Personal Data Processing Policy

1. General Provisions

1.1.This Policy of Co. LTD "UralKhimSintez" (hereinafter, the Operator) regarding the processing of personal data (hereinafter, the Policy) defines the main goals, procedures, and conditions for the Operator’s processing of personal data, as well as measures to ensure the security of personal data.
1.2.This Policy is developed in accordance with Article 18.1 of the Federal Law dated July 27, 2006, No. 152-FZ "On Personal Data" (hereinafter, the 152-FZ).
1.3.This Policy is a publicly available document and is subject to publication on the Operator's official website in the information and telecommunications network Internet, including on pages that are used for the collection of personal data.
1.4.All employees of the Operator are guided by the provisions of this Policy.
1.5.The provisions of this Policy serve as the basis for the Operator to develop local regulatory acts that detail issues related to the processing and protection of personal data.

2. Key Definitions

2.1.Personal data – any information relating directly or indirectly to a specific or identifiable individual (the subject of personal data).
2.2.Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data.
2.3.Automated processing of personal data – processing of personal data using computer technology.
2.4.Dissemination of personal data – actions aimed at disclosing personal data to an unspecified group of individuals.
2.5.Provision of personal data – actions aimed at disclosing personal data to a specific individual or a defined group of individuals.
2.6.Blocking of personal data – temporary cessation of personal data processing (except in cases where processing is necessary for clarifying personal data).
2.7.Destruction of personal data – actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or as a result of which the physical media containing personal data are destroyed.
2.8.Anonymization of personal data – actions resulting in the impossibility of determining the affiliation of personal data to a specific subject of personal data without the use of additional information.
2.9.Personal data information system – a set of personal data contained in databases and the information technologies and technical means ensuring their processing.

3. Rights and Obligations of the Operator

3.1.The Operator has the right to:
– defend its interests in judicial bodies;
– with the consent of the subject of personal data, entrust the processing of their personal data to another person, if not otherwise provided by the 152-FZ, based on a contract concluded with that person;
– provide personal data of subjects to third parties if this is provided for by the legislation of the Russian Federation (transfer personal data to investigative bodies, law enforcement agencies, or other authorized bodies on grounds established by the legislation of the Russian Federation);
– refuse to provide personal data in cases provided for by the legislation of the Russian Federation;
– process the personal data of a subject without their consent in cases provided for by the legislation of the Russian Federation.
3.2.The Operator is obligated to:
– notify the authorized body for the protection of the rights of personal data subjects of its intention to process personal data before the start of such processing;
– inform the subject of personal data or their representative about the existence of personal data related to the respective subject of personal data and provide the opportunity to review these personal data upon request from the subject of personal data or their representative, or within the timeframe specified in Part 1 of Article 20 of the 152-FZ from the date of receiving the request from the subject of personal data or their representative;
– make changes to the personal data related to the subject of personal data within the timeframe specified in Part 3 of Article 20 of the 152-FZ from the day the subject of personal data or their representative provides information confirming that the personal data is incomplete, inaccurate, or outdated;
– destroy the personal data of the subject of personal data within the timeframe specified in Part 3 of Article 20 of the 152-FZ from the moment the subject of personal data or their representative provides information confirming that such personal data was obtained illegally or is not necessary for the stated purpose of processing;
– take measures that are necessary and sufficient to ensure compliance with the obligations stipulated by the 152-FZ and the regulatory legal acts adopted in accordance with it;
– ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation, except in cases provided for by the legislation of the Russian Federation.

4. Rights of Personal Data Subjects

4.1.Personal data subjects have the right to:
– full information about their personal data processed by the Operator;
– access to their personal data, including the right to obtain a copy of any record containing their personal data, except in cases provided for by the legislation of the Russian Federation;
– clarification of their personal data, as well as its blocking or destruction if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
– withdrawal of consent to the processing of personal data;
– taking measures provided for by the legislation of the Russian Federation to protect their rights;
– challenging unlawful actions or omissions during the processing and protection of their personal data in the authorized body for the protection of personal data subjects' rights or through legal proceedings;
– exercising other rights provided for by the legislation of the Russian Federation.

5. Main Purposes of Personal Data Processing

5.1.The Operator processes personal data for the purposes of:
– ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, as well as the Operator’s local regulatory acts;
– fulfilling the functions, powers, and obligations imposed on the Operator by the legislation of the Russian Federation, including the provision of personal data to government authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, and other state bodies;
– зprotecting the life, health, or other vital interests of personal data subjects;
– preparing, concluding, executing, and terminating contracts with the Operator’s counterparties;
– creating and maintaining reference databases for the informational support of the Operator’s activities;
– enforcing court decisions, acts of other authorities or officials that are subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings.

6. Legal Basis for Personal Data Processing

6.1.Labor Code of the Russian Federation;
6.2.Civil Code of the Russian Federation;
6.3.Tax Code of the Russian Federation;
6.4.Federal Law No. 402-FZ of December 6, 2011, "On Accounting";
6.5.Federal Law No. 81-FZ of May 19, 1995, "On State Benefits to Citizens with Children";
6.6.Federal Law No. 181-FZ of November 24, 1995, "On Social Protection of Disabled Persons in the Russian Federation";
6.7.Federal Law No. 27-FZ of April 1, 1996, "On Individual (Personalized) Record Keeping in the System of Mandatory Pension Insurance";
6.8.Federal Law No. 53-FZ of March 28, 1998, "On Military Duty and Military Service";
6.9.Federal Law No. 125-FZ of July 24, 1998, "On Mandatory Social Insurance Against Industrial Accidents and Occupational Diseases";
6.10.Federal Law No. 165-FZ of July 16, 1999, "On the Basics of Mandatory Social Insurance";
6.11.Federal Law No. 166-FZ of December 15, 2001, "On State Pensions in the Russian Federation";
6.12.Federal Law No. 167-FZ of December 15, 2001, "On Mandatory Pension Insurance in the Russian Federation";
6.13.Federal Law No. 173-FZ of December 17, 2001, "On Labor Pensions in the Russian Federation";
6.14.Federal Law No. 255-FZ of December 29, 2006, "On Mandatory Social Insurance in Case of Temporary Disability and in Connection with Maternity";
6.15.Federal Law No. 126-FZ of July 7, 2003, "On Communications";
6.16.Federal Law No. 149-FZ of July 27, 2006, "On Information, Information Technologies, and the Protection of Information";
6.17.Federal Law No. 63-FZ of April 6, 2011, "On Electronic Signatures";
6.18.Charter and other constituent documents of the Operator;
6.19.Consent of the personal data subject to the processing of their personal data;
6.20.Contracts concluded between the Operator and personal data subjects.

7. Categories of Processed Personal Data and Categories of Subjects

7.1. To achieve the processing purposes outlined in this Policy, the Operator processes personal data of its employees as well as other personal data subjects not in employment relationships with the Operator, including:
– employees of the Operator, former employees, and their close relatives and representatives;
– job applicants;
– employees and representatives of counterparties;
– visitors to the Operator’s facilities and participants in events organized by the Operator;
– subjects whose personal data have been transferred to the Operator by third parties under concluded contracts;
– personal data subjects with whom the Operator has entered into contracts.
7.2.The list of personal data processed by the Operator is determined in accordance with the legislation of the Russian Federation and the Operator’s local regulatory acts, taking into account the purposes of personal data processing specified in this Policy.
7.3.The Operator is not entitled to obtain or process personal data related to racial or ethnic origin, political, religious, or philosophical beliefs, private life, or health status, except in cases provided for by federal laws.
7.4.For informational support, the Operator may create publicly accessible sources (including directories and address books) that may include personal data provided by the personal data subject with their written consent, unless otherwise provided by the legislation of the Russian Federation.
7.5.The Operator may process biometric personal data of personal data subjects with the written consent of the subjects, unless otherwise provided by the legislation of the Russian Federation.

8. Procedure and Conditions for Personal Data Processing

8.1.The Operator performs the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data.
8.2.Personal data processing is carried out in the following ways:
– Non-automated processing of personal data;
– Automated processing of personal data with or without the transmission of information via information and telecommunication networks;
– Mixed processing of personal data.
8.3.The Operator processes personal data with the consent of the personal data subject for the processing of their personal data, unless otherwise provided by the legislation of the Russian Federation.
8.4.Personal data of subjects is stored in a form that allows the identification of the personal data subject, but no longer than required to achieve the purposes of their processing, unless the storage period for personal data is established by federal law, a contract in which the personal data subject is a party, beneficiary, or guarantor.
8.5. The conditions for terminating personal data processing may include:
– Achievement of the purposes of personal data processing;
– Expiration of the consent period or withdrawal of consent by the personal data subject for the processing of their personal data;
– Termination of the Operator’s activities (liquidation or reorganization);
– A request from the personal data subject to the Operator to terminate the processing of their personal data in accordance with Part 5.1 of Article 21 of the 152-FZ.
8.6.When processing personal data, the Operator takes necessary and sufficient legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, disclosure, dissemination, and other unlawful actions regarding personal data, including:
– Appointment of a person responsible for organizing the processing of personal data;
– Adoption of local regulatory acts and other documents on the processing and protection of personal data;
– Identification of threats to the security of personal data during their processing in personal data information systems;
– Implementation of legal, organizational, and technical measures to ensure the security of personal data during their processing;
– Conducting internal control and/or audits to ensure compliance of personal data processing with the 152-FZ and the regulatory legal acts adopted in accordance with it, requirements for personal data protection, this policy, and the Operator’s local acts;
– Assessment of harm that may be caused to personal data subjects in the event of non-compliance with the 152-FZ, as well as comparing such harm with the measures taken by the Operator to fulfill its obligations under the 152-FZ;
– Familiarizing the Operator’s employees directly involved in personal data processing with the provisions of the legislation of the Russian Federation on personal data and local acts on personal data processing matters, and, if necessary, organizing training for such employees;
– Obtaining consents from personal data subjects for the processing of their personal data, except in cases provided for by the legislation of the Russian Federation;
– Other measures provided for by the legislation of the Russian Federation on personal data.
8.7.Employees of the Operator who are guilty of violating the requirements of the 152-FZ and the regulatory legal acts adopted in accordance with it shall bear disciplinary, administrative, civil, or criminal liability in accordance with the legislation of the Russian Federation.

9. Clarification, Correction, Deletion, and Destruction of Personal Data

9.1.In the event that the inaccuracy of personal data is confirmed, the personal data must be clarified by the Operator, and if the unlawfulness of their processing is confirmed, the processing must be terminated.
9.2.Upon achieving the purposes of personal data processing, as well as in the event that the personal data subject withdraws consent for their processing, the Operator is obligated to cease processing or ensure the cessation of such processing (if the personal data is processed by another party acting on behalf of the Operator) and, if the retention of personal data is no longer necessary for the purposes of personal data processing, destroy the personal data or ensure their destruction (if the personal data is processed by another party acting on behalf of the Operator) within the timeframe specified in Part 5 of Article 21 of the 152-FZ, unless:
– otherwise provided by a contract in which the personal data subject is a party, beneficiary, or guarantor;
– the Operator is not entitled to process the data without the consent of the personal data subject based on the provisions of the 152-FZ or other federal laws;
– otherwise agreed upon between the Operator and the personal data subject.
9.3.In the event that it is not possible to destroy the personal data within the timeframe specified in Clause 9.2, the Operator shall block such personal data and ensure their destruction within the timeframe specified in Part 6 of Article 21 of the 152-FZ.