Personal Data Protection and Processing Policy of SimbirSoft JSC

Legal, physical and mailing address: 4320071 Ulyanovsk, prospekt Narimanova, dom 1, str. 2. (INN 7325029206) (hereinafter, the Operator)

1. General Provisions

1.1. This Personal Data Protection and Processing Policy (hereinafter, the Policy) is drawn up in accordance with Clause 2 of Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter, the Law on Personal Data), as well as other regulations on the protection and processing of personal data (hereinafter, PD), and defines the main principles, purposes, scope and categories of processed PD, categories of PD subjects (individuals), the procedure and conditions for processing, procedures aimed at identifying and preventing violations of the laws of the Russian Federation on personal data during their processing by the Operator.

1.2. The Operator shall ensure the protection of processed PD against unauthorized access and disclosure, unauthorized use or loss in accordance with the requirements of the Law on Personal Data.

1.3. The Operator shall have the right to make changes to this Policy. The new version of the Policy shall enter into force upon its approval by the CEO of the Operator, unless otherwise stipulated by the new version of the Policy.

1.4. The terms contained in Article 3 of the Law on Personal Data are used in this Policy with the same meaning.

1.5. This Policy includes, among other things, provisions related to PD processing using the Operator’s website.

1.6. This Policy is a publicly accessible document and is published on the Operator’s official website at https://www.simbirsoft.com.

2. Legal Grounds for PD Processing

2.1. The legal grounds for the processing of personal data by the Operator are as follows:

• The Constitution of the Russian Federation;
• The Constitution of the Russian Federation;
• The Labor Code of the Russian Federation;
• The Civil Code of the Russian Federation;
• The Tax Code of the Russian Federation;
• Federal Law No. 149-FZ dated July 27, 2006, "On Information, Information Technologies and Information Protection";
• Federal Law No. 208-FZ dated December 26, 1995, "On Joint Stock Companies";
• Federal Law No. 27-FZ dated April 1, 1996, "On Individual (Personalized) Accounting in the System of Mandatory Pension Insurance";
• Federal Law No. 395-1 dated December 2, 1990, "On Banks and Banking Activities";
• Federal Law No. 402-FZ dated December 6, 2011, "On Accounting";
• The Charter of the Operator;
• Contracts concluded between the Operator and the subjects of personal data;
• Consents of personal data subjects for the processing of their personal data;
• Other federal laws imposing on the Operator the implementation and performance of its functions, powers, and obligations.

3. Principles of PD Processing

3.1. PD shall be processed on a lawful and fair basis.

3.2. PD processing shall be restricted to the achievement of specific, predetermined and legitimate purposes. PD processing inconsistent with the purposes of PD processing is not permitted.

3.3. The merging of databases containing PD to be processed for purposes that are incompatible with one another is not permitted.

3.4. Only personal data that comply with the purposes of their processing shall be processed. The PD to be processed shall not be redundant in relation to the stated purposes of their processing.

3.5. In the course of personal data processing, it is necessary to ensure the accuracy of the personal data, their sufficiency and, if appropriate, their adequacy for processing purposes. The Operator shall take the required measures or ensure their adoption to delete or clarify incomplete or inaccurate data.

3.6. PD shall be stored in a form that allows identifying the PD subject for no longer than the purposes of PD processing require, unless the PD storage period is established by federal law, the contract to which the PD subject is a party, the beneficiary or the guarantor. The processed PD shall be destroyed or depersonalized upon achievement of processing purposes or when such purposes cease to be relevant, unless otherwise stipulated by federal law.

4. Purposes of Processing, Composition, Subjects, Methods, Terms of Processing and Storage of Personal Data

4.1. The purposes of processing personal data (PD), categories and the list of processed PD, categories of subjects whose personal data are processed, methods, terms of their processing and storage, and the procedure for destruction are defined by the Operator in Appendix No. 1 to this Policy.

4.2. The processing of special categories of PD related to racial and ethnic origin, political opinions, religious or philosophical beliefs, intimate life, and health status is not carried out by the Operator.

4.3. The processing of biometric categories of personal data and personal data permitted for dissemination is carried out by the Operator with the consent of the subject of personal data obtained in accordance with the requirements of the legislation of the Russian Federation.

5. Procedure and Conditions for Processing Personal Data (PD)

5.1. The processing of PD is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of PD is conducted with the consent of the subjects of PD for the processing of their PD, as well as without such consent in cases provided for by the legislation of the Russian Federation.

5.3. When processing personal data using the Operator's websites, users express their consent to the processing by filling out fields in forms intended for entering personal data on the Operator's website and/or checking a box in the appropriate field after reviewing the text of consent to the processing of personal data outlined in this Policy when submitting the form to the Operator.

5.4. The Operator carries out mixed processing of PD, both automated and non-automated.

5.5. Access to PD is granted to those employees of the Operator who need it in connection with the performance of their official duties. The procedure for granting access to PD includes familiarizing the employee with the provisions of current legislation of the Russian Federation on personal data, including requirements for the protection of personal data, with internal documents of the Operator regulating the process of processing and protecting PD, as well as obtaining a written commitment from the employee not to disclose PD. Upon termination of employment of an employee with access to PD, documents and other carriers containing PD are transferred to their immediate supervisor, and the employee's access to personal data information systems is terminated.

5.6. The transfer of PD to third parties and dissemination of PD is carried out with the consent of the subject of PD unless otherwise provided by federal law.

5.7. The transfer of PD to authorized state authorities and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, modifies), extracts, uses, transfers (distributes, provides, grants access), blocks, deletes, and destroys PD using a mixed method of processing personal data.

5.9. When collecting PD, including through information and telecommunications networks (the internet), the Operator ensures recording, systematization, accumulation, storage, clarification (updating, modification), extraction of PD using databases located on the territory of the Russian Federation.

5.10. The Operator ensures that the content and volume of processed PD correspond to the stated purposes of processing and, if necessary, takes measures to eliminate their excessiveness concerning the stated purposes of processing.

6. Procedure for Storing Personal Data (PD)

6.1. The duration of processing PD does not exceed the time necessary to achieve the purpose of processing unless otherwise provided by RF legislation or a written agreement with the subject of PD.

6.2. The storage of PD in a form that allows identifying the subject of PD shall not exceed what is required for the purposes of processing, and they shall be destroyed upon achieving the purposes of processing or in case there is no longer a need to achieve them.

6.3. The storage and placement of documents containing PD are carried out in compliance with the requirements of current RF legislation.

6.4. The PD of subjects may be obtained, further processed, and stored both on paper and in electronic form.

6.5. PD recorded on paper carriers are stored in locked cabinets or in locked rooms with restricted access.

6.6. PD subjects processed using automation tools for different purposes are stored in separate folders.

6.7. Processed PD shall be destroyed upon achieving the purposes of processing or in case there is no longer a need to achieve these purposes unless otherwise provided by current legislation.

7. Ensuring the Confidentiality of Personal Data (PD)

7.1. Information related to PD is considered confidential information and is protected by the legislation of the Russian Federation.

7.2. Individuals permitted to process PD undertake a commitment to maintain the confidentiality of this information.

7.3. The Operator takes necessary and sufficient legal, organizational, and technical measures to protect PD from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions involving PD.

8. Procedures Aimed at Identifying and Preventing Violations of the Legislation of the Russian Federation in the Field of Personal Data

8.1. To identify violations, procedures are provided for:

• Conducting internal control over the compliance of PD processing with the requirements of the Personal Data Law and regulatory legal acts adopted in accordance with it, requirements for the protection of PD, the Operator's Policy, and other local acts of the Operator;
• Assessing the harm that may be caused to subjects of PD;
• Familiarizing employees directly involved in PD processing with the legislation of the Russian Federation on PD (including requirements for personal data protection), and internal local acts of the Operator regarding PD processing;
• Preventing the merging of databases containing PD, the processing of which is carried out for incompatible purposes;
• Ensuring the accuracy of PD during processing, their sufficiency, and, where necessary, their relevance to the purposes of PD processing;
• Detecting unauthorized access to PD and taking appropriate measures.

8.2. To Prevent and Eliminate the Consequences of Such Violations, Procedures Are Provided for:

• Adopting local acts in the field of PD processing;
• Organizing the processing of PD in information systems (ISPD), including actions for systematization, accumulation, use, storage, transfer, as well as destruction and blocking in accordance with the requirements of the Personal Data Law;
• Appointing a person responsible for organizing the processing of PD;
• Appointing individuals responsible for ensuring the security of processed PD;
• Informing employees of the Operator who process PD without using automated means about the fact that they are processing PD, which is done without using automated means, the categories of processed PD, as well as the specifics and rules for such processing established by regulatory legal acts of federal executive authorities, executive authorities of subjects of the Russian Federation, and local acts of the Operator;
• Organizing the collection of PD personally from the subject of PD, their legal representatives, or third parties in accordance with the requirements of the Personal Data Law;
• Applying legal, organizational, and technical measures to ensure the security of PD necessary to meet the requirements for PD protection, compliance with which ensures the levels of PD protection established by the Government of the Russian Federation, including:
  • Identifying current threats to PD security during their processing in ISPD and developing measures and activities for PD protection;
  • Establishing access rules to PD processed in ISPD, as well as ensuring registration and accounting of all actions performed with PD in ISPD;
  • Establishing individual access passwords for employees in ISPD according to their job responsibilities;
  • Applying information protection means that have undergone the established conformity assessment procedure;
  • Using antivirus software;
  • Complying with conditions that ensure the preservation of PD and exclude unauthorized access to them;
  • Detecting instances of unauthorized access to personal data and taking measures;
  • Restoring PD modified or destroyed due to unauthorized access;
  • Protecting information carriers on which personal data is stored and/or processed (hereinafter referred to as personal data carriers);
  • Detecting (preventing) intrusions;
  • Monitoring (analyzing) the security of PD;
  • Identifying incidents (a single event or a group of events) that may lead to failures or disruptions in the functioning of ISPD and/or pose threats to PD security and responding to them;
  • Implementing security measures for premises where personal data is processed and personal data carriers are stored, preventing uncontrolled access or presence of unauthorized persons in these premises;
  • Ensuring the preservation of personal data carriers;
  • Ensuring that doors to premises are kept locked at all times and opened only for authorized access, as well as sealing premises at the end of the working day or equipping premises with appropriate technical devices signaling unauthorized entry;
  • Publishing the Operator's Policy on Protection and Processing of Personal Data on the Operator's website in the information and telecommunications network "Internet."

9. Basic Rights of the Personal Data Subject and Obligations of the Operator

9.1. Basic Rights of the Personal Data Subject

9.1.1. The subject has the right to access their personal data (PD) and the following information:

• Confirmation of the fact that PD is being processed by the Operator;
• Legal grounds and purposes for processing PD;
• The purposes and methods used by the Operator for processing PD;
• The name and location of the Operator, information about individuals (excluding employees of the Operator) who have access to PD or to whom PD may be disclosed based on a contract with the Operator or under federal law;
• The duration of PD processing, including storage periods;
• The procedure for exercising the rights of the PD subject as provided by law;
• The name or surname, first name, patronymic, and address of the person processing PD on behalf of the Operator if the processing is delegated or will be delegated to such a person;
• Information about how the Operator fulfills its obligations established by Article 18.1 of the Personal Data Law;
• Other information provided for by the Personal Data Law or other federal laws.

9.1.2. The subject has the right to contact the Operator and submit requests to them;

9.1.3. The subject has the right to appeal against actions or inactions of the Operator;

9.1.4. The PD subject has the right to demand from the Operator clarification of their PD, blocking, or destruction if the PD is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as to take legal measures to protect their rights.
The Operator is obliged to:

• Provide the PD subject with information required by the Personal Data Law during PD processing;
• If, in accordance with the Personal Data Law, providing PD and/or obtaining consent from the Operator for processing PD is mandatory, explain to the PD subject the legal consequences of refusing to provide their PD and/or give consent for their processing;
• In cases where PD was obtained from a source other than the PD subject, provide the PD subject with information (except in cases provided for by the Personal Data Law):
  1) The name or surname, first name, patronymic, and address of the Operator or their representative;
  2) The purpose of processing personal data and its legal basis;
  3) A list of personal data;
  4) Intended users of PD;
  5) Rights of the personal data subject established by the Personal Data Law;
  6) Source of personal data acquisition.
  
• Publish or otherwise ensure unrestricted access to a document defining its policy regarding PD processing and information about implemented requirements for PD protection;
• Take necessary legal, organizational, and technical measures or ensure their implementation to protect PD from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution of PD, as well as from other unlawful actions concerning PD;
• Respond to requests and appeals from PD subjects, their representatives, and authorized bodies for protecting the rights of PD subjects in accordance with the procedure and within the timeframes established by the Personal Data Law;
• Other obligations provided for by the Personal Data Law.

10. Modification and Destruction of Personal Data, Requests from Personal Data Subjects

10.1. In the event of confirming the inaccuracy of Personal Data (PD) or the illegality of their processing, the PD must be updated by the Operator, or their processing must be terminated accordingly.

10.2. The fact of inaccuracy of PD or illegality of their processing may be established either by the PD subject or by competent state authorities of the Russian Federation.

10.3. Upon written request from the PD subject or their representative, the Operator is obliged to provide information about the processing of PD of the specified subject in accordance with the requirements of current legislation of the Russian Federation. Such a request must contain:

• The number of the primary document proving the identity of the PD subject and their representative;
• A document confirming the rights of the representative to receive such data;
• Information about the date of issuance of the specified document and the issuing authority;
• Information confirming the participation of the PD subject in relations with the Operator (date of contract conclusion, conditional verbal designation, and/or other information), or information that otherwise confirms the fact of PD processing by the Operator;
• The signature of the PD subject or their representative.

10.4. If the request from the PD subject does not include all necessary information or if the subject does not have access rights to the requested information, a reasoned refusal will be sent to them.

10.5. Upon achieving the purposes of PD processing, as well as in case of withdrawal of consent by the PD subject, the Operator ceases processing PD and destroys PD in accordance with the procedures and timelines established by current legislation of the Russian Federation.

11. Use of Cookies

11.1. Cookies are used on the website to improve the quality of interaction for visitors with the Site, allowing the Site to remember visitors during their first visit or during subsequent visits. In some cases, cookies are used to personalize information on the Site based on location.

11.2. The Operator uses cookies that are necessary for navigating visitors through the Site or for certain core functions to operate. Cookies are used to enhance the functionality of the Site, for example, by saving visitor settings. The Operator also uses cookies to improve the performance of the Site to enhance the quality of interaction for visitors with the Site.

Purposes of Processing, Categories of Personal Data and Data Subjects, Methods, Retention Periods, and Procedures for Destruction