CRM SOLUTIONS LTD. POLICY ON PROCESSING PERSONAL DATA OF SITE VISITORS AND OTHER USERS

 

Updated version dated August 23, 2022

Approved by the General Director of CRM SOLUTIONS Ltd.

1. General terms

This Policy is a basic local act of CRM Solutions Ltd. (INN: 7451278717, KPP: 770301001, PSRN: 1097451001273, location: 123022, Moscow, Zvenigorodskaya 2-st street, 13, building 43, room VIII, room 4) (hereinafter – Company, Operator), which regulates the processing of company personal data (PD).

This Policy is developed in accordance with subparagraph 2 of part 1 of Article 18.1 of the Federal Law of July 27, 2006 No. 152 “On Personal Data” (hereinafter – the Law on Personal Data).

In accordance with the requirements of part 2 of Article 18.1 of the Law on Personal Data, this Policy is published (and regularly updated) in free access in the information and telecommunications network “Internet” on the website at: www.konnektu.ai.

The Policy discloses the main categories of PD processed by the Operator, the purposes, methods and principles of processing PD, the rights of the subjects of PD and the Operator, as well as the list of measures applied by the Operator in order to ensure the PD security during their processing.

This Policy applies to all of the Operator’s procedures that involve the PD processing, both using computer equipment, including information and telecommunications networks, and without using such equipment.

The Policy applies to relations in the field of PD processing that have arisen with the Company both before and after the approval of this Policy.

The Policy is the basis for the development of local regulations of the Company to ensure the PD security.

This Policy enters into force upon approval by the General Director of the Company and is valid indefinitely.

The Company shall revise the provisions of this Policy and update them as necessary, but at least once every three years, as well as:

– in case of changes in the regulatory framework affecting the PD processing procedures and/or principles in the Company;

– in case of creating new and amending the existing PD processing procedures.

Any changes to the current version shall include the date of the last update. A new version of this Policy shall become effective as soon as it is approved by the General Director and posted on the Company’s website, unless otherwise provided for in the new version of this Policy. The current version of the Policy is permanently available on the website at: www.konnektu.ai.

2. Regulatory framework

The Policy was developed in accordance with the requirements of the following regulatory documents in the field of PD processing and protection:

Federal Law of the Russian Federation of July 27, 2006 No. 102-FZ “On Personal Data”

Federal Law of the Russian Federation of July 27, 2006 No. 149-FZ “On Information, Information Technologies and Information Protection”

Decree of the Government of the Russian Federation of September 15, 2008 No. 687 “On Special Aspects of Personal Data Processing without Using Automation Technology”.

Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 “On Approving The Requirements for The Protection of Personal Data When Processing Them in Personal Information Systems”.

3. Basic concepts

Confidentiality of personal data – a mandatory requirement for the Operator or other person who has gained access to personal data not to disclose to third parties and not to distribute PD without the consent of the PD subject, unless otherwise provided by federal law.

Personal data (PD) – any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data).

The subject of personal data – an individual who is directly or indirectly identified by the PD.

Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation with personal data, including the collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of personal data.

Operator – public authority, municipal authority, legal entity or individual, independently or together with other persons organizing and (or) carrying out processing of personal data, as well as defining purposes of personal data processing, composition of personal data to be processed, actions (operations) performed with personal data. For the framework of this Policy CRM Solutions Ltd. acts as an operator of personal data.

Automated processing of personal data – processing of personal data by using computer equipment.

Information system of personal data (ISPD) – a set of personal data contained in databases of personal data, together with the information technologies and technical means that provide their processing.

Cross-border transfer of personal data – transfer of personal data to a foreign country, a foreign authority, a foreign individual or a foreign legal entity.

Blocking of personal data – temporary termination of personal data processing (except when processing is necessary to clarify personal data).

Destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.

Depersonalization of personal data – actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.

Protection of personal data – activities aimed at preventing leakage of protected personal data, unauthorized and unintended influences on the protected personal data.

Employee – a natural person who has entered into an employment relationship with the Operator on the basis of an employment contract and on other grounds provided for by Article 16 of the Labor Code of the Russian Federation.

Candidate – an individual who is considered by the Company based on an application/letter/resume posted on publicly available data sources — job search site, social networks and other relevant information sources — to decide on an invitation for an interview or a job offer at the Company and/or has received an invitation for an interview/work offer from the Company.

Applicant for a vacancy – an individual who has placed his/her application/form/resume on job search sites or other advising sources of information and/or has submitted an application/form/resume directly to the Company for consideration as an employee of the Company.

Operator’s website – Internet sites, chatbots and pages belonging to the Operator and/or administered by the Operator or a third party on behalf of and for the Operator (hereinafter referred to as the website).

Promotion participant – a subject of personal data, participating in promotional actions, conducted by the Operator or in the interests of the Operator or on behalf of third parties, whose data is stored and processed.

4. Purposes of PD collection and processing

To maintain its business reputation and ensure compliance with the requirements of the Personal Data Law and regulations adopted in accordance with it, the Company, as a personal data operator with appropriate rights and obligations, shall ensure legality of Personal Data processing, as well as an appropriate level of security of processed Personal Data.

The Company shall process PD in a lawful and fair manner, and shall be limited to achieving specific, predetermined and legitimate purposes. Only those PD shall be processed that meet the purposes for which they are processed. The content and scope of the processed PD shall comply with the declared processing purposes, and no redundancy of the processed PD shall be permitted.

During processing of PD, the Operator shall ensure the accuracy of the PD, its sufficiency, and, in necessary cases, its relevance in relation to the purpose of PD processing. The Operator shall take or ensure that necessary measures are taken to remove or clarify incomplete or inaccurate PD.

The Company, within the framework of its principal activities, processes PD of its employees; relatives of employees; applicants/candidates for vacancies; counterparties/clients of the Operator, as well as individuals representing counterparties/clients of the Operator; visitors of the Operator’s web-sites; participants of promotional, advertising and other events organised or held by the Operator; subjects of PD whose data the Operator processes under agreements with the Operator’s clients and orders to process PD (participants of promotions, medical representatives); subjects of PD – medical and health care specialists.

Processing of PD of above-mentioned subjects shall be carried out by the Operator for the following purposes:

• the Company’s employees’ PD, including those who were fired:

– for the purpose of signing, maintaining, amending or terminating employment contracts, which serve as a basis for the emergence or termination of labour relations between an employee and the Company;

– for the purpose of fulfilment of obligations by the Company as defined by local normative acts, employment contracts, federal laws and other regulatory legal acts, including for the purposes of HR and accounting, preparation of tax and other reports mandatory for the Company;

– for the purpose of assisting employees in training and promotion;

– for the purpose of signing, changing or terminating a voluntary health insurance contract;

– for the purpose of ensuring personal safety of employees, control over quantity and quality of work performed by the employees, security of property.

• PD of relatives of the Company’s employees:

– for the purpose of fulfilling by the Company its obligations under federal laws (obtaining alimony, processing of social benefits and allowances);

– for the purpose of signing, changing and terminating voluntary medical insurance contracts for the relatives of the employees.

• PD of candidates/applicants for vacant positions in the Company:

– for the purpose of reviewing resumes and selecting candidates for a vacant position for further employment in the Company;

– for the purpose of keeping a roster of candidates for the position;

– for the purpose of providing the requested information and communication with the applicant on the Operator’s website;

– for the purpose of obtaining other information about a candidate for a vacant position in the Company.

• PD of the Company’s counterparties/clients, as well as persons representing the counterparties/clients to the Company:

– for the purpose of signing, changing, terminating contracts, as well as fulfilling obligations under the concluded contracts;

– for the purpose of complying with and/or performing the procedures and actions set out in the local regulations and/or the laws of the Russian Federation, including for the purposes of keeping accounting records, preparing tax reports.

• PD of the Operator’s website visitors:

– for the purpose of processing enquiries and applications on the Site;

– for the purpose of processing requests from applicants on the Site;

– for the purpose of sending advertising and information messages about products and services;

– for the purpose of improving the user experience;

– for the purpose of keeping statistics regarding visits to the Site;

– for the purpose of profiling;

– for the purpose of targeting services according to interests.

• PD of participants in promotions, advertising and other events conducted by the Operator:

– for the purpose of participating in promotional events held by the Operator or for the benefit of the Operator or on behalf of third parties whose data is stored and processed;

– for the purpose of advertising and informational mailing on behalf of the Operator and/or third parties on behalf of any promotional campaigns, any product brands within the Operator’s commercial activities

– for the purpose of market research and analytics by Operator with respect to data obtained on the sites.

• PD of the subjects of PD, whose data is processed by the Operator within the framework of agreements with the Operator’s clients and the order to process PD (campaign participants, medical representatives):

– for the purpose defined by the Company’s client in the order to process the Operator’s client’s PD.

• PD of health care specialists and medical workers – recipients of information about analytical, clinical and other studies from the Operator and/or third parties on the instructions of the Operator as well as recipients of invitations to conferences and other events organized by the Operator and/or third parties:

– for the purpose of involving them in analytical, marketing and other research;

– for the purpose of providing information/services of scientific, informational and educational purposes;

– for the purpose of inviting them to participate in conferences and informing them about medicinal products and services;

– for the purpose of maintaining a single up-to-date information base of healthcare specialists in the Russian Federation.

5. Legal basis for processing of PD

The basis for processing of PD of the subjects of PD in the Company shall be as follows:

1) processing of employees’ PD shall be carried out based on employee’s written consent to process his/her PD, employment contract, to which the employee is a party, as well as based on the labor, social and pension legislation, the Tax Code of the Russian Federation and the Federal Law of the Russian Federation of November 21, 1996 No. 129-FZ “On Accounting”;

2) processing of PD of dismissed employees shall be carried out on the basis of subpar. 5 par. 3 Art. 24 of the Tax Code of the Russian Federation and Art. 17 of the Federal Law of the Russian Federation of November 21, 1996, No. 129-FZ “On Accounting”, Art. 62 of the Labour Code of the Russian Federation, as well as par. 3 Article 3 of the Federal Law of October 22, 2004 “On the Archives in the Russian Federation”;

3) processing of PD of employees’ relatives is stipulated by the Labour and Tax Codes of the Russian Federation (alimony payments, registration of social benefits), unified form № T-2, approved by Decree of RF Goskomstat of January 5, 2004 No. 1 “On approval of unified forms of primary accounting documents on labor records and payment”, Federal Law of July 25, 2002 No. 115-FZ “On Legal Status of Foreign citizens in Russian Federation” and written consent of employee’s relative (registration of voluntary health insurance contracts).

4) processing of PD of candidate/applicants for vacant positions of the Company shall be carried out at the initiative of the candidate/applicant to sign a contract with the Company with the written consent of the candidate/applicant for processing of his/her PD, given on the Company website, recruitment agency, third party recruitment resources website or directly to the Company;

5) processing of counterparties/client’s PD, persons representing counterparties/clients in the Company shall be carried out on the basis of a contract between the counterparties/clients and the Company in accordance with the Civil Code of the Russian Federation;

6) processing of PD of visitors of websites, participants of actions on websites, chat-bots of the Company shall be carried out with consent given during registration, filling of registration forms and/or ticking of checkboxes;

7) processing of PD of subjects of PD whose data is processed by the Company as Processor shall be carried out under contracts with the client (Operator) and under an authorization to process PD in accordance with an authorization contract;

8) processing of PD of healthcare specialists and medical workers shall be carried out with the consent of the mentioned subjects, given in written or audio form, or by ticking and/or filling in registration forms on websites, chatbots of the Operator, within participation in scientific, analytical and other researches conducted by the Operator and/or third parties on its behalf.

6. Scope and categories of processed PD

6.1 The Company processes the following categories of PD:

1) employees’ PD: name, surname, patronymic, contact details, information about identity document, date of birth, sex, age, place of birth, photo, address details, educational details, foreign language skills, information about professional experience, information about employment history, information about employment/dismissal/relocation, information about type of work, position details, qualification category details, salary details, income details, information about incentives and deductions, information about working hours, business trip details, holiday details, temporary disability details, bank account and/or payment card details, payments to the Federal Tax Service, the Social Insurance Fund, pension funds, pension insurance details, including INN and SNILS, social benefits details, citizenship details, taxpayer status details, migration card and work permit details, address details, marital status details, family status details, military service details, driving licence details, FSSP details, internship details, training and further education details, length of work experience and specialisation details;

2) PD of candidates/applicants for vacant positions: name, surname, patronymic, date and place of birth, contact details (e-mail address, mobile number), details of registration address/address of actual residence/place of stay, details of identity document, details of nationality, marital status, details of education, employment history and qualifications, work experience, information on foreign language skills, CV to be provided;

3) PD of employees’ relatives: name, surname, patronymic, date of birth, degree of kinship, details of identification document, contact details (e-mail, mobile phone number);

4) PD of the site visitors, participants of promotions on the Company’s web-sites: surname, name, patronymic, residence address, e-mail address, telephone number, comment, company, sex, personal account credentials: login and password, date and time of visiting the Site, cookies, IP-address assigned to the user device for Internet access, type of browser and operating system of the user, data collected on the site by web-site visitors statistics aggregators, transferred to “Yandex.Metrika” and “Google Analytics”;

5) PD of counterparties/clients and persons representing counterparties/clients in the Company: surname, first name, patronymic, contact telephone number, e-mail, information on place of work, position details;

6) PD of the subjects of PD, whose data are processed by the Operator in frames of the agreements with the client and the order for processing of PD: the scope of data is determined by the order for processing of PD;

7) PD of health care specialists and medical workers: name, surname, patronymic, position and specialty details, workplace details (address and name), education details; contact telephone number, e-mail address.

8) Technical information about the computer/mobile device. Any information about the computer system or other technical device used to visit the Operator’s websites (e.g. the IP (Internet Protocol) address used to connect the user’s computer or device to the Internet, type of operating system, type and version of web browser). If the user accesses the website through a mobile device, the information obtained will also include (in the cases specified) the unique device identifier, advertising identifier, geolocation data and other similar data about the mobile device;

9) Website/message usage information. As a user browses the Operator’s websites or messages, certain data about his or her activities is collected using automated data collection technologies.

This data includes the links the website visitor clicks on, the pages or content he/she views, the time he/she views the page/content, as well as other similar information and statistics about the page visit, such as loading errors, content response times and the duration of the visit to certain pages. This information is captured using automated technologies such as cookies and web beacons and is also collected using third-party tracking services.

6.2 Cookies

6.2.1 The Operator’s website may use technology known as a cookie. A cookie is a message that a web server sends to the user’s computer when the user accesses the website. On a second visit, the Operator’s website will check if the user has one of the Operator’s cookies on his or her computer. The cookies increase the functionality of the website and help to analyse how the website is used more accurately.

6.2.2 The website uses Internet Protocol (IP) addresses. An IP address is a number given to a computer by an Internet Service Provider to access the Internet. Typically, the IP address changes whenever a user logs into the Internet (it is a ‘dynamic’ address). However, if a high-speed connection is used, depending on the circumstances, it is possible that the IP address or even the cookie that is used contains identifiable information. This is because in some types of high-speed connection the IP address of the User does not change (“static”) and may be associated with the User’s computer. The Operator uses the IP address of the User to send general information about the use of the site as well as to improve it.

6.2.3. The Operator’s website uses technology to determine the location of the User. The User is obliged to leave the Operator’s website if he does not want the above mentioned data (cookies, IP address and location data) to be processed.

6.2.4 The Operator’s website, on which the information is collected, uses standard data protection protocol (SSL) encryption.

6.2.5. The information banner that appears on the Site informs the visitor of the Site about the processing of cookies and user data. The Operator processes the above-mentioned personal data in order to ensure the stable operation of the Website, improve the user experience, improve the methods and techniques of presenting information on the Website, keep statistics of visits to the Website and identify the most visited pages of the Website, compiling a profile, targeting the product according to the interests of the Website visitor.

6.2.6. The Website visitor has the choice to consent to the processing of the above-mentioned personal data by continuing to use the Website, or to refuse to provide such consent by disabling cookie processing and user data collection in the browser settings, or by leaving the Website.

6.2.7. Although most browsers accept cookies automatically, the Website visitor can set his or her browser so that only the Website visitor decides whether or not to accept or block the cookie (the Website visitor should refer to the “Tools” or “Settings” menu of the browser used by the Website visitor). The Website visitor can delete cookies from his or her device at any time. In this case, it should be noted that if the Website visitor does not accept cookies, some of the Website’s functions may be unavailable.

6.2.8. More information about managing cookies can be found in the browser help file or on specialised websites.

6.3 The Operator processes employees’ biometric PD (photo) only in order to designate employees’ personal pages in the Company’s corporate network.

6.4 The Operator does not process PD concerning race, nationality, political opinions, religious or philosophical beliefs and intimate life.

6.5 Processing of PD related to health conditions shall be carried out if consent to process the mentioned data has been obtained from the subject of PD, or in other cases expressly provided for in the applicable laws of the Russian Federation.

7. PD Processing Procedure and Requirements

7.1 During collection of PD, the Operator shall ensure recording, systematization, accumulation, storage, clarification (updating, changing) and retrieval of PD using databases located in the Russian Federation.

All PD shall be collected directly from the subject himself/herself. If the subject’s PD can only be obtained from a third party, the subject must be notified or consent to such transfer must be obtained from the subject.

During collection of PD, the Operator shall inform the subject of the PD about the purposes, intended sources and methods of obtaining the PD, the list of operations with the PD, the period during which consent to process the PD is valid and the procedure for withdrawing it, as well as the consequences of the subject’s refusal to consent to the processing of the PD.

Databases containing PD shall be created by:

– copying original documents, submitted by employees and/or candidates for a vacant position of the Company;

– adding data to the record forms;

– obtaining original copies of necessary documents from employees, counterparties, etc;

– entering data into the Konnektu CDP or its individual modules;

– entering data by subjects of PD during registration on websites and chat-bots of the Company;

– providing data as part of contractual obligations and as part of orders to process PD.

7.2 The subject of PD decides to provide his/her PD to the Operator and gives consent to the processing of the PD and/or consent to advertising and informational mailing freely, of his/her own will and in his/her own interest. The consent to process PD and/or consent to advertising and informational mailing is specific, informed and conscious and may be given by the subject in any form that allows him/her to confirm its receipt, unless otherwise provided by federal laws.

In particular, consent shall be deemed given if the subject of PD remains on the site (for cookies) or checks the box next to the relevant text – consent to the processing of PD / consent to receive information and promotional mailings / consent to this Policy on processing PD – in the registration form on the site or in the mobile application.

Consent may also be obtained by the subject of PD confirming his/her consent to the processing of PD during an IVR call, USSD, SMS or chat-bot session, as well as in any other way described in the Operator’s rules of conducting marketing campaigns.

In case consent to the processing of PD is received from a representative of the subject of PD, the authority of this representative to give consent on behalf of the subject of PD may be verified by the Operator.

Subjects of PD consent to processing of their PD and/or consent to advertising and informational mailing by agreeing to the provision of information, services and the opportunity to participate in promotions held by and/or for the Operator, as well as by ticking off and providing requested information in feedback forms on the Operator’s websites.

The provision by subjects of PD of the PD requested by the Operator in specially created questionnaires, chat-bots or web forms on the websites of the Operator and/or of its counterparties organising and conducting campaigns in the interests of the Operator shall be deemed voluntarily provided consent to the processing of PD.

7.3 PD of subjects may be collected, further processed and stored both in hard copy and electronically by automated means.

All PD, regardless of the method of processing, shall be processed by the Operator in separate groups, depending on the established purposes of processing, and shall not be mixed.

PD recorded on paper shall be stored in a fireproof locker with restricted access to authorised employees only.

PD of subjects processed with the use of automation tools shall be stored in different folders (tabs) with restricted access, subject to security measures applied by authorised employees of the Company, while maintaining the confidentiality of personal access logins and passwords.

Storing and placing documents containing PD in open electronic directories (file sharing) in ISPD is prohibited.

PD shall be stored in a form enabling identification of the subject of PD for no longer than required by the purposes of their processing, and shall be destroyed upon attainment of the purposes of processing or when they are no longer needed, unless other requirements for the storage of PD are established by law.

7.4 Processing of Personal Data on request

7.4.1 In the course of its activities the Company will entrust processing of PD to third parties with consent of the subjects of PD, unless otherwise stipulated by the current legislation of the Russian Federation, on the condition that a person, processing PD on behalf of the Company, shall comply with principles and rules of PD processing and security established by the legislation of the Russian Federation.

7.4.2 In the course of its activities, the Company may act as a processor of PD on behalf of the Company’s client (Operator) with consent of the subjects of PD.

7.4.3 All terms of processing, areas of responsibility and obligations of the Parties shall be stated in the assignment, in compliance with the requirements of the laws of the Russian Federation.

7.4.4 There must be an agreement and an assignment for the processing of PD between the Processor and the Operator with the following mandatory terms:

– the name and contacts of the Operator;

– the name and contacts of the Processor;

– the obligation for the Processor to comply with the Principles of PD processing;

– the type of PD and the categories of data subjects;

– a list of the PD;

– a list of actions with the PD; the list of actions must not contradict the purposes and actions declared to the subject of the PD in the agreement with the Operator, consent and other documents;

– obligations to maintain privacy;

– PD processing purposes, which must not contradict the purposes declared to the subject of PD in the agreement with the Operator, consent etc;

– compliance with PD security requirements by the processor under Art. 19 of the Law on Personal Data;

– compliance with localization requirements;

– compliance with the requirements of Article 18.1 of the Law on Personal Data;

– the Processor’s need to notify the Operator about leaks of Personal Data transferred to the Processor under the Order;

– provision of data and documents on the execution of the assignment at the Operator’s request within the framework of the assignment.

7.4.5 Third parties to whom the PD shall be transferred:

– Third parties to whom the transfer is provided for by the legislation of the Russian Federation;

– Third parties, to whom the subject of PD has given his/her consent to the transfer of PD in his/her consent to the processing of PD.

7.4.6 The Operator shall make sure that the Processor shall apply technical and organisational measures that meet the requirements and ensure protection of the rights of the subjects of the PD under the assignment for processing.

7.4.7 The Processor shall not engage another Processor without the Operator’s prior written express or general permission. The Processor shall inform the Operator of any proposed changes. The Operator shall have the opportunity to raise objections to any changes.

7.4.8 The Company acts as the Processor on behalf of third parties (operators) to process PD on the following categories of subjects of PD: participants of promotions, medical representatives of the Company’s clients.

7.4.9 The list of third parties to whom the Company transfers PD of subjects of PD under the instruction to process PD is published on the Company’s official web-site in the public domain.

7.4.10 The Company, acting as a Processor under the assignment to process PD, may engage Sub-processors in order to perform obligations to the Operator’s PD subjects, as well as to ensure its legitimate interests. The Processor shall notify the client (the Operator) on a mandatory basis of the engagement of a Sub-processor. The Sub-processors shall be provided with a strictly limited set of data necessary to perform its duties. Before engaging a Sub-processor, the Processor will take all measures in its control to ensure the confidentiality of the data transfer.

7.5 The Operator shall not place or distribute the PD of subjects in publicly accessible sources without their special prior consent.

7.6 Cross-border transfer of PD

7.6.1 In the course of its activities, the Operator may transfer PD to legal entities or individuals in foreign countries across borders. In this case, the issues of adequate protection of the rights of subjects of PD and ensuring security of their PD in the cross-border transfer are a priority for the Operator, which shall be resolved in accordance with the laws of the Russian Federation in the field of PD protection.

7.6.2 The cross-border transfer of PD to foreign countries that do not provide for effective protection of rights of subjects of PD shall only take place if the subject of PD has consented in writing to the cross-border transfer of his/her PD; if the contract to which the subject of PD is a party is executed; and in other cases provided for by law. In order to ensure effective protection of PD, the Operator shall assess the damage that may be caused to subjects of PD in case of a breach of their PD security, as well as determine the current threats to PD security when processing them in PD information systems.

7.6.3 The Operator shall send a notification to the authorized body for the protection of rights of subjects of PD (Roskomnadzor) about the cross-border transfer and the grounds for such transfer in accordance with the requirements of Article 12(4) of the Law on Personal Data. At the same time, the Operator shall not start, or shall stop, the cross-border transfer to countries that do not provide sufficient protection of PD in case of receiving a ban from Roskomnadzor, in accordance with Article 12 Clause 7 of the Personal Data Law.

7.6.4 In accordance with the Operator’s main activity, when fulfilling its obligations to clients/counterparties, cross-border transfer is possible by routing electronic messages through foreign communication channels, in case the user’s e-mail address is registered in international mail services or in case the provider’s servers are located outside of the Russian Federation.

7.7 If the purpose of processing the PD is achieved, the Operator shall cease processing the PD, unless otherwise provided for by the requirements of the relevant laws of the Russian Federation.

The Operator shall set the following terms for ceasing the processing of PD:

– achievement of the PD processing purposes and the maximum storage period;

– expiration of the necessity to achieve the purposes of PD processing;

– provision by the subject of PD or his/her legal representative of data, confirming that the PD are illegally obtained or are not necessary for the stated processing purposes;

– inability to ensure lawfulness of PD processing;

– withdrawal of consent to process PD by the subject of the PD, if preservation of PD is no longer required for the purposes of PD processing;

– expiration of limitation period for legal relations, in the framework of which PD processing is performed or was performed;

– expiration of the deadline for consent to process PD;

– liquidation or reorganization of the Company.

In case of withdrawal of consent to process his/her PD by the subject of PD, the Operator shall cease data processing and ensure that third parties acting on behalf of the Operator cease such processing, unless otherwise provided by a contract between the Operator and the subject of PD, or if the Operator is entitled to process PD without the consent of the subject of PD on the basis of the requirements of the applicable laws of the Russian Federation.

The Operator shall cease processing the PD in case of termination of the contract and assignment for the processing of the PD with the client. The destruction of the PD shall take place within the period specified by the client, except for the PD/part of the PD which the Operator remains obliged to preserve in order to perform the function of tax agent under the tax legislation of the Russian Federation.

Destruction of documents (carriers) containing PD shall be performed by burning, crushing (shredding). A shredder may be used to destroy paper documents.

Data on electronic media shall be destroyed by erasing or formatting of the carrier.

Destruction shall be performed by a commission. The fact of destruction of PD shall be confirmed by a documented act on destruction of carriers, erasure from carriers, etc., signed by members of the commission.

8. Rights of the subject of PD

The subject of PD shall be entitled to demand clarification of his/her PD, their blocking or destruction in case the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take statutory measures to protect his/her rights.

The subject of PD shall have the right to receive information concerning the processing of his/her PD, including:

1) confirmation of the fact of processing of the PD by the Operator;

2) legal grounds and purposes of PD processing;

3) purposes and methods of PD processing used by the Operator;

4) name and location of the Operator, information on persons (excluding the Operator’s employees) who have access to PD or to whom PD may be disclosed under a contract with the Operator or under a federal law;

5) processed PD belonging to the respective subject of PD, the source of their receipt, unless other procedure for providing such data is stipulated by the federal law;

6) periods of processing of the PD, including their retention periods;

7) procedure of execution of rights provided by the Federal Law by the subject of PD;

8) information on actual or prospective cross-border data transfer;

9) name or full name and address of the person processing PD on request of the Operator, if the processing has been or will be assigned to such a person;

10) other data required by the legislation of the Russian Federation.

Any right of the subject of PD to access his/her PD may be restricted in accordance with federal laws, including if the subject’s access to his PD violates the rights and legitimate interests of third parties.

In order to realize and protect his/her rights and legitimate interests, the subject of PD is entitled to apply to the Operator with a corresponding request at the address: 123022, Moscow, Zvenigorodskaya 2-ya street, 43, or by e-mail: Admin@konnektu.ai. The Operator shall consider any applications, information requests and complaints from subjects of PD and shall send a response to the subject of PD within 10 (ten) business days of receipt of the respective request from such subject, or send a motivated notice specifying the reasons for extending the time to provide the requested information/response by 5 (five) business days. The Operator shall provide the requested information in the same manner in which the request was received unless the request itself specifies another way for the Operator to provide the requested information.

The Operator shall thoroughly investigate facts of violations and take all necessary measures to eliminate them immediately and resolve disputes and conflicts in pre-trial proceedings.

The subject of PD shall have the right to appeal against the Operator’s actions or omissions by appealing to an authorised body for the protection of the rights of the subjects of PD.

The subject of PD shall have the right to protect his/her rights and legitimate interests.

9. Rights and obligations of the Operator

9.1 The Operator shall have the right:

– to determine independently the scope and list of measures necessary and sufficient to ensure the fulfilment of the obligations provided for in the Personal Data Law and the regulations adopted in accordance therewith, unless otherwise provided for in the Law on Personal Data or other federal laws;

– to assign processing of PD to another person with the consent of the subject of PD, unless otherwise provided by the federal law, on the basis of the contract concluded with this person. The person processing PD on behalf of the Operator must comply with the principles and rules of personal data processing stipulated by the Law on Personal Data;

– to amend the list of third parties to whom the Operator is entitled to transfer PD with the consent of the subject of PD, which is located at www.konnektu.ai.

– in case the subject of PD withdraws consent to PD processing, the Operator shall be entitled to continue processing PD without the consent of the subject of PD, on the grounds specified in the Law on Personal Data.

9.2 The Operator is obliged to:

– organise the processing of PD in accordance with the requirements of the Law on Personal Data;

– respond to requests and enquiries of the subjects of PD and their legal representatives in accordance with the requirements of the Law on Personal Data;

– provide the authority responsible for protection of rights of subjects of PD (Roskomnadzor), at its request, with the necessary information within 10 (ten) working days from receipt of the request, or send a reasoned notice on the need to extend the period for providing the requested information for up to 5 (five) working days in accordance with the requirements of the Law on Personal Data.

10. Personal data protection

In accordance with the requirements of regulatory documents, the Company created a PD protection system (PDPS), which consists of legal, organisational and technical protection subsystems.

The legal protection subsystem is a set of legal, organizational and regulatory documents ensuring the creation, functioning and improvement of the PDPS.

The organizational protection subsystem includes organization of the PDPS management structure, permit system, protection of information when working with employees, partners and third parties, protection of information in the open press, publishing and advertising activities, and analytical work.

The technical protection subsystem includes a set of technical, software, and combined software and hardware tools ensuring PD protection.

The main PD protection measures used by the Company are as follows:

• Appointment of a person responsible for PD processing, who organizes PD processing, training and briefing, internal control over observance of PD protection requirements by the Company and its employees;

• Identification of actual threats to PD security in the course of their processing in ISPD, and elaboration of measures on PD protection;

• Development of local normative acts in relation to PD processing;

• Setting rules of access to PD, processed in ISPD, as well as ensuring registration and accounting of all actions, performed with PD in ISPD;

• Setting individual passwords for Company employees’ access to the information system in accordance with their job duties;

• Application of duly approved means of compliance assessment for the protection of information;

• Certified anti-virus software with regularly updated databases;

• Certified software to protect information from unauthorised access;

• Certified firewall and intrusion detection software;

• Compliance with conditions ensuring the safety of PD and excluding unauthorized access to it;

• Detection of unauthorised access to PD and taking measures;

• Restoring PD modified or destroyed as a result of unauthorised access to it;

• Training of Company’s employees, directly engaged in processing PD, within the requirements of the legislation of the Russian Federation in respect of protection of PD, including documents which define the Company’s policy on processing PD, local regulatory acts on processing of PD;

• Implementation of internal control and audit.

In case the Operator establishes the fact of unlawful or accidental transfer (provision, distribution, access) of PD, which led to breach of rights of subjects of PD, the Operator shall notify the authorized body on protection of rights of subjects of PD from the moment such incident was revealed:

1) within 24 hours on the incident that occurred, the alleged causes that led to the violation of the rights of the subjects of PD and the alleged harm caused to the rights of the subjects of PD, on the measures taken to eliminate the consequences of the relevant incident, as well as provide information on the person authorized by the operator to interact with the authorized body for the protection of the rights of subjects of PD regarding the issues related to the detected incident;

2) within 72 hours on the results of the internal investigation of the detected incident, and provide information on the persons whose actions caused the detected incident (if any).

11. Responsibility

Persons guilty of violating the rules governing the processing and protection of PD shall be responsible in accordance with the laws of the Russian Federation, local regulations of the Company and contracts governing the Company’s legal relationship with third parties.

Konnektu © 2024
