REGULATION
on Personal Data Processing

Saint Petersburg, 2017

1. GENERAL PROVISIONS

1.1. Regulation on Personal Data Processing (hereinafter referred to as the “Regulation”) is issued and applied by LUMI POLAR (Limited Liability Company), hereinafter referred to as the “Operator” in accordance with clause 2 part 1 article 18L of the Federal Law no. 152-FZ “On Personal Data” dated July, 27, 2006 (hereinafter referred to as the “Federal Law”).

This Regulation determines the policy, procedure and terms of the Operator with respect to processing of personal data (hereinafter referred to as the “Data”) establishing procedures aimed at prevention and detection of breaches of the laws, remedy of the effects of such breaches connected with personal data processing.

All issues, related to personal data processing and not covered by this Regulation, will be resolved in accordance with existing personal data laws .

1.2. The purposes of the Data processing will be:

- protection of human rights and freedoms in case of personal data processing, including protection of rights to privacy, personal and family secret;

- promotion of the Operator’s goods, work and services on the market by directly contacting a potential customer via the means of communication(in the manner stipulated by clause 2.6. of this Regulation);

- service quality increase provided to clients and consumers by the Operator;

- improvement in the quality of the services rendered by the Operator and the work carried out by the Operator.

1.3. This Regulation will not apply to relations, which emerge during:

1) arrangement of storage, integration, management and utilization of documents of the Archive Fund and other archive funds, which include personal data;

2) processing of personal data, which qualify as a state secret in accordance with the established procedure;

3) provision of information about activities of courts by authorized bodies.

1.4. Processing will be organized by the Operator on the principles of:

- legality of objectives and methods of Data processing, scrupulosity and fairness of the Operator’s activities;

- reliability of Data, their sufficiency for processing purposes, prohibition of processing the Data, which are redundant for the purposes claimed in the course of Data collection;

- processing the Data, which meet the objectives for processing thereof;

- correspondence of the content and volume of the processed Data with the claimed processing objectives. Processed Data should not be redundant with respect to claimed objectives of processing thereof;

- prohibition of consolidation of databases containing the Data, which are processed for inconsistent purposes;

- assurance of Data accuracy, sufficiency and, where necessary, relevance with respect to objectives of Data processing. The Operator will take or ensure taking necessary measures to delete or clarify incomplete or inaccurate data;

- keeping the Data in a form, giving an opportunity to determine the subject of personal data (hereinafter referred to as the “Subject”) within a period required for the purposes of personal data processing.

1.5. Data processing will be carried out in accordance with the principles and rules stipulated by the Federal Law and this Regulation.

1.6. Personal data may be processed:

- with the use of automation facilities;

- without the use of automation facilities.

1.7. The Operator may process the following Data:

1) Full name;

2) Address of permanent and/or temporary residence, stay, registration;

3) Mail address;

4) E-mail;

5) Date and place of birth;

6) Business occupation, hobbies and interests

7) Marital status;

8) Passport data and/or data from other official IDs;

9) Payment details and/or payment information, including data on current, foreign currency, personal and other bank accounts;

10) Any other information reported by the Subject to determine his/her needs for provision of services and performance of work.

Data Composition will be determined subject to the objectives stipulated by clause 1.2. of this Regulation. Data Composition may vary subject to the objective of processing thereof.

1.8. Subject to objectives and tasks, the Operator will, before commencement of Data processing, designate a person responsible for Data processing (hereinafter referred to as the “Responsible Person”).

1.8.1. The Responsible Person will receive instructions directly from the Operator’s executive body and will be accountable to it.

1.8.2. The Responsible Person may prepare and sign a notification stipulated by parts 1 and 3 article 22 of the Federal Law.

1.9. This Regulation and amendments hereto will be approved by the Operator’s Director General and implemented by his order.

1.10. The Operator’s employees who process the Data, before starting their work, should read, understand and accept in writing the provisions of the personal data laws, including the requirements to Data protection, documents, which determine the Operator’s policy with respect to Data processing, local acts related to Data processing, this Regulation and amendments hereto. If necessary, the Operator will arrange a relevant training for its employees.

1.11. When processing the Data, the Operator will take legal, organizational and technical measures aimed at the Data protection in accordance with article 19 of the Federal Law.

1.12. The Operator will protect the Data confidentiality in accordance with the Operator’s Confidentiality Regulation, if such Confidentiality Regulation is applied by the Operator. If the Company does not apply the Confidentiality Regulation, the Operator will apply generally accepted confidentiality standards to the Data.

1.13. Control over compliance of the laws and the Operator’s local acts by the Operator’s employees will be exercised in accordance with existing laws of the Russian Federation. Such control will include check of compliance with information protection requirements of regulatory documents, as well as assessment of reasonability and efficiency of measures, and is carried out on a contractual basis by third-party organizations licensed to perform activities aimed at technical protection of confidential information.

1.14. Audit of the Operator’s compliance with the laws and the Operator’s local regulations will be exercised in accordance with existing laws of the Russian Federation.

1.15. Assessment of damage, which may be inflicted on the Subjects in case of the Operator’s failure to meet the requirements of the Federal Law, will be carried out in accordance with articles 15, 151, 152, 1101 of the Civil Code.

1.16. The Operator will publish or otherwise grant an unrestricted access to this Regulation, other documents, which determine the Operator’s personal data processing policy, information about implemented Data protection requirements, on the following website: https://lumipolar.com.

1.17. When collecting Data with the use of information and telecommunication networks, the Operator,before starting Data processing, will publish in respective information and telecommunication network a document, which determines its Data processing policy, as well as information about implemented Data protection requirements and ensure the access to the document with the use of the relevant information and telecommunication network.

1.18. The Operator will provide documents and local acts specified in part 1 article 18.1 of the Federal Law and/or otherwise confirm adoption of measures specified in part 1 article 18.1 of the Federal Law, at the request from the authorized Subjects’ rights protection body, within 10 (ten) business days.

1.19. The Operator will process Data subject to the following terms and conditions:

1) Data will be processed with the consent of the Subject to processing of his/her Data;

2) Data processing is necessary for performance of the agreement, the party to which is the Subject;

3) Data processing is necessary for exercise of the rights and legal interests of the Operator;

4) Data processing is carried out in statistical or other research purposes, other than purposes specified in article 15 of the Federal Law, and subject to mandatory depersonalization of Data.

1.20. The Operator may instruct a third party to process Data on a contractual basis. Availability of the right to process Data and obligation of a person to maintain confidentiality of Data and safety of Data during processing thereof will be a material term of such contract.

1.21. Data should be stored in a form, which would allow to determine the Subject, within the time limits required for the purpose of processing thereof and will be deleted upon achieving the objectives of processing or in case when there is no longer a need for achieving such objectives.

1.22. Interaction with federal executive authorities responsible for processing and protection of Data of the Subjects, the Data of which are processed by the Operator, will be carried out in accordance with the laws.

2. PROCEDURE FOR ASSURANCE OF SUBJECT RIGHTS BY THE OPERATOR

2.1. The Subjects or their representatives will have the rights stipulated by the Federal Law and other laws and regulations on personal data processing.

2.2. The Operator will assure the Subjects’ rights in the manner stipulated by chapters 3 and 4 of the Federal Law.

2.3. The representative’s authority to represent the interests of each Subject will be confirmed by a power of attorney executed in accordance with the requirements of existing laws.

2.4. Information specified in part 7 article 14 of the Federal Law will be provided to the Subject by the Operator in available electronic form without the Data related to other Subjects, save when there are lawful grounds for disclosure of such Data. If requested by the Subject, they may be duplicated in hard copy. Available form will be certified by the Responsible Person or the Operator’s Director General.

2.5. Information specified in part 7 article 14 of the Federal Law will be provided to the Subject or his/her representative upon personal request or upon request from the Subject or his/her representative. Such request will include the reference number of the primary ID of the Subject and his/her representative (if the Subject addresses a request through his/her representative), information about the date of issue of such document and the issuing body, information, which proves participation of the Subject in relations with the Operator (number of the agreement, date of the agreement, conditional verbal name and/or other information), or information, which otherwise proves the fact of Data processing by the Operator, a signature of the Subject or his/her representative. If technically possible, such request may be sent in a form of electronic document and signed with electronic signature in accordance with the laws.

2.6. Data processing in order to promote goods, work and services on the market by directly contacting a potential customer with the use of the communication means will be allowed only with the prior consent of the Subject. Such consent must be received in writing. When using the Operator’s website, if the Subject sends, publishes, provides his/her Data, he/she confirms that he/she is aware of and accepts the terms of this Regulation at the same time when he/she sends, publishes or provides such Data; in this case no further written confirmations will be required.

2.7. At the Subject’s request, the Operator will immediately stop processing his/her Data, according to part 1 article 15 of the Federal Law.

2.8. The Operator will consider objection specified in part 3 article 16 of the Federal Law:

- with respect to legal relations, which have occurred before July 1, 2011 - within 7 (seven) business days from receipt of such objection;

- with respect to legal relations, which have occurred after July 1, 2011 - within 30 (thirty) days from receipt of such objection.

The Operator will inform the Subject of the results of the objection consideration within 10 (ten) business days.

2.9. The Operator will provide the Subject or his/her representative with an opportunity to become aware of the Data related to the Subject for free at its location during business hours.

2.10. The Operator will, within 10 (ten) business days from correction or deletion of Data, at the request of the Subject or his/her representative, inform the Subject of changes and measures and take reasonable measures to notify third parties, to which the Data of the Subject have been transferred to.

3. DATA PROCESSING PROCEDURE

3.1. The Director General of the Operator will determine the Data processing objective.

3.2. Subject to the Data processing objective, the Responsible Person will determine the methods and the terms of Data processing, the list of involved and responsible persons. Such methods, terms and persons will be approved by the Operator’s order.

3.3. The Responsible Person will:

- arrange the adoption of legal, organizational and technical measures to ensure protection of the Data processed by the Operator from unauthorized or accidental access, deletion, change, blocking, copying, provision, distribution of the Data and from other illegal actions with respect to the Data;

- exercise internal control over compliance with requirements of personal data laws, including requirements to Data protection, by his/her subordinates;

- inform the Operator’s employees of provisions of personal data laws, local regulations on Data processing issues, Data protection requirements;

- arrange acceptance and processing of the Subjects or their representatives’ requests and exercise control over acceptance and processing of such requests;

- in case of failure to meet the Data protection requirements, take necessary measures to restore infringed rights of the Subjects.

3.4. Subject to determined objectives, methods and terms, the Operator will collect Data during the following processes of interaction with the Subjects:during negotiations on conclusion, conclusion, execution,

- amendment and termination of transactions with clients and consumers;

- during provision of primary consultations to clients and consumers on services provided by the Operator and work carried out by the Operator;

- during analytical studies conducted with respect to its own clients and consumers;

- other processes, which imply receipt of Data from the Subject.

4. RESPONSIBILITIES OF THE DIRECTOR AND EMPLOYEES OF THE OPERATOR

4.1. The Director General of the Operator will:

- assist the Responsible Person in performance of his/her responsibilities;

- arrange remedy of revealed violations of the laws, laws and regulations of the authorized federal executive authority, internal regulations of the Operator, as well as the reasons and conditions, which facilitated such violations.

4.2. The Operator’s employees will:

- assist the Responsible Person in performance of his/her responsibilities;

- immediately inform their immediate supervisor and the Responsible Person (within his/her competence) of alleged violations of the laws, including laws and regulations of the authorized federal executive authority and internal regulations of the Operator, by other employees or counterparties of the Operator.

5. CONTROL, RESPONSIBILITY FOR VIOLATION OR NON-COMPLIANCE WITH THE REGULATION

5.1. The Responsible Person of the Director General will exercise control over compliance with the Regulation.

5.2. Persons, who violate or fail to meet the requirements of the Regulation, will be brought to disciplinary, administrative (articles 5.39, 13.11-13.14, 19.7 of the Code of Administrative Offenses) or criminal responsibility (articles 137, 140, 272 of the Criminal Code).

5.3. The Operator’s employees, who have subordinate employees, will be personally liable for the fulfillment of the requirements of this Regulation by their subordinates.