GENERAL PROVISIONS AND DEFINITIONS
    1. This Personal Data Processing and Protection Policy (hereinafter referred to as the “Policy”) has been developed and is applied by CJSC Evalar (hereinafter referred to as the “Operator”) in accordance with Sub-clause 2, Part 1, Article 18.1 of Federal Law “On Personal Data” No. 152-FZ dd. 27.07.2006 (hereinafter referred to as the “Law”).
    2. This Policy defines the Operator’s policy with regard to processing and protecting personal data accepted for processing, the procedure and conditions for processing personal data of individuals who provide their personal data to the Operator for processing (hereinafter referred to as “Personal Data Subjects”) using or without using automation facilities, sets out the procedures aimed at preventing violations of Russian Federation laws and eliminating the consequences of violations associated with personal data processing.
    3. This Policy has been developed with a view to ensuring protection of the rights and freedoms of Personal Data Subjects as their personal data are being processed, and to define liability of the Operator’s officers who have access to personal data of Personal Data Subjects for failure to comply with the requirements and rules governing personal data processing.
    4. This Policy shall not apply to the relations:

      - arising in the course of processing personal data of the Operator’s employees, as such relations are governed by a separate in-house regulation;

      - that are not subject to the Law (clause 1, article 1 of the Law).

    5. The Operator shall process the following personal data:

      - Surname, given name, patronymic;

      - Electronic mail address;

      - Telephone number;

      - Address;

      - Date of birth;

      - Gender;

      - Social media accounts data;

      - Internet pages requested;

      - Cookie files;

      - IP addresses;

      - Purchase history.

    6. Should any person unintentionally receive any information which is not specified in this clause, such person shall immediately destroy such information.
    7. The Operator shall process personal data of Personal Data Subjects for the following purposes:

      - registration and/or authorization of a Personal Data Subject on the Operator’s website at shop.evalar.ru, as well as on other websites managed by the Operator;

      - entering into and performing agreements to which a User is a party in accordance with the terms and conditions of a Public Offer including agreements for retail sale and purchase of Goods and commercial service agreements;

      - processing orders placed by a Personal Data Subject and performing its obligations before such Personal Data Subject;

      - informing Personal Data Subjects of promotions, special offers, new goods and services;

      - providing Order status information;

      - posting by Users and Buyers of their feedback about the Goods;

      - quality analysis of the service provided by the Operator and improving the quality of the Operator’s customer service;

      - identification of Users and Buyers in Promotion Campaigns, ensuring the procedure for crediting, recording and using bonus points provided under User and Buyer loyalty programs;

      - performance by the Operator of its obligations to hold Promotion Campaigns; meeting other Website Terms of Use as provided by Website Use Rules;

      - for other purposes, provided that the Operator’s relevant actions do not contradict applicable law and the Operator’s scope of activities, and the consent to the aforesaid processing has been obtained from the Personal Data Subject concerned;

    8. The Operator shall process personal data of Personal Data Subjects by performing any action (operation) or a series of actions (operations) with or without using automation facilities, including:

      - collection;

      - recording;

      - systematization;

      - accumulation;

      - storage;

      - refinement (updating, amendment);

      - extraction;

      - use;

      - transfer (dissemination, provision, access);

      - depersonalization;

      - blocking;

      - deletion;

      - destruction.

    9. Definitions:

      - Operator means a government authority, a municipal authority, a legal entity or an individual arranging for and/or performing the processing of personal data and defining the purposes and scope of personal data processing.

      - Personal data means any information related to a directly or indirectly identified or identifiable individual (citizen).

      - Personal data processing means any action (operation) or a series of actions (operations) with personal data performed using or without using automation facilities, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.

      - PDP Supervisor means the Operator’s officer in charge of organizing the processing of Personal Data Subjects’ personal data, whose position may not be lower than the head of a structural subdivision.

      - Mailing Group Service means the Operator’s structural unit responsible for organizing the processing of Personal Data Subjects’ personal data.

  1. PRINCIPLES OF PERSONAL DATA PROCESSING, SECURITY.

    Personal data security shall be understood as the protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data and other illegal actions in respect of personal data. The Operator shall take necessary legal, organizational and technical measures to protect personal data.

    1. The Operator shall be guided by the following principles when processing personal data:

      - lawfulness and fairness;

      - obtaining, in a timely and reliable manner, the consent from a Personal Data Subject to his/her personal data being processed;

      - processing of only those personal data that meet the purposes for which they are processed;

      - the scope and amount of personal data being processed must conform to the purposes for which they are processed. Personal data being processed may not be excessive in relation to the purposes for which they are processed;

      - combining databases containing personal data that are processed for incompatible purposes is not allowed;

      - personal data must be accurate, sufficient and, where necessary, relevant to the purposes of personal data processing. The Operator shall take necessary steps or cause the same to be taken to have incomplete or inaccurate data deleted or destroyed;

      - personal data must be stored in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of personal data processing;

      - ensuring that personal data are accurate, sufficient and relevant to the purposes of personal data processing;

      - personal data must be destroyed or depersonalized as soon as the purposes of processing thereof have been achieved or if the achievement of such purposes is no longer required.

    2. The Operator shall process personal data in compliance with the principles and rules provided for by:

      - Federal Law “On Personal Data” No. 152-FZ dd. 27.07.2006;

      - this Policy;

      - Article 12 of the Universal Declaration of Human Rights (1948);

      - Article 17 of the International Covenant on Civil and Political Rights (1966);

      - Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (1950);

      - provisions of the Commonwealth of Independent States Convention on Human Rights and Fundamental Freedoms (Minsk, 1995) ratified by the Russian Federation on 11.08.1998;

      - the provisions of the Okinawa Charter on Global Information Society adopted on July 22, 2000;

    3. The Operator shall process personal data in accordance with:

      - Russian Government Directive “On Approving the Requirements for Protection of Personal Data Processed in Personal Data Information Systems” No. 1119 dated 01.11.2012;

      - Order of the Russian Federal Service for Technical and Export Control (FSTEC) “On Approving the List and Scope of Organizational and Technical Measures for Protection of Personal Data Processed in Personal Data Information Systems” No. 21 dated 18.02.2013;

      - other regulatory and non-regulatory instruments governing personal data processing.

  2. OBTAINING PERSONAL DATA

    1. Personal data of Personal Data Subjects shall be obtained by the Operator:

      - directly from Personal Data Subjects when they enter their data on shop.evalar.ru website and other websites managed by the Operator;

      - directly from Personal Data Subjects when they contact the call center;

      - using any other methods that do not contradict the laws of the Russian Federation and the requirements of international law on the protection of personal data.

    2. The Operator shall obtain and start processing personal data once it has received the consent of the Personal Data Subject concerned. Consent to personal data processing may be given by Personal Data Subjects in any form that makes it possible to confirm the receipt of the consent, unless otherwise prescribed by federal law: in writing or any other form provided for by applicable law, including through conclusive actions performed by Personal Data Subjects.
    3. Consent to the processing of personal data shall be deemed given by a Personal Data Subject through the performance by such Personal Data Subject of all of the following conclusive actions:

      - checking the respective box in the relevant form to confirm the consent to the processing of personal data to the extent, for the purposes and in the manner described in the text intended for review before registration or placing an order.

      - Consent shall be deemed received upon such registration or order placement, subject to confirmation by the Personal Data Subject in the prescribed manner, and shall continue in effect until the Personal Data Subject sends a respective request for termination of personal data processing to the Operator’s location address.

      - In the absence of Personal Data Subject’s consent to the processing of his/her personal data, such processing shall not be performed.

    4. Personal data shall be obtained from other persons and personal data processing shall be assigned to other persons by the Operator under respective agreements containing the provisions on the procedure for processing personal data obtained and keeping them confidential.
    5. A Personal Data Subject may at any time withdraw his/her consent to the processing of personal data, provided that such procedure does not violate the requirements of the Russian Federation law.
    6. The procedure for withdrawing consent to the processing of personal data shall be as follows:

      to withdraw the consent to personal data processing given in writing, a respective request shall be sent in writing to the Operator’s location address.

    7. Where a Personal Data Subject withdraws his/her consent to the processing of his/her personal data, the Operator shall stop the processing thereof or cause the same to be stopped (if processing is performed by another person acting on behalf of the Operator), and if the retention of personal data is no longer required for the purposes of processing thereof, the Operator shall destroy personal data or cause the same to be destroyed (if the processing of personal data is performed by another person acting on behalf of the Operator) within a period not exceeding thirty (30) days following the receipt of the aforesaid withdrawal, unless otherwise provided by the agreement, to which the Personal Data Subject concerned is a party, the beneficiary or the surety, other agreement made by and between the Operator and the Personal Data Subject, or if the Operator may not process personal data without the consent of the Personal Data Subject on the grounds provided for by the Law or other federal laws.
  3. PERSONAL DATA PROCESSING RULES AND PROCEDURES

    1. Prior to the commencement of personal data processing, the Operator shall appoint a person in charge of organizing the processing of personal data, whose position may not be lower than the head of a structural subdivision, hereinafter referred to as the “PDP Supervisor”.
    2. Personal data shall be processed by the Operator’s duly authorized employees. Before starting their work, the Operator’s employees directly engaged in the processing of personal data shall be familiarized with:

      - the provisions of the Russian Federation law on personal data including the requirements applicable to the procedure for protecting personal data;

      - the documents defining the Operator’s policy with regard to personal data processing including this Policy, annexes and amendments hereto;

      - in-house regulations on personal data processing.

      The Operator’s employees may obtain only those personal data that they require to perform specific employment duties. The Operator’s employees engaged in the processing of personal data shall be informed about such processing, special aspects and rules of such processing established by regulatory legal instruments and the Operator’s internal documents.

    3. When processing personal data, the Operator shall apply legal, organizational and technical measures to ensure the security of personal data in accordance with Article 19 of the Law and the Methodology for Determining Actual Threats to the Security of Personal Data as They Are Processed in Personal Data Information Systems as approved by the FSTEC of the Russian Federation on February 14, 2008.
    4. The monitoring of compliance by the Operator’s employees with the Russian Federation law and rules of international law, as well as the provisions of the Operator’s in-house regulations shall be organized by the Operator in accordance with the Personal Data Processing Policy.
    5. Damage that may be caused to Personal Data Subjects in the event of violation by the Operator of the Law on Personal Data Processing shall be assessed in accordance with Articles 15, 151, 152, 1101 of the Civil Code of the Russian Federation.
    6. The Operator shall publish or otherwise provide unrestricted access to this Policy, other documents defining the Operator’s policy with respect to personal data processing and information on personal data protection requirements being implemented by posting them on the Operator’s electronic website.
    7. The following persons within the Organization shall have the right of access to personal data of Personal Data Subjects:

      - Director of the Organization;

      - PDP Supervisor;

      - employees engaged in the collection and processing of personal data;

      - Personal Data Subjects or their authorized representatives.

      The aforesaid persons shall have the right of access only to those personal data that they require to perform their specific functions, with copying and extracting allowed only with a written authorization issued by the PDP Supervisor, or as may be directly requested by a Personal Data Subject or his/her authorized representative. Should the Operator assign the processing of personal data to third parties, other than its employees, under respective agreements made with them (or on other grounds), pursuant to which they need to have access to personal data of Personal Data Subjects, respective data shall only be provided by the Operator upon the execution of a relevant agreement with the persons processing personal data on behalf of the Operator, which agreement shall define the list of actions (operations) with personal data to be performed by the person processing them and the purposes of such processing; such agreement shall also provide for the obligation of such person to keep personal data confidential, ensure the security of personal data during the processing thereof and specify the requirements applicable to the protection of personal data being processed as provided for by Article 19 of the Law.

  4. OPERATOR’S STRUCTURAL SUBDIVISIONS ENGAGED IN PERSONAL DATA PROCESSING

    1. Personal data processing shall be organized by the Marketing Department’s Mailing Group (hereinafter referred to as the “Mailing Group Service”).
    2. The Mailing Group Service shall report directly to the PDP Supervisor.
    3. The Mailing Group Service, under the direction of the PDP Supervisor shall:

      - familiarize the Operator’s employees with the provisions of the Russian Federation law on personal data, in-house regulations on personal data processing and personal data protection requirements;

      - organize personal data processing by Operator’s employees;

      - organize the receipt and processing of inquiries and requests from Personal Data Subjects or their representatives.

    4. Compliance by the Operator’s employees with the requirements of the Russian Federation law and the provisions of the Operator’s in-house regulations on personal data shall be monitored by the Operator’s executive body.
  5. PROCEDURE FOR ENSURING THE RIGHTS OF PERSONAL DATA SUBJECTS BY THE OPERATOR

    1. Personal Data Subjects or their representatives shall have the rights provided for by the Law and other regulations governing the processing of personal data.

    2. The Operator shall ensure that the rights of Personal Data Subjects are observed in the manner prescribed by the Law.

    3. The representative’s authority to represent the interests of each Personal Data Subject shall be confirmed by a power of attorney executed as prescribed by law. A copy of the representative’s power of attorney shall be retained by the Operator for at least three (3) years, and where personal data retention period exceeds three years – at least for the personal data retention period.

    4. The data specified in Part 7, Article 14 of the Law shall be provided to a Personal Data Subject by the PDP Service in accessible format and without personal data relating to other Personal Data Subjects, except where there are legal grounds for disclosure of such personal data in electronic format. They may also be provided in paper form at the request of the Personal Data Subject. The accessible form shall be certified by the PDP Supervisor or another PDP Service employee duly authorized by the respective order issued by the head of the Operator’s organization.

    5. The data specified in Part 7, Article 14 of the Law shall be provided to a Personal Data Subject or his/her representative upon request made in person or upon receipt by the Operator of a relevant request from the Personal Data Subject or his/her representative. Such request shall contain the number of the main identification document of the Personal Data Subject or his/her representative, information on the date of issue and the issuing authority of the aforesaid document, data confirming the relations between the Personal Data Subject and the Operator (agreement number and date, verbal designation and/or other information), or data otherwise confirming the processing of personal data by the Operator, the signature of Personal Data Subject or his/her representative. Where it is technically possible, such request may be sent in the form of an electronic document and signed with electronic signature in accordance with the laws of the Russian Federation.

    6. The Personal Data Subject’s right of access to his/her personal data may be restricted pursuant to federal laws, inter alia, as provided by Part 8, Article 14 of the Law.

    7. The Operator shall, at Personal Data Subject’s request, immediately terminate the processing of his/her personal data performed pursuant to Part 1, Article 15 of the Law.

    8. A decision entailing legal consequences for a Personal Data Subject or otherwise affecting his/her rights and legitimate interests may be made solely on the basis of automated processing of his/her personal data only with the consent of the Personal Data Subject given in writing or as provided for by federal laws that also establish measures to ensure the observance of the rights and legitimate interests of Personal Data Subjects.

    9. The Operator shall explain to Personal Data Subjects the decision making procedure based solely on automated processing of their personal data and possible legal consequences of such decision, make it possible for them to present their objections to such decision and explain the procedure that may be applied by Personal Data Subjects to protect their rights and legitimate interests.
      1. The Operator shall draft the text of such explanation prior to the commencement of personal data processing and retain it for at least 2 (two) years.
      2. Where automated processing of personal data is performed using various methods, the aforesaid explanation shall be prepared for each such method individually.
    10. The Operator shall review the objection to the decision made solely on the basis of automated processing of personal data within thirty (30) days following the receipt thereof. The Operator shall notify the Personal Data Subject of the results of the objection review within ten (10) days. Such notice may be given by the Operator in any form enabling the confirmation of the Personal Data Subject notification (by e-mail or using a web resource providing the Personal Data Subject with personal web space on the Website or the Internet websites of partner companies, by wire with acknowledgement of receipt or by mail with return receipt requested). The choice of the notice sending method shall be up to the Operator.
    11. The Operator shall, free of charge, give a Personal Data Subject or his/her representative the opportunity to review the personal data relating to that Personal Data Subject at the Operator’s location during working hours.
    12. The Operator shall make personal data relating to a Personal Data Subject available for review by such Personal Data Subject or his/her representative at the Operator’s office during working hours, free of charge. The Operator shall, within 5 days following any correction or destruction of personal data, notify the Personal Data Subject or his/her representative, upon request, of the changes made and the measures taken, and take reasonable steps to notify the third parties to whom personal data of the Subject concerned were transferred. Such notice may be made by the Operator in any form enabling the confirmation of the Personal Data Subject notification (by e-mail or wire with acknowledgement of receipt or by mail with return receipt requested or using any other method). The choice of the notice sending method shall be up to the Operator.
    13. No cross-border transfer of personal data shall be effected by the Operator.
  6. PERSONAL DATA RETENTION

    1. Personal data shall be retained in accordance with written consent of the Personal Data Subject and for the period set pursuant to the requirements of applicable laws of the Russian Federation. Where relevant regulations do not specify the retention period for certain types of personal data, such personal data shall be retained for the period specified in the written consent of the Personal Data Subject concerned.
    2. Personal data shall not be retained longer than it is required for the purposes of personal data processing. Personal data being processed shall be destroyed or depersonalized once the processing purposes thereof have been achieved or if the achievement of such purposes is no longer required (deletion of Personal Data Subject’s account).
    3. Personal data that have different processing purposes shall be stored separately within the information system or within the file structure of a respective Operator’s subdivision, if they are stored on tangible media.
    4. An Operator’s employee, who has access to personal data as part of performing his/her employment duties, shall ensure storage of information containing personal data of Personal Data Subjects that precludes access to it by any third party. There should be no documents containing personal data on such employee’s desk while he/she is out of the office. Where such employee takes a vacation, goes on a business trip or in other cases when he/she is out of the office for a long time, he/she shall hand over documents and other media containing personal data to a person who will be assigned to perform his/her employment duties by Operator’s in-house regulation. If no such person is appointed, documents and other media containing personal data of Personal Data Subjects shall be handed over to another employee who has access to personal data of Personal Data Subjects as instructed by the head of the relevant Operator’s structural subdivision.
  7. MONITORING, LIABILITY FOR VIOLATION OR NON-COMPLIANCE WITH THIS POLICY

    1. Monitoring of the implementation of this Policy shall be the responsibility of the PDP Supervisor.
    2. Persons guilty of violating the rules governing the obtaining, processing and protection of Personal Data Subjects’ personal data shall be subject to disciplinary action, administrative, civil or criminal liability.
  8. MISCELLANEOUS

    1. This Policy shall take effect upon the approval hereof by the Operator’s sole executive body.
    2. All Operator’s employees authorized to process personal data must be familiarized with this Policy before starting their work with personal data.