ENRU

APPENDIX 1. SUPPLEMENTARY PROVISIONS FOR USERS LOCATED IN THE RUSSIAN FEDERATION

Where personal data of users residing in the Russian Federation is processed, we seek to consider the principles and requirements established by Federal Law No. 152-FZ of 27 July 2006 “On Personal Data”, as amended from time to time (the “Russian Personal Data Law”), to the extent applicable to us.

1. INTERPRETATION OF THIS POLICY FOR USERS IN RUSSIA

For users residing in the Russian Federation, this Policy shall be interpreted with due regard to the provisions of the Russian Personal Data Law. This Appendix supplements the main body of the Policy and is intended to provide additional information commonly included in privacy notices addressed to users in Russia. Unless otherwise expressly stated in this Appendix, the terms of the main body of this Policy remain fully applicable.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

When processing personal data of users residing in the Russian Federation, we seek to adhere to the following principles:

  • personal data shall be processed lawfully and fairly;
  • personal data shall be processed only for specific, predetermined, and legitimate purposes, and processing incompatible with the purposes of collection shall not be permitted;
  • databases containing personal data processed for incompatible purposes shall not be combined;
  • only personal data that is relevant to the stated purposes of processing shall be processed;
  • the content and volume of processed personal data shall correspond to the declared purposes of processing, and such personal data shall not be excessive in relation to those purposes;
  • when processing personal data, we seek to ensure the accuracy, sufficiency, and, where necessary, relevance of the personal data in relation to the purposes of processing, and to take appropriate measures, or ensure that such measures are taken, to delete or rectify incomplete or inaccurate data;
  • personal data shall be stored in a form that permits identification of the data subject for no longer than is required by the purposes of processing, unless a longer retention period is required by applicable law or by a contract to which the data subject is a party, beneficiary, or guarantor; and
  • once the purposes of processing have been achieved, or where the need to achieve such purposes no longer exists, personal data shall be deleted or anonymized unless otherwise required by applicable law.

3. RIGHTS OF DATA SUBJECTS IN THE RUSSIAN FEDERATION

If you reside in the Russian Federation, you have the rights of a personal-data subject provided under the Russian Personal Data Law, to the extent applicable. Such rights may include, among others, the right to receive information regarding the processing of your personal data, the right of access, the right to request rectification, updating, blocking, or deletion of personal data, as well as other rights provided by applicable law.

You may exercise such rights using the contact details specified in Section 10 and Section 13 of this Policy, or through any other means made available by us for privacy-related requests.

4. MEASURES AIMED AT ENSURING COMPLIANCE WITH PERSONAL-DATA LEGISLATION

We take the necessary and sufficient legal, organizational, and technical measures aimed at ensuring compliance with obligations relating to personal-data processing and security, taking into account the laws applicable to us as an international company and, where relevant, the provisions of the Russian Personal Data Law.

In particular, we may implement measures that include:

  • appointing a person responsible for the organization of personal-data processing;
  • adopting internal documents, policies, and procedures governing personal-data processing, including measures aimed at preventing and detecting violations of applicable law and addressing the consequences of such violations;
  • applying legal, organizational, and technical safeguards designed to ensure the security of personal data during processing;
  • carrying out internal control and/or audits of compliance of personal-data processing with applicable legal requirements and internal policies;
  • assessing potential harm that may be caused to data subjects in the event of violations and evaluating such risks against the measures taken by us; and
  • ensuring that personnel involved in personal-data processing are informed of applicable personal-data requirements and internal rules and, where appropriate, receive relevant training.

The specific set of measures implemented by us is determined by our internal policies, standards, and procedures.

5. PERSONAL-DATA SECURITY MEASURES

When determining the measures required to ensure the security of personal data, we may take into account, where relevant, the nature of the processed data, the risks associated with processing, and the requirements of applicable law. Such measures may include, where appropriate:

  • identification of security threats to personal data during processing in personal-data information systems;
  • implementation of organizational and technical safeguards necessary to ensure the protection of personal data and the required level of security;
  • use of information-security tools and protective measures that have undergone any required conformity-assessment procedures where such procedures are applicable;
  • assessment of the effectiveness of the implemented security measures;
  • maintaining records of media containing personal data where appropriate;
  • detection of unauthorized access to personal data and adoption of responsive measures;
  • restoration of personal data modified or destroyed as a result of unauthorized access;
  • establishment of access rules for personal data processed in information systems, as well as logging and accounting of actions performed with personal data where appropriate; and
  • monitoring and review of the measures taken to ensure the security of personal data and the applicable level of protection of information systems.

6. PRIORITY OF MANDATORY LEGAL REQUIREMENTS

Nothing in this Appendix shall be interpreted as limiting any rights of data subjects or any mandatory obligations that may apply under the Russian Personal Data Law. If mandatory provisions of applicable law in the Russian Federation require a different approach to processing, retention, protection, or disclosure of personal data, such mandatory provisions shall prevail to the extent applicable.