REGULATION
Ltd "NEVA-International"
on the Processing of Personal Data

dated May 20, 2020
as amended on June 1, 2025
(The current version of the Regulation is approved by the General Director of LLC "NEVA-International")

Ltd "NEVA-International,"
TIN 7820065840, KPP 782001001, OGRN 1187847161314
Address: 196140, St. Petersburg, Shushary settlement, Petersburg Highway, Building 64, Block 1, Letter A, Part of Premises 925 

1. Purpose and Scope of the Regulation

1.1. This Regulation of Limited Company "NEVA-International" (hereinafter referred to as the "Company") has been developed in accordance with the legislation of the Russian Federation regarding the processing of personal data. It defines the Company's position on the processing and protection of personal data to ensure and protect the rights and freedoms of every individual, particularly the right to privacy, personal and family secrets, and the protection of honor and good name.

1.2. The Regulation is strictly followed by the managers and employees of all structural divisions, as well as all representatives acting on behalf of the Company.

1.3. The Regulation applies to all personal data of subjects processed by the Company, both with and without the use of automation tools.

1.4. The Company periodically updates this Regulation and reserves the right to unilaterally amend its terms at any time. The Company recommends regularly checking the content of this Regulation for possible changes. In all other matters not provided for in this Regulation, the Company is guided by the provisions of the current legislation of the Russian Federation. 

2. Terminology

2.1. Personal Data — any information relating directly or indirectly to an identified or identifiable individual (personal data subject). Such information may include, but is not limited to: full name, year, month, date, and place of birth, address, information about marital, social, and property status, education, profession, income, and other information that allows identifying the personal data subject.

2.2. Processing of Personal Data — any action (operation) or a set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.

2.3. Personal Data Subject — an individual whose personal data is being processed.

2.4. Operator — a person who, independently or jointly with others, organizes and/or carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data. For the purposes of this Regulation, the Company, when processing personal data, acts as the operator unless otherwise explicitly stated in the Regulation.

2.5. Processor — any person who, under a contract with the operator, processes personal data on behalf of the operator, acting on behalf of and/or in the interests of the operator when processing personal data. The operator is responsible to the personal data subject for the actions or inactions of the processor. The processor is responsible to the operator.

2.6. Cookies — files containing certain information that are downloaded to the user's device (PC, smartphone, etc.) while browsing a web page.

2.7. Other terms used in this Regulation are interpreted in accordance with the meanings defined by the current legislation of the Russian Federation unless otherwise explicitly stated in the Regulation. 

3. Procedure and Conditions for Processing Personal Data

3.1. The processing and ensuring the security of personal data in the Company are carried out in accordance with the requirements of the Constitution of the Russian Federation, Federal Law No. 152-FZ "On Personal Data," subordinate acts, as well as other documents of the Government of the Russian Federation and Roskomnadzor of Russia.

3.2. The Company understands the security of personal data as the protection of personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other unlawful actions concerning personal data. The Company takes the necessary legal, organizational, and technical measures to protect personal data.

3.3. When processing personal data, the Company adheres to the following principles:

• Legality and fairness;
• Limitation of personal data processing to achieving specific, pre-defined, and lawful purposes;
• Prohibition of processing personal data incompatible with the purposes of collecting personal data;
• Prohibition of combining databases containing personal data processed for purposes incompatible with each other;
• Ensuring the accuracy, sufficiency, and relevance of personal data concerning the purposes of processing;
• Ensuring transparency of personal data processing: the personal data subject may be provided with relevant information regarding the processing of their personal data;
• Storing personal data in a form that allows identifying the personal data subject no longer than required for the stated purposes of personal data processing.

3.4. The Company processes personal data in the following cases:

• Conducting activities related to the preparation and organization of exhibitions, conferences, forums, symposiums, and other public events, both independently and in cooperation with partners, as well as receiving (online and offline) applications, questionnaires, and other documents containing personal data via the Internet as the owner of relevant websites and online services for conducting the aforementioned events;
• Managing and regulating labor and other directly related relationships of the Company;
• Conducting the Company's regular business activities as a legal entity.

Specific conditions for processing, including the purposes of processing personal data, categories of personal data subjects, as well as categories and lists of processed personal data, depend on the specific case and purpose of personal data processing.

3.5. The Company processes personal data under at least one of the following conditions for the following periods:

• With the consent of the personal data subject for the processing of their personal data: for the duration of the consent provided for the processing of personal data;
• To achieve purposes stipulated by an international treaty of the Russian Federation or by law, to perform and fulfill the functions, powers, and obligations imposed on the operator by the legislation of the Russian Federation: for the period established by the relevant international treaties or laws;
• When processing personal data that must be published or disclosed in accordance with federal law: for the period established by the relevant laws;
• To execute a court decision, an act of another authority, or an official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings: for the period necessary to execute the relevant act;
• In connection with the participation of an individual in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitration courts: for the duration of participation in the relevant proceedings, including the periods for appealing (challenging) court decisions, unless a longer period for processing personal data is established by the current legislation of the Russian Federation;
• To execute a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as to conclude a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor: for the duration of such a contract, unless a longer period for processing personal data is established by the current legislation of the Russian Federation or the contract;
• To protect the life, health, or other vital interests of the personal data subject if obtaining the consent of the personal data subject is impossible: until the moment when obtaining the consent of the personal data subject becomes possible or when the relevant grounds threatening life, health, or other vital interests cease to exist (whichever occurs first);
• To exercise the rights and legitimate interests of the operator or third parties, provided that the rights and freedoms of the personal data subject are not violated: for the period necessary to exercise rights and ensure legitimate interests.

The specific period is determined by the Company, taking into account the measures outlined in this Regulation, internal documents, and local regulatory acts of the Company, as well as the principles of personal data processing and the requirements of the current legislation of the Russian Federation, including the termination of personal data processing upon achieving specific, pre-defined, and lawful purposes of such processing.

3.6. The Company has the right to entrust the processing of personal data to Processors under contracts concluded with them. This means that the Company transfers part of its functions to a designated person, who acts on behalf of or in the interests of the Company.

The Company engages such persons based on its own decision when it deems it necessary and appropriate for better achieving the required results and ensuring the quality of services provided to third parties.

Processors are required to comply with the principles and rules for processing personal data as stipulated by Federal Law No. 152-FZ "On Personal Data," other laws, and subordinate acts. For each processor, the contract will specify:

• The list of personal data to be processed;
• The purposes of processing;
• The list of actions (operations) to be performed with personal data by the processor;
• The processor's obligations to maintain confidentiality and ensure the security of personal data during processing, as well as the list of measures the processor must take to protect the personal data they process, including the requirement to notify the Company of any incidents involving personal data;
• The obligation to provide the Company, upon request, during the term of the processing assignment, with documents and other information confirming the measures taken and compliance with the requirements established by Federal Law No. 152-FZ "On Personal Data."

The processor is not required to obtain the consent of the personal data subject for processing their personal data. If obtaining the consent of the personal data subject is necessary for processing personal data on behalf of the Company, such consent is obtained directly by the Company.

3.7. If there are legal grounds established by the legislation of the Russian Federation, the Company has the right to transfer personal data to third parties without assigning them the processing of personal data.

Such parties may include, for example, banks conducting settlements with the Company's counterparties, carriers and freight forwarders delivering goods in accordance with their rules, the Company's counterparties to whom the Company transfers data of its representatives' powers of attorney, government authorities requesting personal data within their competence, and others.

3.8. In cases where a specific party to whom the Company transfers personal data, including without assigning the processing of personal data, is foreign and the transfer is carried out outside the Russian Federation, the Company conducts cross-border transfers of personal data. Such transfers are carried out by the Company if there is a legal basis for processing personal data and upon notification of Roskomnadzor in the manner prescribed by Article 22 of Federal Law No. 152-FZ "On Personal Data."

3.9. Unless otherwise provided by the legislation of the Russian Federation, the Company ceases processing personal data (for any of the stated purposes) and destroys it in the following cases:

• Liquidation of the Company;
• Reorganization of the Company resulting in the termination of its activities;
• Absence of legal grounds for processing personal data and/or achieving the purposes of personal data processing.

The specific procedure for destroying personal data on media, including external/removable electronic media, paper media, and in personal data information systems, is determined by the Company in its internal documents and local regulatory acts.

3.10. In some cases, as described below, the Company collects and processes personal data automatically using software on the Company's websites and online services. For working with such data, the Company uses cookies.

Cookies allow websites to recognize user devices, determine user preferences, and collect statistics on how users interact with websites to improve the user experience or fix various errors or bugs that may occasionally occur. The list of purposes for which cookies are necessary is not exhaustive and depends on the specific website the user visits or otherwise uses.

The Company's websites may use the following types of cookies: technical, analytical, preference, and marketing cookies.

Users can also independently restrict or completely disable the installation of cookies through their web browser settings. However, without the use of technical cookies, the Company's websites and online services may not function correctly, and some of their features may be unavailable.

The Company, when using cookies, does not aim to identify specific users of the Company's websites and online services.

3.11. When processing personal data, the Company:

• Takes the necessary and sufficient measures to ensure compliance with the requirements of the legislation of the Russian Federation, internal documents, and local regulatory acts of the Company in the field of personal data;
• Implements legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other unlawful actions concerning personal data;
• Appoints a person responsible for organizing the processing of personal data within the Company;
• Issues internal documents defining the Company's policy (including this Regulation) regarding the processing of personal data, local acts on personal data processing issues, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, and eliminating the consequences of such violations;
• Familiarizes employees of the Company, its branches, representative offices, and structural divisions directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation, internal documents, and local regulatory acts of the Company in the field of personal data, including requirements for the protection of personal data, and provides training for these employees;
• Conducts regular mandatory training for its employees on personal data issues;
• Conducts internal control and/or audits to ensure compliance with the processing of personal data with the requirements of the legislation of the Russian Federation, regulatory legal acts adopted in accordance with it, other requirements for the protection of personal data, this Regulation, internal documents, and local regulatory acts of the Company in the field of personal data;
• Ceases the processing of personal data and destroys it in cases provided for by the legislation of the Russian Federation;
• Performs other actions provided for by the legislation of the Russian Federation in the field of personal data.

4. Rights of the Personal Data Subject

An individual whose personal data is processed by the Company has the following rights:

• The right to withdraw previously given consent for the processing of personal data;
• The right to receive information regarding the processing of personal data;
• The right to request the correction, blocking, or destruction of their personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as to request the cessation of personal data processing if the purpose of such processing has been achieved by the Company.

If a different procedure for interaction between the Company and the personal data subject is not provided for by the relevant document between them (e.g., a contract or the text of consent for the processing of personal data), to exercise these rights, the personal data subject must submit a statement to the Company:

• In written form, signed with a handwritten signature, to the address: 196140, St. Petersburg, Shushary settlement, Petersburg Highway, Building 64, Block 1, Letter A, Part of Premises 925;
• In the form of an electronic document signed with an electronic signature, to the email address: a.vasilchenko@nevainter.com.

Such a statement must necessarily include a description of the personal data subject's requirements, as well as the following information:

• Full name of the personal data subject;
• The number of the main document identifying the personal data subject or their representative, information about the date of issuance of the specified document, and the issuing authority, OR other data allowing the unambiguous identification of the personal data subject;
• Information confirming the personal data subject's participation in relations with the Company, or information otherwise confirming the fact of the Company's processing of personal data;
• The signature of the personal data subject or their representative.

The personal data subject also has the right to appeal actions (inactions) and decisions of the Company that violate their rights during the processing of personal data to the authorized body for the protection of the rights of personal data subjects (Roskomnadzor) and to the court in the manner prescribed by the legislation of the Russian Federation.

5. List of Processed Personal Data

5.1. For the purpose of conducting activities related to the preparation and organization of exhibitions, conferences, forums, symposiums, and other public events, both independently and in cooperation with partners, as well as receiving (online and offline) applications, questionnaires, and other documents containing personal data via the Internet as the owner of relevant websites and online services for conducting the aforementioned events:

5.1.1. Participation, attendance, and registration for events such as exhibitions, conferences, forums, symposiums, and other public events organized and conducted by the Company, both independently and in cooperation with partners, as well as receiving (online and offline) applications, questionnaires, and other documents containing personal data (Subjects: participants (representatives of participants) of events organized and conducted by the Company, both independently and in cooperation with partners):

• User ID (if applicable);
• Full name;
• Place of work (TIN and company name, legal form, brand name, company activity field, etc.);
• Information about the position held (job title, information about authority to conclude contracts, ability to exercise authority without a power of attorney or based on a power of attorney, name and position of the manager, etc.);
• Contact information (phone number, company address, email address, personal phone number (landline, mobile), etc.);
• Information about ordered services or exhibition space, or information about the desire to order certain services or exhibition space (including the number of spaces, volume, number of square meters, location or other identifier of the exhibition space, event name, connected subscriptions, and other information necessary for participation in the event);
• Information about participation in previous events organized and conducted by the Company, both independently and in cooperation with partners;
• Information about consent to receive informational or promotional mailings, electronic tickets, and other information related to events organized and conducted by the Company, both independently and in cooperation with partners;
• Other data voluntarily provided by individuals to the Company (as part of filling out information in personal accounts on the Websites or other services of the Company) – for example, gender and age;
• Information collected through metric programs, including technical information about user devices and identifiers (cookies, device geolocation, metadata, etc.).

5.1.2. Use, including visiting, of the Company's websites and corresponding mobile applications (hereinafter collectively referred to as the "Websites"), as well as other services of the Company in accordance with the provided functionality, including registration and authorization on the Websites and such services (Subjects: Users of the Company's Websites and other services):

• User ID (if applicable);
• Full name;
• Contact information (phone number, email address, nicknames, or IDs in messengers, social networks, etc.);
• Information about the use of the functionality of the Websites or other services of the Company (e.g., purchased services, connected subscriptions, etc.);
• Other data voluntarily provided by individuals to the Company (as part of filling out information in personal accounts on the Websites or other services of the Company) – for example, gender and age;
• Information collected through metric programs, including technical information about user devices and identifiers (cookies, device geolocation, metadata, etc.).

5.1.3. Sending advertisements (Subjects: recipients of advertisements who have previously expressed their consent):

• User ID (if applicable);
• Full name;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Other data voluntarily provided by individuals to the Company (as part of expressing consent to receive advertisements) – for example, specific preferences and interests for personalizing received advertisements;
• Information collected through metric programs, including technical information about user devices and identifiers (cookies, device geolocation, metadata, etc.).

5.1.4. Organization and conduct of promotions, contests, and events by the Company, including the subsequent awarding of prizes and payment of rewards to winners (Subjects: participants in promotions, contests, and events who have expressed consent):

• User ID (if applicable);
• Full name;
• Prize delivery address (in case of winning);
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Bank details for transferring rewards (in case of winning);
• Other data in accordance with the terms of promotions and contests (if necessary).

5.1.5. Quality control of the use of the Company's Websites and other services, as well as the collection of statistics and other analytics regarding the Company's Websites and other services (Subjects: Users of the Company's Websites and other services):

• User ID (if applicable);
• Full name;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Information about the use of the functionality of the Websites or other services of the Company (e.g., purchased services, connected subscriptions, etc.);
• Other data voluntarily provided by individuals to the Company (as part of using the Company's Websites and other services) – for example, feedback on the use of the Company's Websites or other services;
• Information collected through metric programs, including technical information about user devices and identifiers (cookies, etc.).

5.2. For the purpose of managing and regulating labor and other directly related relationships of the Company:

5.2.1. Maintaining personnel records, including the formation, maintenance, and storage of employee personal files, employment records, and other personnel documents, as well as maintaining military and migration records within the Company (Subjects: employees, former employees, close relatives of employees, including former employees):

• Full name;
• Gender;
• Age;
• Date and place of birth;
• Passport details or other identity document details;
• Citizenship;
• Taxpayer Identification Number (TIN), Insurance Number of Individual Ledger Account (SNILS);
• Photograph;
• Bank details;
• Information contained in migration records documents;
• Address of registration at the place of residence and actual residence address;
• Contact information (phone number, fax, email address, postal address);
• Information about education, details of education documents, qualifications, professional training, information about advanced training, and other similar data;
• Marital status, information about family composition and close relatives, which may be required by the Company, including but not limited to providing the employee with benefits under labor and tax legislation of the Russian Federation;
• Information about military registration and information contained in military registration documents (for individuals subject to military registration);
• Information contained in the employment record, information about work experience, previous places of work, and income from previous places of work;
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Information about income at the Company;
• Information about business and other personal qualities of an evaluative nature;
• Biographical information;
• Information about temporary incapacity for work and health status;
• Other data voluntarily provided by the employee, including former employees, to the Company – for example, information about individual achievements for inclusion in the employment record.

5.2.2. Compliance with and fulfillment of the requirements of the current labor legislation of the Russian Federation, such as calculating and paying wages, making other payments due under labor legislation, granting leave, sending on business trips, imposing disciplinary or material liability, etc. (Subjects: employees):

• Full name;
• TIN, SNILS;
• Citizenship;
• Bank details;
• Passport details or other identity document details, including those outside the Russian Federation (for international business trips);
• Information about education, details of education documents, qualifications, professional training, information about advanced training, and other similar data;
• Address of registration at the place of residence and actual residence address;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Information contained in the employment record, information about work experience, previous places of work, and income from previous places of work;
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Information about income at the Company;
• Information about income from previous places of work;
• Information about travel documents, hotel bookings, and other information required for organizing business trips;
• Information about business and other personal qualities of an evaluative nature;
• Biographical information;
• Information about temporary incapacity for work and health status;
• Other data voluntarily provided by the employee to the Company – for example, information about specific life circumstances that serve as the basis for payments due under labor legislation.

5.2.3. Monitoring the quantity and quality of work performed (Subjects: employees):

• Full name;
• Contact information (phone number, fax, email address, postal address);
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Time of arrival/departure to the workplace (or off-site events organized by the Company);
• Information about business and other personal qualities of an evaluative nature;
• Biographical information.

5.2.4. Providing various guarantees, benefits, and compensations (Subjects: employees):

• Full name;
• Gender;
• Age;
• Date and place of birth;
• Citizenship;
• Passport details or other identity document details;
• Address of registration at the place of residence and actual residence address;
• Contact information (phone number, fax, email address, postal address);
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Biographical information.

5.2.5. Communication with employees and organization of internal communications, including via email, telephone, and messengers, as well as inclusion of employees in the Company's internal directories (Subjects: employees):

• Full name;
• Gender;
• Age;
• Date of birth;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Information about business and other personal qualities of an evaluative nature;
• Biographical information;
• Photograph.

5.2.6. Sending employees for any type of training, both within the Company and to external organizations, platforms, and resources providing relevant services (Subjects: employees):

• Full name;
• Gender;
• Age;
• Date and place of birth;
• Citizenship;
• Passport details or other identity document details;
• Address of registration at the place of residence and actual residence address;
• Contact information (phone number, fax, email address, postal address);
• Details of education documents, qualifications, professional training, information about advanced training, and other similar data;
• TIN, SNILS;
• Information about hiring, transfers, dismissals, and other events related to the employee's work activities at the Company;
• Biographical information.

5.2.7. Inclusion in the personnel reserve, including subsequent notification about open vacancies and career events (Subjects: employees, former employees, candidates for vacant positions):

• Full name;
• Gender;
• Age;
• Date of birth;
• Citizenship;
• Address of registration at the place of residence and actual residence address;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Details of education documents, qualifications, professional training, information about advanced training, and other similar data;
• Information about work experience, previous places of work;
• Information about hiring, transfers, dismissals, and other events related to work activities at the Company (if applicable);
• Information about income at the Company (if applicable);
• Information about business and other personal qualities of an evaluative nature;
• Biographical information.

5.2.8. Processing information (resumes) of candidates for employment (Subjects: candidates for vacant positions at the Company):

• Full name;
• Gender;
• Age;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Other data voluntarily provided by the candidate to the Company and contained in the resume.

5.3. For the purpose of conducting the Company's regular business activities as a legal entity:

5.3.1. Conclusion, execution, and termination of other civil law contracts with third parties (Subjects: individuals who are parties to civil law contracts):

• Full name;
• Date of birth;
• Citizenship;
• Contact information (phone number, email address, nicknames in messengers, social networks, etc.);
• Address of registration at the place of residence and actual residence address;
• TIN;
• SNILS;
• Bank details;
• Registration number as an individual entrepreneur and other data contained in the Unified State Register (USR) and other open (public) registers (if the individual is also an individual entrepreneur);
• Other data in accordance with the terms of the contracts (if necessary).

5.3.2. Conclusion, execution, and termination of other contracts, such as service and work contracts, lease agreements, contractor agreements, agency agreements, commission agreements, civil law contracts with third parties, and other contracts provided for by the Civil Code of the Russian Federation (Subjects: representatives of the parties to the contracts):

• Full name;
• Position;
• Contact information (phone number, email address, etc.);
• Details of powers of attorney.

5.3.3. Verification of the reliability of individuals with whom the Company intends to establish business relations, for example, to conclude a civil law contract (Subjects: individuals with whom the Company intends to establish business relations):

• Full name;
• Citizenship;
• Contact information (phone number, email address, nicknames, and IDs in messengers, social networks, etc.);
• Passport details or other identity document details;
• Address of registration at the place of residence and actual residence address;
• Registration number as an individual entrepreneur and other data contained in the Unified State Register (USR) and other open (public) registers (if the individual is also an individual entrepreneur or self-employed);
• Information about the application of special tax regimes (if the individual is also an individual entrepreneur or self-employed);
• Actual place of entrepreneurial activity (if such activity is conducted);
• Bank details (if the planned business relationship is of a remunerative nature);
• Other data requested/received by the Company and provided/disclosed as part of the reliability verification.

5.3.4. Organization of access control and internal security measures, ensuring the safety of visitors on the Company's premises (Subjects: visitors to the Company's premises, including employees of the Company):

• Full name;
• Passport details or other identity document details;
• Contact information (phone number, email address);
• Photo and video images of the subject.

5.3.5. Issuance of powers of attorney to representatives of the Company (Subjects: potential representatives of the Company, including employees of the Company):

• Full name;
• Position (for employees of the Company);
• Passport details or other identity document details;
• Contact information (phone number, email address);
• Other information to be included in the power of attorney in accordance with its terms.

5.3.6. Compliance with and fulfillment of other requirements of the current legislation of the Russian Federation, such as conducting accounting and tax reporting, organizing document management, archiving documents, submitting relevant information to government authorities, complying with the requirements and instructions of government authorities, executing court decisions, handling claims from rights holders, and responding to inquiries from personal data subjects, consumers, etc. (Subjects: all categories of personal data subjects as specified above, to the extent that the relevant requirements of the legislation of the Russian Federation apply to them (e.g., storing personal data as part of a contract for accounting purposes, as well as other personal data subjects interacting with the Company within the stated purpose (e.g., responding to a rights holder's claim))):

• All personal data related to a specific category of personal data subjects, as specified above, to the extent that the relevant requirements of the legislation of the Russian Federation apply to them;
• Other data voluntarily provided by personal data subjects to the Company – for example, as part of a relevant request or claim. 

6. Requirements for the Protection of Personal Data

6.1. When processing personal data, the Company takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other unlawful actions concerning personal data. The Company regularly reviews and updates the measures taken to ensure the best protection of processed personal data. These measures are described in this Regulation, internal documents, and local regulatory acts of the Company. 

7. Requirements for the Storage of Personal Data

7.1. The storage of personal data is carried out in accordance with the written consent of the personal data subject and for the period established in compliance with the requirements of the current legislation of the Russian Federation.

7.2. The storage of personal data is carried out no longer than required for the purposes of processing personal data. Processed personal data must be destroyed or anonymized upon achieving the purposes of processing or if the need to achieve these purposes is lost (e.g., deletion of the personal data subject's account).

7.3. The storage of personal data with different processing purposes must be carried out separately within the information system or, if stored on physical media, within the structure of the relevant department's files.

7.4. An employee of the Company who has access to personal data in connection with their job responsibilities ensures the storage of information containing personal data in a manner that prevents access by third parties.

If the employee is absent from their workplace, no documents containing personal data should be left at their workstation. When going on vacation, a business trip, or in other cases of prolonged absence, the employee must transfer documents and other media containing personal data to the person assigned by the Company's local act to perform their job responsibilities. If no such person is assigned, the documents and other media containing personal data must be transferred to another employee with access to personal data as directed by the head of the relevant structural division of the Company.

Upon the dismissal of an employee with access to personal data, documents and other media containing personal data must be transferred to another employee with access to personal data as directed by the head of the structural division and with notification to the person responsible for personal data processing. 

8. Control and Responsibility for Violations or Non-Compliance with this Regulation

8.1. Control over the implementation of this Regulation is assigned to the head of the Company.

8.2. Individuals who violate or fail to comply with the requirements of this Regulation are subject to disciplinary, administrative, or criminal liability.

8.3. Heads of the Company's structural divisions are personally responsible for ensuring that their subordinates fulfill their obligations.

9. Other Provisions

9.1. This Regulation comes into force on the date of its approval. Amendments to the Regulation come into force on the date of approval of the new version, as indicated in the updated version.

9.2. All employees of the Operator who are granted access to personal data must familiarize themselves with this Regulation before beginning work with personal data.

*This document has been translated from Russian. In the event of any discrepancies or conflicts between the Russian and English versions of the document, the original Russian version of the document, published on the website https://www.nevainter.com/, shall prevail.