Personal Data Processing Policy

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter - the Policy) is drafted in accordance with Clause 2, Article 18.1 of the Federal Law "On Personal Data" No. 152-FZ dated July 27, 2006, and other regulatory legal acts of the Russian Federation in the field of personal data protection and processing. It applies to all personal data (hereinafter - data) that the Organization (hereinafter - Operator, Company) may obtain from a personal data subject who is a party to a civil law contract, or from an Internet user (hereinafter - User) while using any of the websites, services, programs, products or services of Unitel Engineering LLC.

1.2. The Operator ensures the protection of processed personal data against unauthorized access, disclosure, unlawful use, or loss in accordance with the requirements of Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006.

1.3. The Operator has the right to amend this Policy. When changes are made, the date of the last update is indicated in the Policy title. The new version of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by the new version of the Policy.

2. Terms and Abbreviations

Personal Data - any information relating to a directly or indirectly identified or identifiable natural person (personal data subject).

Processing of Personal Data - any action (operation) or set of actions (operations) performed with personal data using automation tools or without them, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated Processing of Personal Data - processing of personal data using computer technology.

Personal Data Information System (PDIS) - a set of personal data contained in databases and information technologies and technical means ensuring their processing.

Publicly Available Personal Data - personal data to which unrestricted access has been granted by the personal data subject or at their request.

Blocking of Personal Data - temporary termination of personal data processing (except where processing is necessary to clarify personal data).

Destruction of Personal Data - actions resulting in the impossibility to restore the content of personal data in the personal data information system and/or resulting in the destruction of physical media containing personal data.

Operator - an organization that independently or jointly with others organizes the processing of personal data and determines the purposes of processing, the composition of personal data to be processed, and the actions (operations) performed with personal data. The Operator is Unitel Engineering LLC (OGRN 1157746039560).

3. Processing of Personal Data

3.1. Collection of Personal Data.

3.1.1. All personal data is obtained by the Operator directly from the data subject.

3.1.2. The Operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, the procedure for its withdrawal, as well as the consequences of the subject's refusal to provide written consent for their collection.

3.2. Processing of Personal Data.

3.2.1. Processing of personal data is carried out:

- with the consent of the personal data subject to the processing of their personal data;

3.2.2. Purposes of personal data processing:

- to identify users (visitors) of the website, to communicate with the user, including sending notifications, requests and information related to the use of the website, execution of agreements and contracts, as well as processing user requests and applications.

3.2.3. Categories of personal data subjects.

Personal data of the following categories of subjects is processed:

- individuals who are users of the website of Unitel Engineering LLC.

3.2.4. Personal data processed by the Operator:

- data obtained from website users: Name, phone number, email address;

3.2.5. Processing of personal data is conducted:

- without the use of automation tools.

3.3. Storage of Personal Data.

3.3.1. Personal data of subjects may be collected, further processed, and stored on both paper and electronic media.

3.3.2. Personal data recorded on paper media is stored in locked cabinets or in locked premises with restricted access.

3.3.4. Storage and placement of documents containing personal data in open electronic directories (file sharing services) is prohibited.

3.3.5. Storage of personal data in a form that allows identification of the personal data subject is carried out no longer than required by the processing purposes, and they are subject to destruction upon achieving the processing purposes or when no longer necessary.

3.4. Destruction of Personal Data.

3.4.1. Destruction of documents (media) containing personal data is carried out by burning, shredding (grinding), chemical decomposition, transformation into a shapeless mass or powder. Use of shredders is permitted for destroying paper documents.

3.4.2. Personal data on electronic media is destroyed by erasing or formatting the media.

3.4.3. The fact of destruction of personal data is documented by a media destruction act.

3.5. Transfer of Personal Data.

3.5.1. The Operator transfers personal data to third parties in the following cases:

- transfer is provided for by Russian or other applicable legislation within the framework of legally established procedures.

3.5.2. List of recipients of personal data:

- law enforcement agencies of the Russian Federation in cases established by law;

4. Protection of Personal Data

4.1. In accordance with regulatory requirements, the Operator has established a personal data protection system.

4.4. Key personal data protection measures used by the Operator include:

4.4.5.2. Identification of current threats to personal data security during processing and development of personal data protection measures and actions.

4.5.3. Development of a personal data processing policy.

4.5.4. Establishing rules for access to personal data, and ensuring logging and accounting of all actions performed with personal data.

4.5.5. Setting individual access passwords for employees in the information system according to their job responsibilities.

4.5.6. Use of information security tools that have undergone conformity assessment procedures.

4.5.7. Certified antivirus software with regularly updated databases.

4.5.8. Compliance with conditions ensuring the safety of personal data and preventing unauthorized access.

4.5.9. Detection of unauthorized access to personal data and taking appropriate measures.

4.5.10. Restoration of personal data modified or destroyed due to unauthorized access.

4.5.11. Training of the Operator's employees directly involved in personal data processing on the provisions of Russian legislation on personal data, including protection requirements, documents defining the Operator's policy regarding personal data processing, and local regulations on personal data processing.

4.5.12. Conducting internal control and audits.

5. Basic Rights of Personal Data Subjects and Operator's Obligations

5.1. Basic Rights of Personal Data Subjects.

The subject has the right to access their personal data and the following information:

- confirmation of personal data processing by the Operator;

- legal grounds and purposes of personal data processing;

- purposes and methods of personal data processing used by the Operator;

- name and location of the Operator;

- periods of personal data processing, including storage periods;

- procedure for exercising the rights provided by the Federal Law;

- contacting the Operator and sending requests;

- appealing against actions or inaction of the Operator.

5.2. Operator's Obligations.

The Operator is obliged to:

- when collecting personal data, provide information about the processing;

- notify the subject if personal data was not obtained directly from them;

- explain consequences of refusal to provide personal data;

- publish or otherwise ensure unrestricted access to the document defining its personal data processing policy and implemented protection requirements;

- take necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, and other unlawful actions;

- respond to requests and appeals from personal data subjects, their representatives, and the authorized body for personal data subjects' rights protection.