Personal Data Processing Policy

1. General provisions
1.1. This Policy of LLC Perception Technologies regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in pursuance of the requirements of Article 18.1 part 1 clause 2 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter referred to as the Personal Data Law) in order to ensure the protection of the rights and freedoms of a person and citizen in the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The Policy applies to all personal data processed by Perception Technologies Limited Liability Company (hereinafter referred to as the Operator, LLC Perception Technologies).
1.3. The Policy applies to relations in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.
1.4. In pursuance of the requirements of Article 18.1 part 2 of the Personal Data Law, this Policy is published in the public domain on the information and telecommunications network "Internet" at https://www.kalpagrama.com.
1.5. Basic concepts used in the Policy:
1.5.1 Personal data: any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
1.5.2. Operator: a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) performing the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed and the actions (operations) performed with personal data.
1.5.3. Personal Data Processing: any action (operation) or a series of actions (operations) with personal data performed with or without automation tools.

The personal data processing includes, among other things, the following:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- rectification (update, change);
- extraction;
- use;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- deletion;
- destruction.

1.5.4. Automated personal data processing: processing of personal data using computer technology.
1.5.5. Distribution of personal data: actions aimed at disclosing personal data to an indefinite range of persons.
1.5.6. Provision of personal data: actions aimed at disclosing personal data to a certain person or a certain range of persons.
1.5.7. Blocking of personal data: a temporary suspension of the personal data processing (unless the processing is necessary to rectify personal data).
1.5.8. Destruction of personal data: actions resulting in the impossibility to restore the content of personal data in the personal data information system and (or) in the destruction of material media bearing personal data.
1.5.9. Depersonalization of personal data: actions resulting in the impossibility to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
1.5.10. Personal data information system: a set of personal data contained in databases and information technologies and technical means that ensure their processing.
1.5.11. Cross-border transfer of personal data: transfer of personal data to the territory of a foreign state to the authorities of a foreign state, a foreign individual or a foreign legal entity.

1.6. Basic rights and obligations of the Operator.
1.6.1. The Operator has the right to:
- independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Personal Data Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided for by the Personal Data Law or other federal laws;
- entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the Personal Data Law;
- in the event that the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Personal Data Law.

1.6.2. The operator is obliged to:
- organize the processing of personal data in accordance with the requirements of the Personal Data Law;
- respond to requests and inquiries from subjects of personal data and their legal representatives in accordance with the requirements of the Personal Data Law;
- provide the authorized body for the protection of the rights of subjects of personal data (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) at the request of this body with the necessary information within thirty days from the date of receipt of such a request.

1.7. Basic rights of the subject of personal data.
The subject of personal data has the right to:
- receive information regarding the processing of their personal data, except as otherwise provided for by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, unless there are legal grounds for disclosing such personal data. The list of information and the procedure for its acquisition is established by the Personal Data Law;
- require the Operator to rectify, block or destruct their personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect their rights;
- put forward the condition of prior consent to processing personal data in order to promote goods, works and services on the market;
- appeal to Roskomnadzor or in court against illegal actions or inaction of the Operator in the course of processing their personal data.

1.8. The execution of the requirements of this Policy is supervised by an authorized person responsible for organizing the processing of personal data in the Operator's company.
1.9. Responsibility for violation of the requirements of the legislation of the Russian Federation and the regulations of LLC Perception Technologies in the area of processing and protecting personal data is determined in accordance with the legislation of the Russian Federation.

2. Purposes of personal data processing
2.1. The personal data processing is limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.

2.2. Only personal data that meet the purposes of their processing are subject to processing.

2.3. The Operator processes personal data for the following purposes:
- ensuring compliance with the Constitution of the Russian Federation, federal laws and other regulatory legal acts of the Russian Federation;
- carrying out its activities in accordance with the LLC Perception Technologies Charter;
- HR records keeping;
- assistance to employees in employment, education and promotion, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property;
- recruitment and selection of candidates to fill vacant positions in the Operator's company;
- organization of individual (personalized) record-keeping of employees in the compulsory pension insurance system;
- filling in and submitting the required reporting forms to the executive authorities and other authorized organizations;
- implementation of civil-law relations;
- accounting;
- implementation of access control;
- providing the opportunity to use websites in the information and telecommunications network "Internet", specified in clause 4.2.6 of the Policy (hereinafter referred to as the websites), in accordance with the documents specified in clause 3.1.10 of the Policy; providing users of the information and telecommunications network "Internet" (hereinafter referred to as users) with the opportunity to register on websites by creating accounts; providing users with access to personalized website resources, establishing feedback mechanisms and exchanging information with users, determining the location of users, confirming the accuracy and completeness of personal data provided by users; notification of users about changes in the terms of use of websites and (or) the terms of use of computer programs posted on websites or being components of websites; technical support for website users; sending information and (or) carrying out advertising activities with the consent of users.

2.4. Personal data of employees can be processed solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal grounds for the personal data processing
3.1. The legal basis for the personal data processing is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including the following:
3.1.1. Constitution of the Russian Federation.
3.1.2. Civil Code of the Russian Federation.
3.1.3. Labor Code of the Russian Federation.
3.1.4. Tax Code of the Russian Federation.
3.1.5. Federal Law No. 14-FZ of February 8, 1998 "On Limited Liability Companies".
3.1.6. Federal Law No. 402-FZ of December 6, 2011 "On Accounting".
3.1.7. Federal Law No. 167-FZ of December 15, 2001 "On Compulsory Pension Insurance in the Russian Federation".
3.1.8. Other regulatory legal acts regulating relations associated with the activities of the Operator.
3.1.9. LLC Perception Technologies Charter.
3.1.10. Agreements concluded between the Operator and subjects of personal data, including but not limited to agreements posted on Operator-owned websites in the information and telecommunications network "Internet", concluded by joining subjects of personal data.
3.1.11. Consent from subjects of personal data to the processing of their personal data.

4. Volume and categories of personal data processed, categories of personal data subjects
4.1. The content and volume of the personal data processed shall comply with the stated purposes of processing provided for in clause 2.3 of the Policy. The personal data processed shall not be excessive in relation to the stated purposes of their processing.

4.2. The Operator may process personal data of the following categories of personal data subjects:
4.2.1. Candidates to fill vacant positions in the Operator's company:
- full name;
- gender;
- citizenship;
- date and place of birth;
- contact details;
- information about education, work experience, qualifications;
- other personal data reported by candidates in CVs and letters of introduction.

4.2.2. Employees and former employees of the Operator:
- full name;
- gender;
- citizenship;
- date and place of birth;
- image (photo);
- passport data;
- registration address;
- residence address;
- contact details;
- individual taxpayer number;
- insurance number of an individual personal account;
- information about education, qualifications, professional training and proficiency enhancement;
- marital status, parental status, ties of kinship;
- information about labor activity, including incentives, awards and (or) disciplinary sanctions;
- data on marriage registration;
- information about military registration;
- information about disability;
- information about maintenance deduction;
- information about income from the previous employer;
- other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.3. Relatives of the Operator's employees:
- full name;
- degree of kinship;
- year of birth;
- other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.4. Counterparties of the Operator (individuals):
- full name;
- date and place of birth;
- passport data;
- registration address;
- contact details;
- position held;
- individual taxpayer number;
- current account number;
- other personal data provided by counterparties who are individuals, necessary for the conclusion and execution of contracts.

4.2.5. Representatives (employees) of the Operator's counterparties (legal entities):
- full name;
- passport data;
- contact details;
- position held;
- other personal data provided by representatives (employees) of counterparties necessary for the conclusion and execution of contracts.

4.2.6. Users of Operator-owned websites in the information and telecommunications network "Internet":
- full name;
- contact details, including subscriber phone number and e-mail address;
- network metadata identifiers, including URLs and HTTP-request headers, IP-address, Cookie data, information about the browser or other program that accesses the websites; technical characteristics of hardware and software, date and time of access to webpages, geo-identifier, search queries and addresses of requested webpages, information about transitions between webpages and actions taken on them.

4.3. The Operator processes biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish their identity) in accordance with the legislation of the Russian Federation.

4.4. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Russian Federation.

5. Procedure and conditions for processing personal data
5.1. Personal data are processed by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. Personal data are processed with the consent of the subjects of personal data to the processing of their personal data, as well as without it in cases provided for by the legislation of the Russian Federation.

5.3. The Operator carries out both automated and non-automated processing of personal data.

5.4. Personal data can be processed by authorized employees of the Operator whose duties include the processing of personal data.

5.5. Personal data are processed by:
- obtaining personal data in verbal and written form directly from the subjects of personal data;
- obtaining personal data from publicly available sources;
- entering personal data into the journals, registers and information systems of the Operator;
- other methods of personal data processing.

5.6. It is not allowed to disclose to third parties and distribute personal data without the consent of the subject of personal data, unless otherwise provided for by federal law. Consent to the processing of personal data authorized by the subject of personal data for distribution is obtained separately from other consents of the subject of personal data to the processing of their personal data.
The requirements for the content of the consent to the processing of personal data authorized by the subject of personal data for distribution are approved by Roskomnadzor Order No. 18 dated February 24, 2021.

5.7. Personal data are transferred to the bodies of inquiry and investigation, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive bodies and organizations in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, their destruction, modification, blocking, distribution and other unauthorized actions, including the following:
- determines threats to the security of personal data during their processing;
- adopts local regulations and other documents regulating relations in the area of processing and protection of personal data;
- appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
- creates the necessary conditions for personal data management;
- organizes accounting of documents containing personal data;
- organizes work with information systems in which personal data are processed;
- stores personal data under conditions that ensure their security and exclude unauthorized access to them;
- organizes training for the Operator's employees who process personal data.

5.9. The Operator stores personal data in a form that allows to determine the subject of personal data no longer than required by the purposes of processing personal data, if the period of storage of personal data is not established by federal law or contract.

5.10.When collecting personal data, specifically through the information and telecommunications network "Internet", the Operator ensures the recording, systematization, accumulation, storage, rectification (update, change) and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except as provided for in the Personal Data Law.

6. Update, correction, deletion and destruction of personal data, responses to subjects' requests for access to personal data

6.1. Confirmation of the fact of processing personal data by the Operator, the legal grounds and purposes of processing personal data, as well as other information specified in Article 14 part 7 of the Personal Data Law, are provided by the Operator to the subject of personal data or their representative upon contact or upon receipt of a request from the subject of personal data or their representative.
The information provided does not include personal data relating to other subjects of personal data, unless there are legal grounds for disclosing such personal data.

The request shall contain the following:
- the number of the main document proving the identity of the subject of personal data or their representative, information about the date of issue of this document and the issuing authority;
- information confirming that the subject of personal data has a relationship with the Operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing personal data by the Operator;
- signature of the personal data subject or their representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the application (request) of the personal data subject does not contain all the necessary information in accordance with the Personal Data Law requirements, or the subject does not have the right to access the requested information, then a reasoned refusal is sent to them.

The right of the subject of personal data to access their personal data may be limited in accordance with Article 14 part 8 of the Personal Data Law, specifically if the access of the subject of personal data to their personal data violates the rights and legitimate interests of third parties.

6.2. If personal data are found inaccurate, then, at the request of the subject of personal data or their representative, or at the request of Roskomnadzor, the Operator shall block personal data relating to this subject of personal data from the moment of such an application or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the subject of personal data or their representative or Roskomnadzor, or other necessary documents, shall rectify personal data within seven working days from the date of submission of such information and unblock these personal data.

6.3. If unlawful processing of personal data is detected, then, at the request (or upon submission of an application) of the subject of personal data or their representative or at the request of Roskomnadzor the Operator shall block the unlawfully processed personal data relating to this subject of personal data from the moment of such an application or receipt of the request.

6.4. Upon reaching the goals of processing personal data, as well as in the event that the subject of personal data withdraws consent to their processing, personal data shall be subject to destruction unless:
- otherwise provided for by the contract, the party to which is the subject of personal data acting as the beneficiary or the guarantee thereof;
- the Operator is entitled to process data without the consent of the subject of personal data on the grounds provided for by the Personal Data Law or other federal laws;
- otherwise provided for by another agreement between the Operator and the subject of personal data.


Edited on Feb. 22, 2022