexnn.ru/;

  • Individuals who send inquiries to the Company and/or correspond with the Company;

  • Other data subjects, when necessary to achieve the purposes of processing specified in Section 4 of this Policy.

6. List of Personal Data Processed by the Company

6.1. The list of personal data processed by the Company is determined in accordance with the legislation of the Russian Federation and the internal regulations of JSC “Politeks-NN”, taking into account the purposes of data processing specified in Clause 4.3 of this Policy.

6.2. The Company does not process special categories of personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or private life.

6.3. Depending on the tasks and functions assigned to the Company’s structural units, the following personal data may be processed:

  • Surname, first name, patronymic (including previous names, if applicable);

  • Date and place of birth, date of death (if applicable);

  • Information contained in identity documents;

  • Gender;

  • Citizenship (nationality);

  • Registered address;

  • Actual place of residence;

  • Email address;

  • Place of work;

  • Phone numbers (mobile and work);

  • Taxpayer Identification Number (INN);

  • Pension insurance certificate number (SNILS);

  • Military registration data;

  • Education and qualification details;

  • Job title;

  • Employment history;

  • Income and salary information (including bank account details);

  • Marital status;

  • Family composition;

  • Photographic image (provided by the data subject);

  • Certificate from the place of study of the data subject’s children (if necessary);

  • Information on driver’s license (category, driving experience);

  • Information on awards;

  • Veteran status;

  • Certification (attestation) details;

  • Disciplinary actions;

  • Information contained in the employment contract;

  • Information about social benefits provided under the laws of the Russian Federation and the Company’s internal regulations;

  • Knowledge of foreign languages;

  • Academic degrees and titles;

  • Membership in elected bodies;

  • Data generated during visits to the Company’s website (cookies);

  • Health information — in cases provided for by Parts 3 and 4 of Article 13 of Federal Law No. 323-FZ of November 21, 2011 “On the Fundamentals of Health Protection of Citizens in the Russian Federation.”

7. Functions of the Company in the Processing of Personal Data

When processing personal data, the Company performs the following functions:

7.1. Takes the necessary and sufficient measures to ensure compliance with the requirements of the legislation of the Russian Federation and the internal regulatory legal acts of JSC “Politeks-NN”.

7.2. Implements legal, organizational, and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as other unlawful actions in relation to personal data.

7.3. Appoints a person responsible for organizing the processing of personal data within the Company.

7.4. Issues internal regulatory acts defining the policy and procedures for the processing and protection of personal data in the Company.

7.5. Ensures that employees of the Company directly involved in the processing of personal data are familiarized with the provisions of the legislation of the Russian Federation and the Company’s internal regulations on personal data processing and provides training to such employees.

7.6. Publishes this Policy on the Company’s official website and ensures unrestricted access to it.

7.7. Provides data subjects or their representatives, upon request, with information on the availability of personal data relating to them and allows them to review such data, unless otherwise provided by the legislation of the Russian Federation.

7.8. Has notified the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) of the Company’s personal data processing activities.

7.9. Shall notify Roskomnadzor in advance of any planned cross-border transfer of personal data, if such transfer is to be initiated.

7.10. Notifies Roskomnadzor of computer incidents that have resulted in the unlawful transfer (provision, dissemination, or access) of personal data, as well as of the results of investigations and the identified responsible parties, if any.

7.11. Notifies Roskomnadzor of any personal data leaks, including those on paper media, as well as the results of the incident investigation and the identified responsible parties, if any.

7.12. Terminates the processing and destroys personal data in cases stipulated by the legislation of the Russian Federation.

7.13. Carries out other actions as provided by the legislation of the Russian Federation in the field of personal data processing.

8. Conditions for the Processing of Personal Data

8.1. The processing of personal data in the Company is carried out on the legal grounds specified in Clause 4.5 of this Policy.

8.2. The processing of personal data by the Operator is carried out with the consent of the personal data subject, unless otherwise provided for by the legislation of the Russian Federation.

8.3. Without the consent of the personal data subject, the Company shall not transfer or disclose his/her personal data to third parties, unless otherwise provided for by the legislation of the Russian Federation.

8.4. Personal data shall be stored in a form that allows the identification of the personal data subject, for no longer than required by the purposes of processing, unless a longer storage period is established by federal law, a contract to which the personal data subject is a party, beneficiary, or guarantor.

8.5. The processing of personal data may be terminated upon the occurrence of any of the following circumstances:
– achievement of the purposes of personal data processing;

expiration or withdrawal of the consent of the personal data subject;

termination of the Operator’s activities (liquidation or reorganization);– receipt of a request from the personal data subject requiring termination of processing of his/her personal data in accordance with Part 5.1 of Article 21 of Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006.

8.6. When processing personal data, the Operator takes necessary and sufficient legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as other unlawful actions, including:

appointment of a person responsible for organizing personal data processing;

adoption of internal regulations and other documents governing personal data processing and protection;
– identification of security threats to personal data in personal data information systems;

implementation of legal, organizational, and technical measures ensuring personal data security;

internal control and/or audit of compliance with Federal Law No. 152-FZ “On Personal Data” and other applicable regulations, as well as this Policy and local acts of the Operator;

assessment of potential harm that may be caused to personal data subjects in case of violation of Federal Law No. 152-FZ, and proportionality of such harm to the measures taken by the Operator;

familiarization and, where necessary, training of employees directly involved in personal data processing on the requirements of Russian legislation and local regulations;

obtaining consent from data subjects for personal data processing, except where otherwise provided by law;

other measures as required by the legislation of the Russian Federation on personal data.

8.7. Employees of the Operator found guilty of violating the provisions of Federal Law No. 152-FZ “On Personal Data” and related regulatory acts shall bear disciplinary, administrative, civil, or criminal liability in accordance with the legislation of the Russian Federation.

8.8. Cross-border transfer of personal data is not carried out by the Company.

8.9. In case cross-border transfer of personal data becomes necessary, the Company shall submit a notification to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) before initiating such transfer.

8.10. Before any cross-border transfer of personal data, the Company must ensure that the recipient country provides an adequate level of protection for the rights of personal data subjects.

8.11. The processing of personal data in the Company shall be terminated in the event of liquidation or reorganization of the Company.

9. List of Actions with Personal Data and Methods of Their Processing

9.1. The Company performs the following actions with personal data:
collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.

9.2. The Company carries out mixed processing of personal data, which includes both automated and non-automated processing, with the transmission of data through the internal network of the legal entity and via the Internet.

10. Storage of Personal Data

10.1. Personal data shall be stored in a form that allows the identification of the personal data subject, for no longer than required by the purposes of personal data processing, unless a longer storage period is established by federal law, or by a contract to which the personal data subject is a party, beneficiary, or guarantor.

10.2. Processed personal data shall be destroyed or anonymized upon achievement of the purposes of processing or when the necessity for achieving these purposes is lost, unless otherwise provided for by federal law.

10.3. Processing of personal data carried out without the use of automation tools shall be organized in such a way that, for each category of personal data, the places of storage (physical media) can be identified.

10.4. Separate storage of personal data (physical media) processed for different purposes shall be ensured.

10.5. When storing physical media containing personal data, the Company shall ensure conditions that maintain the integrity of personal data and prevent unauthorized access. The list of necessary measures, the procedure for their implementation, and the list of responsible persons shall be determined by the Company.

10.6. The periods of processing and storage of personal data for the categories of data subjects specified in Clause 6.3 of this Policy shall be determined in accordance with the requirements of the legislation of the Russian Federation, the Company’s internal regulatory acts governing these matters, and the terms of contracts to which the personal data subject is a party, beneficiary, or guarantor. In the absence of such contracts, the processing and storage period shall be determined by the consent of the personal data subject. In any case, personal data shall not be processed or stored longer than necessary for the purposes of processing, unless otherwise established by the legislation of the Russian Federation.

11. Destruction of Personal Data

11.1. Personal data shall be destroyed within a period not exceeding 30 working days from the moment the purpose of their processing has been achieved, unless otherwise provided for by the federal laws of the Russian Federation.

11.2. Personal data shall be destroyed within a period not exceeding 30 working days from the moment the personal data subject withdraws his or her consent to the processing of personal data.

11.3. Personal data shall be destroyed within a period not exceeding 7 working days from the moment the personal data subject or his/her representative provides information confirming that the personal data were obtained unlawfully or are not necessary for the stated purpose of processing.

11.4. In the event that the Company identifies any unlawful processing of personal data, it shall terminate such processing within a period not exceeding 3 working days from the date of detection.
If it is impossible to ensure lawful processing, the Company must destroy the personal data within a period not exceeding 10 working days from the date the unlawful processing was identified.
The decision regarding the unlawfulness of processing and the necessity of destruction shall be made by the person responsible for organizing personal data processing, who shall inform the Company’s management accordingly.

The Company shall notify the personal data subject or his/her legal representative of the correction of the violation or the destruction of personal data.

11.5. If destruction of personal data within the periods specified in Clauses 11.1–11.4 is not possible, the Company shall block such personal data and ensure their destruction within no more than six (6) months, unless another period is established by the federal laws of the Russian Federation.

11.6. The destruction of personal data shall be carried out in accordance with the requirements established by the Order of the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) dated October 28, 2022, No. 179.

11.7. Information regarding the destruction of personal data shall be retained by the Company for three (3) years from the date of destruction.

12. Rights of Personal Data Subjects

12.1. Personal data subjects have the right to:

  • Receive information about their personal data processed by the Company, to the extent provided for by Article 14 of Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006;

  • Access their personal data processed by the Company, including the right to obtain a copy of any record containing their personal data, except in cases provided for by Federal Law No. 152-FZ “On Personal Data”;

  • Request clarification, blocking, or destruction of their personal data if such data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;

  • Withdraw consent to the processing of their personal data previously provided to the Company;

  • Take measures to protect their rights as provided by the legislation of the Russian Federation;

  • Appeal actions or inactions of the Company that violate the legislation of the Russian Federation on personal data to the authorized body for the protection of the rights of personal data subjects or to the court;

  • Exercise other rights provided by the legislation of the Russian Federation.

12.2. A contract concluded with a personal data subject shall not contain:

  • Provisions restricting the rights and freedoms of the personal data subject or establishing cases of processing personal data of minors, unless otherwise provided for by the legislation of the Russian Federation;

  • Provisions allowing inaction of the personal data subject as a condition for concluding a contract.

12.3. Documents defining the Company’s policy regarding personal data processing, internal regulations on personal data issues, as well as internal acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating their consequences, shall not contain provisions that restrict the rights of personal data subjects.



13. Measures Taken by the Company to Ensure Fulfillment of the Operator’s Obligations in the Processing of Personal Data

13.1. The measures necessary and sufficient to ensure that the Company fulfills its obligations as a personal data operator, as provided for by the legislation of the Russian Federation in the field of personal data processing, include:

  • Appointment of a person responsible for organizing the processing of personal data within the Company;

  • Adoption of internal regulatory acts and other documents governing the processing and protection of personal data;

  • Publication of this Policy on the Company’s official website at politexnn.ru, through which personal data may also be collected; and conducting methodological work with the Company’s employees;

  • Obtaining consent from personal data subjects, except in cases provided for by the legislation of the Russian Federation;

  • Providing personal data subjects or their representatives, upon request, with information on the existence of personal data relating to them and the opportunity to familiarize themselves with such data, unless otherwise provided by the legislation of the Russian Federation;

  • Separating personal data processed without the use of automation tools from other information, including by recording them on separate physical media or in dedicated sections;

  • Ensuring separate storage of personal data and their physical media when processed for different purposes or containing different categories of personal data;

  • Creating standardized forms for the collection of personal data so that each personal data subject can review his or her personal data without violating the rights and legitimate interests of other subjects;

  • Ensuring the protection of documents containing personal data on paper or other physical media when transferring them to third parties through postal or courier services;

  • Informing in writing any recipients of Company documents containing personal data about their obligation to maintain the confidentiality of received personal data;

  • Storing physical media containing personal data under conditions that ensure their integrity and prevent unauthorized access;

  • Conducting internal control to verify compliance of personal data processing with Federal Law No. 152-FZ “On Personal Data”, its implementing regulations, protection requirements, this Policy, and the Company’s internal regulations;

  • Submitting notifications on personal data processing to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor);

  • Submitting notifications to Roskomnadzor regarding cross-border data transfers;

  • Other measures as provided for by the legislation of the Russian Federation in the field of personal data processing.

13.2. Measures ensuring the security of personal data during their processing in personal data information systems shall be established in accordance with the requirements of the legislative and other regulatory legal acts of the Russian Federation, as well as the Company’s internal regulations governing the protection of personal data during their processing in information systems.

13.3. The person responsible for organizing personal data processing, appointed by the Company’s order, shall receive instructions from and report to the General Director of the Company.

13.4. The person responsible for organizing personal data processing shall, in particular, be obliged to:

  • Organize internal control over compliance by the Company’s employees with the legislation of the Russian Federation in the field of personal data processing, including protection requirements;

  • Ensure that employees of the Company are informed about the provisions of the legislation of the Russian Federation and the Company’s internal regulations regarding personal data processing, including data protection requirements;

  • Control the receipt and handling of requests from personal data subjects or their representatives.

14. Information on Ensuring the Security of Personal Data in Accordance with the Requirements for the Protection of Personal Data Established by the Government of the Russian Federation

14.1. The Company has implemented the following measures to ensure the security of personal data:

  • Designated specific locations for the storage of physical media containing personal data;

  • Ensured separate storage of personal data (physical media) depending on the purposes of their processing;

  • Ensured storage conditions that maintain the integrity of personal data and prevent unauthorized access to them;

  • Established a list of measures necessary to ensure such conditions, the procedure for their implementation, and the list of persons responsible for carrying them out;

  • Appointed a person responsible for organizing the processing of personal data.

15. Control over Compliance with the Legislation of the Russian Federation and the Company’s Internal Regulations in the Field of Personal Data Processing, Including Data Protection Requirements

15.1. Control over compliance by the Company’s structural divisions with the legislation of the Russian Federation and the Company’s internal regulations in the field of personal data processing, including data protection requirements, is carried out to verify that the processing of personal data in the Company complies with:

  • the legislation of the Russian Federation;

  • the Company’s internal regulatory acts in the field of personal data processing, including data protection requirements; and

  • the measures adopted to prevent and detect violations of the legislation of the Russian Federation in the field of personal data processing.

Such control also aims to identify potential channels of data leakage and unauthorized access to personal data, as well as to eliminate the consequences of such violations.

15.2. Internal control over compliance by the Company’s divisions with the legislation of the Russian Federation and the Company’s internal regulations in the field of personal data processing is carried out by the person responsible for organizing personal data processing within the Company.

16. Liability

16.1. Employees of the Company bear personal responsibility for compliance with the requirements of the legislation of the Russian Federation and the Company’s internal regulatory acts in the field of personal data, including the provisions of this Policy.