Home

Personal Data Processing Policy

The policy of the limited liability Company "Digital Constellation" regarding the processing of personal data

For the purpose of ensuring compliance with the requirements of the legislation of the Russian Federation, the Limited Liability Company "Tsifrovoe sozvezdie" (Digital Constellation), LLC "Tsifrovoe sozvezdie" (PSRN (OGRN) 1247700106961, TIN (INN) 9726067259, location address: 117525, Moscow, internal territory of the municipal district of Chertanovo Severnoe, Dnepropetrovskaya street, building 4B) does everything possible to ensure the confidentiality and security of personal data of Users of the Internet platform located on the information and telecommunications network "Internet" at: nashel.ru/en/ (hereinafter – the Internet Platform).

1. General Provisions

1.1. This Policy of the limited liability company "Tsifrovoe sozvezdie" regarding the processing of personal data (hereinafter - the Policy) is developed in execution of the requirements of clause 2, part 1, article 18.1 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" (hereinafter - the Law on Personal Data) to ensure the protection of human and civil rights and freedoms during the processing of his personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Policy defines the procedure and conditions for the processing of personal data by the Operator, including the procedure for transferring personal data to third parties, features of non-automated processing of personal data, the procedure for accessing personal data, the system for protecting personal data, the procedure for organizing internal control and responsibility for violations in the processing of personal data, as well as other issues.

1.3. The Policy applies to all personal data processed by the limited liability company "Tsifrovoe sozvezdie" (hereinafter - the Operator, LLC "Tsifrovoe sozvezdie").

1.4. The Policy applies to relations in the field of personal data processing that arose for the Operator both before and after the approval of this Policy.

1.5. In execution of the requirements of part 2, article 18.1 of the Law on Personal Data, this Policy is published in free access on the information and telecommunications network Internet on the Operator's website.

2. Basic Concepts Used in the Policy

Operator – Limited Liability Company "TSIFROVOE SOZVEZDIE" (PSRN (OGRN) 1247700106961, TIN (INN) 9726067259, legal address: 117525, Moscow, Dnepropetrovskaya st, b. 4b), which is the owner and holder of exclusive rights to the Internet Portal.

Internet Portal - An Internet resource located on the information and telecommunications network "Internet", intended for buying, selling, renting special equipment and components for it, as well as the possibility of providing and receiving related services, access to which the Operator provides to Users at the electronic address: https://nashel.ru/en/, access to which is carried out by accessing through a traditional and publicly available Internet browser (Internet Explorer, Firefox, Safari, Opera, Flock, Maxthon, Google Chrome, Yandex Browser, Edge, etc. of various versions) and in other ways by a unified locator of the information resource, consisting of letters, numbers and other symbols, allowing to uniquely determine its location on the Internet, including the mobile version of the Site, Telegram bot, mobile application, intranet and ftp-server, as well as its subdomains and versions for other hardware platforms. The Internet Portal is a complex object within the meaning of Article 1240 of the Civil Code of the Russian Federation, the creation of which is organized by the Operator.

Telegram bot - A program that is part of the Internet Portal, within the functionality of the Telegram messenger, located on the information and telecommunications network "Internet" at: https://t.me/nashel_ru_bot.

Portal Website - https://nashel.ru/en/.

Token – A unique set of characters identifying the User in accounts of third-party web services (social networks, messengers, and others). The token allows authorized connection to the Internet Portal using authorization through third-party web services (social networks, messengers, and others).

Personal Data - Any information relating to a directly or indirectly identified or identifiable individual (subject of personal data). An identifiable individual is a person who can be identified directly or indirectly, in particular, by reference to an identifier such as a name, surname, email address, phone number, and other data that is transmitted to the Operator during the use of the Internet Portal using software installed on the User's Device (including location data, HTTP headers, IP address, "cookie" file data, information about the User's browser, technical characteristics of the equipment and software used by the User, date and time of access to the Internet Portal, addresses of requested pages of the Internet Portal and other similar information), one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. Furthermore, for the purposes of this policy, personal data also includes information about the User, the processing of which is provided for by the Agreement governing the procedure for using the Internet Portal. In accordance with Decree of the President of the RF of March 6, 1997 No. 188, personal data is classified as confidential information. The Operator collects only such personal data that is necessary for the performance of the Agreement.

Processing of Personal Data - Any action (operation) or set of actions (operations) performed with personal data, using automation tools or without them. Processing of personal data includes, among other things: collection; recording; systematization; accumulation; storage; clarification (update, change); extraction; use; transfer (distribution, provision, access); depersonalization; blocking; deletion; destruction.

Automated Processing of Personal Data - Processing of personal data using computer technology.

Non-Automated Processing of Personal Data - Processing of personal data without the use of automation means – processing of personal data contained in an information system of personal data or extracted from such a system in cases where such actions with personal data as use, clarification, distribution, destruction of personal data in relation to each of the subjects of personal data are carried out with the direct participation of a person.

Dissemination of Personal Data - Actions aimed at disclosing personal data to an indefinite circle of persons;

Provision of Personal Data - Actions aimed at disclosing personal data to a specific person or a specific circle of persons;

Blocking of Personal Data - Temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

Destruction of Personal Data - Actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed;

Depersonalization of Personal Data - Actions as a result of which it becomes impossible without the use of additional information to determine the belonging of personal data to a specific subject of personal data;

Information System of Personal Data - A set of personal data contained in databases and information technologies and technical means ensuring their processing.

Use of Personal Data – Actions (operations) with personal data performed for the purpose of making decisions, concluding transactions or other actions generating legal consequences for the subjects of personal data or otherwise affecting their rights and freedoms or the rights and freedoms of other persons.

Publicly Available Personal Data – Personal data, access to which by an unlimited circle of persons is provided with the consent of the subject or which, in accordance with applicable law, is not subject to confidentiality requirements.

Processor – Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of and on the instructions of the Operator. A Partner of the Operator may act as a Processor in the sense in which this term is defined by the User Documentation.

Recipient – Means a natural or legal person, public authority, agency or other body to which personal data are disclosed, whether they are third parties or not.

Third Party – Means a natural or legal person, public authority, agency or other body, other than the data subject, the processor, as well as persons authorized to process personal data under the direct authority of the Operator or the Processor.

Confidentiality of Personal Data – A mandatory requirement for the person who has gained access to personal data not to allow their dissemination without the consent of the subject or other legal grounds.

Device, User Device – A computer, mobile device, or virtual machine running on an operating system compatible with the Internet Portal with a compatible web browser installed.

Statistics – Information about the use of the Internet Portal, additional functionality, the website as a whole, about the interaction of Users with the Account, collected using Counters, "cookie" files, web beacons, and other similar technologies.

Counter, Tracker – Part of the Site, a computer program using a code fragment responsible for collecting statistical and personal data about the use of the Site. The Operator may use counters of its own development as well as those provided by third parties under a limited license (license agreement), for example, Yandex.Metrica and other similar counters. Counters collect personal data in a depersonalized form.

IP Address – A number from the numbering resource of a data transmission network built on the basis of the IP protocol (RFC 791), uniquely identifying, when providing telematic communication services, including Internet access, the subscriber terminal (computer, smartphone, tablet, other device) or communication means included in the information system and belonging to the User.

HTTP Header – A string in an HTTP message containing a colon-separated name-value pair. The format of HTTP headers corresponds to the general format of text network message headers of ARPA, described in document RFC 822.

Web Beacons – Images in electronic form (single-pixel (1x1) or empty GIF images). Web beacons can help the Operator recognize certain types of information on the User's device, for example, "cookie" files, the time and date of viewing the page, and a description of the page where the web beacon is placed.

All other terms and definitions found in the text of the Policy are interpreted by the Parties in accordance with the legislation of the Russian Federation, the User Agreement, current recommendations (RFC) of international standardization bodies on the Internet, and the customary rules for interpreting the relevant terms on the Internet.

2. Purposes of Collecting Personal Data

2.1. The processing of personal data is limited to achieving specific, predetermined, and lawful purposes. Processing of personal data incompatible with the purposes of collecting personal data is not permitted.

2.2. Only personal data that meets the purposes of their processing are subject to processing.

2.3. The processing of personal data by the Operator is carried out for the following purposes:

· Promotion of goods, works, services on the market.

· Conclusion and execution of the Agreement or any other contract with the Operator or between Users of the Internet Portal.

2.4. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal Grounds for Processing Personal Data

3.1. The legal grounds for processing personal data are a set of regulatory legal acts, in execution of and in accordance with which the Operator processes personal data, including:

· Constitution of the Russian Federation;

· Civil Code of the Russian Federation;

· Labor Code of the Russian Federation;

· Tax Code of the Russian Federation;

· Federal Law of July 27, 2006 N 152-FZ "On Personal Data";

· Federal Law of February 8, 1998 N 14-FZ "On Limited Liability Companies";

· Federal Law of December 6, 2011 N 402-FZ "On Accounting";

· Federal Law of December 15, 2001 N 167-FZ "On Mandatory Pension Insurance in the Russian Federation";

· Other regulatory legal acts governing relations related to the Operator's activities.

3.2. The legal grounds for processing personal data are also:

· The charter of LLC "Tsifrovoe sozvezdie";

· Contracts concluded between the Operator and the subjects of personal data;

· User Agreement on the use of the Internet Portal;

· Consent of the subjects of personal data to the processing of their personal data.

3.3. Processing of the User's personal data is carried out by the Operator only if the User has reached the age of 16. If the User is under 16 years old, the mandatory consent of the User's legal representatives is required; otherwise, upon detection of age discrepancy, the Operator deletes the User's data from the Internet Portal. If the requirements of applicable law set a lower or higher age, the provisions of the applicable law shall apply.

3.4. Processing of the User's personal data is carried out on the basis and in execution of the Agreement governing the procedure for using the Internet Portal and other agreements or contracts concluded between the User and the Operator.

3.5. Processing of the User's personal data may be carried out on the basis of his separate consent to such processing, which may be expressed, including directly when using the Internet Portal by pressing the appropriate button or by marking the indicator of the corresponding checkbox. The validity period of such User consent is specified in its text.

4. Volume and Categories of Processed Personal Data, Categories of Personal Data Subjects

4.1. The content and volume of processed personal data must correspond to the stated processing purposes provided for in Section 2 of this Policy.

4.2. The Operator may receive the User's personal data from various sources, in particular:

· From the Internet Portal or the Operator's website during their operation;

· When the User registers on the Internet Portal;

· When the User contacts the technical support service of the Internet Portal;

· When the User participates in marketing programs, various offers, promotions, and advertising events of the Operator related to the Internet Portal.

4.3. Personal data permitted for processing in accordance with the policy and provided by Users who are individuals using the Internet Portal both on their own behalf and on behalf of the individual entrepreneur or legal entity they represent, by filling in the relevant input fields when using the Internet Portal.

4.4. Processed personal data must not be excessive in relation to the stated purposes of their processing.

4.5. The Operator may process personal data of the following categories of personal data subjects.

No.1
Purpose of Personal Data Processing	Promotion of goods, works, services on the market
Categories of personal data	Last name, first name, patronymic, email address, "cookies" file data; data collected by counters; data obtained using web beacons; addresses of requested pages of the Internet Portal; User's geolocation data.
Categories of subjects whose personal data is processed	Counterparties, Representatives of counterparties, Clients, Users, Website Visitors, Beneficiaries under contracts.
Legal basis for processing personal data	Processing of personal data is carried out with the consent of the personal data subject to the processing of his personal data.
List of actions with personal data	Dissemination, Collection, Recording, Systematization, Accumulation, Storage, Clarification (update, change), Extraction, Use, Transfer (provision, access), Depersonalization, Blocking, Deletion, Destruction.
Processing of personal data	Mixed, with transfer via the internal network of the legal entity, with transfer via the Internet.
No. 2
Purpose of Personal Data Processing	Conclusion and execution of the Agreement or any other contract with the Operator or between Users of the Internet Portal.
Categories of personal data	Last name, first name, patronymic, email address, residential address, registration address, phone number, TIN of an individual; place of work; position, information about work activity (including work experience, data on current employment indicating the name of the organization), photo image, token; HTTP headers; IP address of the User's device; "cookies" file data; data collected by counters; data obtained using web beacons; information about the User's browser; technical characteristics of the device and software; technical data on the operation of the Internet Portal, including dates and times of use and access to the Internet Portal; addresses of requested pages of the Internet Portal; User's geolocation data;
Categories of subjects whose personal data is processed	Counterparties, Representatives of counterparties, Clients, Users, Website Visitors, Beneficiaries under contracts;
Legal basis for processing personal data	Processing of personal data is carried out with the consent of the personal data subject to the processing of his personal data;
List of actions with personal data	Dissemination, Collection, Recording, Systematization, Accumulation, Storage, Clarification (update, change), Extraction, Use, Transfer (provision, access), Depersonalization, Blocking, Deletion, Destruction.

4.6. The Operator does not process biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established).

4.7. The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except for cases provided for by the legislation of the Russian Federation.

4.8. Processing of personal data permitted by the personal data subject for dissemination is carried out on the basis of the consent of the personal data subject for dissemination, subject to the prohibitions and conditions for processing personal data established by the personal data subject. When placing personal data in the Profile or in other sections of the Internet Portal, as a result of which such data is published on open pages of the Internet Portal, the User makes such data Publicly Available. Regarding such data, the User gives consent to the dissemination of the specified personal data with a limitation: dissemination exclusively on the Internet Portal.

4.9. If the subject of personal data, during the Registration process or during the use of the Internet Portal on his own initiative, provides personal data in a larger volume than provided for by the functionality of the Internet Portal, the Operator has the right not to process such personal data. When the Operator processes such personal data, the processing is carried out in accordance with the rules established by this Policy. Consent to the processing of such data from the subject of personal data is considered received by the Operator at the time of provision of such data.

4.10. The Operator does not carry out cross-border transfer of personal data.

5. Consent to the Processing of Personal Data

5.1. The subject of personal data makes the decision to provide his personal data and gives consent to their processing freely, of his own free will and in his own interest.

5.2. Consent to the processing of personal data is specific, substantive, informed, conscious, and unambiguous.

5.3. In the case of processing the User's personal data on the basis and in execution of the Agreement governing the procedure for using the Internet Portal, and other agreements or contracts concluded between the User and the Operator using the Internet Portal, such processing of the User's personal data is carried out on the basis of clause 5, article 6 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" and does not require separate consent.

5.4. In the case of processing the User's personal data on the basis of his separate consent to such processing, expressed directly when using the Internet Portal by pressing the corresponding button or by marking the indicator of the corresponding checkbox, such consent to the processing of personal data is provided by the User in the form of an electronic document signed with a simple electronic signature in accordance with the Agreement governing the procedure for using the Internet Portal.

5.5. By providing Personal Data, the Subject of personal data assures and guarantees to the Operator that:

- The User provides his Personal Data, which are reliable, complete, and up-to-date;

- The User providing Personal Data of other individuals has the appropriate authority and has obtained the consent required by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" for the transfer of his personal data to the Operator.

5.6. Consent to the processing of personal data may be withdrawn.

6. Procedure and Conditions for Processing Personal Data

6.1. Processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

6.2. Processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without it in cases provided for by the legislation of the Russian Federation.

6.3. The Operator processes personal data for each purpose of their processing by the following methods:

· Non-automated processing of personal data;

· Automated processing of personal data with or without transmission of the received information via information and telecommunication networks;

· Mixed processing of personal data.

· Employees of the Operator whose job responsibilities include the processing of personal data are permitted to process personal data.

6.4. Processing of personal data for each processing purpose specified in clause 2.3 of the Policy is carried out by:

· Receiving personal data orally and in writing directly from the subjects of personal data;

· Entering personal data into journals, registers, and information systems of the Operator;

· Using other methods of processing personal data.

6.5. The Operator stores personal data in a form that allows identification of the subject of personal data for no longer than required by each purpose of personal data processing, unless the storage period for personal data is established by federal law or contract.

6.6. Personal data on paper media are stored in LLC "Tsifrovoe sozvezdie" for the storage periods of documents for which these periods are provided for by the legislation on archiving in the Russian Federation (Federal Law of October 22, 2004 N 125-FZ "On Archiving in the Russian Federation", the List of standard administrative archival documents generated in the course of activities of state bodies, local self-government bodies and organizations, indicating their storage periods (approved by Order of Rosarkhiv dated December 20, 2019 N 236)).

6.7. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper media.

6.8. The Operator ceases the processing of personal data in the following cases: a fact of their unlawful processing is identified. The period is within 3 working days from the date of identification;

· The purpose of their processing has been achieved;

· The validity period has expired or the consent of the subject of personal data to the processing of the said data has been withdrawn, when according to the Law on Personal Data, the processing of this data is permitted only with consent.

6.9. Upon achieving the purposes of processing personal data, as well as in the case of the subject of personal data withdrawing consent to their processing, the Operator ceases the processing of these data if:

· Not otherwise provided for by the contract, of which the subject of personal data is a party, beneficiary, or guarantor;

· The Operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Law on Personal Data or other federal laws;

· Not otherwise provided for by another agreement between the Operator and the subject of personal data.

6.10. When the subject of personal data contacts the Operator with a demand to cease the processing of personal data within a period not exceeding 10 working days from the date the Operator receives the corresponding demand, the processing of personal data shall cease, except for cases provided for by the Law on Personal Data. The specified period may be extended, but by no more than five working days. For this, the Operator must send a motivated notification to the subject of personal data indicating the reasons for the extension.

6.11. When collecting personal data, including via the information and telecommunications network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in the Law on Personal Data.

7. Transfer of Personal Data

7.1. Disclosure to third parties and dissemination of personal data without the consent of the subject of personal data is not permitted, unless otherwise provided by federal law. Consent for the processing of personal data permitted by the subject of personal data for dissemination is formalized separately from other consents of the subject of personal data for the processing of his personal data.

7.2. The requirements for the content of consent to the processing of personal data permitted by the subject of personal data for dissemination are approved by Order of Roskomnadzor dated February 24, 2021 N 18.

7.3. The Operator has the right to transfer the User's personal data to third parties using modern encryption methods via the secure HTTPS protocol in the following cases:

· The User has consented to such actions, expressed in accordance with the terms of the Agreement on the use of the Internet Portal;

· The transfer is necessary for the User to use certain functionality of the Internet Portal (for example, for authorization through social network accounts) or for the execution of a specific agreement, contract, or transaction with the User;

· The transfer is provided for by the legislation of the Russian Federation or other applicable legislation within the framework of the procedure established by law;

· In case of transfer of rights to the Internet Portal, it is necessary to transfer personal data to the acquirer simultaneously with the transfer of all obligations to comply with the terms of the policy regarding the personal data received by him;

· If it is necessary to ensure the possibility of protecting the rights and legitimate interests of the Operator or third parties when the User violates the policy or the Agreement on the use of the Internet Portal;

· In other cases provided by law.

7.4. If a personal data breach could create a high risk to the rights and freedoms of individuals, the Operator shall notify the User of the personal data breach without undue delay. Communication to the data subject is not required if any of the following conditions are met: (a) The Operator has implemented appropriate technical and organizational protective security measures, and those measures were applied to the personal data affected by the breach, including measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; (b) The Operator has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; (c) It would involve disproportionate effort. In this case, a public communication or similar measure shall be undertaken whereby the data subjects are informed in an equally effective manner.

7.5. The Operator takes necessary organizational and technical measures to protect the User's personal data from unlawful or accidental access, destruction, alteration, blocking, copying, dissemination, as well as from other unlawful actions by third parties. In particular, all processed data is transmitted using modern encryption methods via the secure HTTPS protocol.

7.6. The Operator, together with the User, takes all necessary measures to prevent losses or other negative consequences caused by the loss or unauthorized disclosure of the User's personal data.

7.7. The transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Social Fund of Russia, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

8. Rights and Obligations

8.1. The Operator has the right to:

1) Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations provided for by the Law on Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;

2) Entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Law on Personal Data, maintain the confidentiality of personal data, and take necessary measures aimed at ensuring the fulfillment of obligations provided for by the Law on Personal Data;

3) In case the subject of personal data withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in the Law on Personal Data.

8.2. The Operator is obliged to:

1) Organize the processing of personal data in accordance with the requirements of the Law on Personal Data;

2) Respond to appeals and requests from subjects of personal data and their legal representatives in accordance with the requirements of the Law on Personal Data;

3) Provide the authorized body for the protection of the rights of subjects of personal data (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with the necessary information upon request of this body within 10 working days from the date of receipt of such request. This period may be extended, but by no more than five working days. For this, the Operator must send a motivated notification to Roskomnadzor indicating the reasons for extending the period for providing the requested information;

4) In the manner determined by the federal executive body authorized in the field of security, ensure interaction with the state system for detecting, preventing, and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing it about computer incidents that led to the unlawful transfer (provision, dissemination, access) of personal data.

8.3. The subject of personal data has the right to:

1) Receive information relating to the processing of his personal data, except in cases provided for by federal laws. The information is provided to the subject of personal data by the Operator in an accessible form, and it must not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Law on Personal Data;

2) Require the operator to clarify, block, or destroy his personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as take legal measures to protect his rights;

3) Give prior consent to the processing of personal data for the purpose of promoting goods, works, and services on the market;

4) Appeal unlawful actions or inaction of the Operator in the processing of his personal data to Roskomnadzor or in court.

8.4. The subject of personal data is obliged to:

1) Provide only his current and reliable personal data.

8.5. Control over the fulfillment of the requirements of this Policy is carried out by the authorized person responsible for organizing the processing of personal data at the Operator.

8.6. Liability for violation of the requirements of the legislation of the Russian Federation and regulatory acts of LLC "Tsifrovoe sozvezdie" in the field of processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

9. Information on the Implemented Requirements for the Protection of Personal Data

9.1. The security of personal data during their processing in the information system is ensured by a personal data protection system that neutralizes current threats, defined in accordance with part 5 of article 19 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".

9.2. The personal data protection system used by the Operator includes legal, organizational, technical, and other measures to ensure the security of personal data, defined taking into account current threats to the security of personal data and the information technologies used in information systems.

9.3. Regarding personal data for which the User has consented to their processing by third parties, the Operator has the right to engage, on the basis of a contract, another person ensuring the security of personal data during their processing in the information system.

9.4. When processing personal data in the Operator's information system, the latter ensures:

• Conducting measures aimed at preventing unauthorized access to the User's personal data and/or their transfer to persons not entitled to access such information;

• Timely detection of facts of unauthorized access to personal data;

• Preventing impact on the technical means involved in the processing of personal data, which could disrupt their functioning;

• The possibility of immediate restoration of personal data modified or destroyed due to unauthorized access to them;

• Constant control over ensuring the level of protection of personal data.

• For the purposes of complying with security requirements and implementing the personal data security system, the Operator has developed and implemented a private threat model for the security of the personal data information system.

9.5. The Operator, in accordance with the Decree of the Government of the Russian Federation of November 1, 2012 No. 1119 "On Approval of Requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems," has determined the level of protection of personal data during their processing in the personal data information system owned by the Operator.

9.6. The Operator, based on the results of determining the level of protection of personal data during their processing in the personal data information system without the use of automation means, has developed and implemented a set of measures for the protection and security of personal data.

9.7. The Operator uses technical means and software for processing and protecting personal data and maintains a log of accounting for personal data protection means.

9.8. The Operator maintains a log of accounting and storage of removable media containing personal data.

9.9. The technical means ensuring the functioning of the personal data information system are located in premises owned by the Operator under the right of ownership or other property right (lease, free use, etc.). The technical means ensuring the functioning of the personal data information system of Users - citizens of the Russian Federation are located on the territory of the Russian Federation.

9.10. All employees of the Operator permitted to work with personal data, as well as those related to the operation and maintenance of the personal data information system, are familiar with the requirements of the policy, as well as with the internal documents of the Operator regulating the procedure for working with personal data.

9.11. The Operator has organized a training process for employees on the procedure for using the personal data protection means operated by the Operator. Employees who have constant access to personal data and employees related to the operation and maintenance of the personal data information system and personal data protection means undergo training.

9.12. The internal documents of the Operator establish that employees are obliged to immediately report to the relevant official of the Operator about the loss, damage, or shortage of media containing personal data, as well as about attempts of unauthorized disclosure of personal data, its causes and conditions.

10. Procedure for Collecting Personal Data Using "Cookies" Files, Web Beacons, and Counters

10.1. "Cookies" files transmitted from the Operator to the User's device and from the User to the Operator may be used by the Operator to achieve the purposes of processing personal data in accordance with the privacy and personal data processing policy.

10.2.The Operator uses various types of "cookies" on the Internet Portal, which serve different purposes and, depending on them, may be classified into one of the following categories:

· "Mandatory," i.e., "cookies" files that are strictly necessary for the functioning of critical components of the Internet Portal, identification of the technical characteristics of the User's device and the software used, as well as authorization and payment by the User;

· "Analytical," i.e., "cookies" files that allow the Internet Portal to recognize Users, count their number, and collect information about the operations they performed on the Internet Portal, including information about actions performed on the Internet Portal;

· "Technical," i.e., "cookies" files that allow collecting information about the interaction of Users with the Internet Portal to identify errors and test new features to improve the performance of the Internet Portal;

· "Functional," i.e., "cookies" files that allow the User to receive certain functions of the Internet Portal, interact with the interface of the Internet Portal and use its capabilities, record information about actions performed on the Internet Portal and configure the Internet Portal in accordance with the User's needs to remember the information entered by the User, save the preferred language, location, etc.;

· "Third-party," i.e., "cookies" files that collect information about the User, traffic sources, User actions and advertising displayed to the User, as well as advertising through which the User clicked to the Internet Portal, for the purpose of displaying advertising that may interest the User based on the analysis of the collected information. The specified "cookies" are also used for statistical and research purposes.

10.3. The Operator does not explicitly request consent when using mandatory "cookies" files. If the User does not wish his personal data to be collected using mandatory "cookies" files, he can disable their provision to the Operator in the software (browser) on his device. In this case, the User will no longer have access to the functional capabilities of the Internet Portal related to mandatory "cookies" files, which may lead to complete inoperability or incorrect operation of the Internet Portal. 10.4. Functional and analytical "cookies" files the Operator may use only with the consent of the User, which is generally expressed by accepting the Agreement and starting to use the Internet Portal. Otherwise, the User has the right to refuse the use of such "cookies" files by disabling them in the settings without harm to its functionality.

10.5. The User agrees that his devices and software used to work with the Internet Portal, depending on their version and configuration, may or may not have the function to prohibit operations with "cookies" files for any or specific sites and applications, as well as the function to delete previously received "cookies" files (for example, the browser's private mode).

10.6. The Operator has the right to set a requirement for the User's device for mandatory permission to receive and accept "cookies" files in connection with security requirements.

10.7. The structure of the "cookies" file, its content and technical parameters are determined by the Operator and may be changed without prior notice to the User. The User has the right to obtain all necessary information about "cookies" files by sending a request to the Operator in the manner established by the privacy policy and the Agreement on the processing of personal data.

10.8. Counters placed by the Operator on the Internet Portal may be used by the Operator to analyze "cookies" files and collect personal data about the use of the Internet Portal for the purpose of improving the quality of the Internet Portal's work, the level of its usability, and improving the Internet Portal. The technical parameters of the counters' operation are determined by the Operator and may be changed without prior notice to the User.

10.9. The Operator may use web beacons both separately and in conjunction with "cookies" files to collect information about the use of the Internet Portal. The User has the right to block web beacons when using the Internet Portal by prohibiting the loading of images in the settings of his software (browser).

11. Updating, Correction, Deletion, Destruction of Personal Data

11.1. The subject of personal data can at any time change, update, supplement, or delete the personal data provided by him by sending a request to the Operator at the email address: info@nashel.ru with the note "Updating personal data" or "Withdrawal of consent to the processing of personal data".

11.2. The request must contain:

· The number of the main identity document of the subject of personal data or his representative, information about the date of issue of the specified document and the issuing authority;

· Information confirming the participation of the subject of personal data in relations with the Operator (contract number, date of contract conclusion, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;

· The signature of the subject of personal data or his representative.

· The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

11.3. The User can also at any time change, update, supplement, or delete the personal data provided by him or part of them using the interface of the Internet Portal.

11.4. In case the Operator independently identifies a fact of incompleteness or inaccuracy of personal data, the Operator takes all possible measures to update the personal data and make appropriate corrections.

11.5. If it is impossible to update incomplete or inaccurate personal data of the User, the Operator takes measures to delete them.

11.6. If the unlawfulness of processing personal data is identified, their processing by the Operator is terminated, and the personal data are subject to deletion.

11.7. In case of malfunction of the Internet Portal interface or lack of functional capability of the Internet Portal for the User to change, update, supplement, or delete personal data, as well as in any other cases, the User has the right to demand in writing from the Operator to clarify his personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the stated purpose of processing.

11.8. The Operator makes the necessary changes to personal data that are incomplete, inaccurate, or outdated within a period not exceeding seven working days from the date the Subject provides information confirming that the personal data are incomplete, inaccurate, or outdated.

11.9. If the Operator, Roskomnadzor, or another interested party identifies a fact of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data), which resulted in a violation of the rights of subjects of personal data, the Operator:

· Within 24 hours - notifies Roskomnadzor about the incident that occurred, the presumed reasons that led to the violation of the rights of subjects of personal data, the presumed harm caused to the rights of subjects of personal data, and the measures taken to eliminate the consequences of the incident, and also provides information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;

· Within 72 hours - notifies Roskomnadzor about the results of the internal investigation of the identified incident and provides information about the persons whose actions caused it (if available).

11.10. The Operator notifies about the changes made and measures taken and takes reasonable measures to notify third parties to whom the personal data of this Subject were transferred.

11.11. The rights of the Subject to change, update, supplement, or delete personal data may be limited in accordance with legal requirements. Such restrictions, in particular, may provide for the obligation of the Operator to save changed, updated, supplemented, or deleted personal data for a period specified by law and transfer such personal data in accordance with the established procedure to state authorities.

12. Procedure for Destruction of Personal Data by the Operator.

12.1. Conditions and terms for the destruction of personal data by the Operator:

· Achievement of the purpose of processing personal data or loss of the need to achieve this purpose - within 30 days;

· Achievement of the maximum storage periods for documents containing personal data - within 30 days;

· Provision by the subject of personal data (his representative) of confirmation that the personal data was obtained unlawfully or is not necessary for the stated purpose of processing, - within seven working days;

· Withdrawal by the subject of personal data of consent to the processing of his personal data, if their retention for the purpose of their processing is no longer required - within 30 days.

12.2. Upon achieving the purpose of processing personal data, and also in the case of the subject of personal data withdrawing consent to their processing, personal data are subject to destruction, if:

· Not otherwise provided for by the contract, of which the subject of personal data is a party, beneficiary, or guarantor;

· The operator is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Law on Personal Data or other federal laws;

· Not otherwise provided for by another agreement between the Operator and the subject of personal data.

12.3. The destruction of personal data is carried out by a commission created by order of the General Director of LLC "Tsifrovoe sozvezdie".

12.4. Methods for the destruction of personal data are established in the local regulatory acts of the Operator.

13. Responses to User Requests for Access to Personal Data

13.1. The User has the right to receive from the Operator information relating to the processing of their personal data, including containing:

Confirmation of the fact of processing of personal data by the Operator;

• Legal grounds and purposes of processing personal data;

• Purposes and methods of processing personal data applied by the Operator;

• Name and location of the Operator, information about persons (except for employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Operator or on the basis of federal law;

• Processed personal data relating to the relevant User, the source of their receipt, unless a different procedure for presenting such data is provided for by federal law;

• Terms of processing personal data, including their storage periods;

• Procedure for the User to exercise the rights provided for by the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data";

• Information about the completed or intended cross-border transfer of data;

• Name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing is or will be entrusted to such a person;

• Information about the methods of the operator fulfilling the obligations established by Article 18.1 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data";

• Other information provided by law.

13.2. The Operator provides the opportunity free of charge to review the processed and stored personal data of the User in the Operator's information system upon the User's request within ten working days from the date of receipt of the User's written request.

13.3. In case of the Operator's refusal to provide information about the existence of personal data about the User or personal data to the User upon his request or upon receipt of the User's request, the Operator provides a written motivated response, which is the basis for such refusal, within a period not exceeding thirty days from the day of the User's request or from the date of receipt of the User's request. The specified period may be extended, but by no more than five working days in case the Operator sends a motivated notification to the subject of personal data indicating the reasons for extending the period for providing the requested information.

14. Final Provisions

14.1. The start of use of the Internet Portal by the User means his agreement with the terms of the policy. In case of the User's disagreement with the terms of the policy, the use of the Internet Portal must be immediately terminated.

14.2. The law of the Russian Federation shall apply to the policy and to the relations arising in connection with the application of the policy.

14.3. The Policy regarding the processing of personal data is in constant open access on the Operator's website at the following link:https://nashel.ru/en/info/policy/