1. Purpose and scope of application

This Personal Data Processing Policy (hereinafter the "Policy") has been developed pursuant to Article 18.1 of Federal Law 152-FZ "On Personal Data", the requirements of the Constitution of the Russian Federation, the Council of Europe Convention on the Protection of Individuals with regard to Automated Personal Data Processing, international treaties to which the Russian Federation is a party, federal laws, and other regulations of the Russian Federation concerning personal data.

This Policy shall apply to relations involving the processing and security assurance of sensitive data that may be qualified as personal data pursuant to the legislation of the Russian Federation (hereinafter "Personal Data, PD").

This Policy determines ground rules, objectives, procedure, and terms of processing Personal Data of employees of JSC CTC Metallokonstruktsiya (hereinafter the "Company") and other subjects whose Personal Data is processed by the Company. This Policy sets forth provisions concerning liability of the Company and its employees for violation of personal data processing legislation.

This Policy is a public document available on the Company’s official website. This Policy shall not apply to relations arising out of:

  • Storage, arrangement, recording, and use of documents that contain personal data and are qualified as archival documents in accordance with the archiving legislation of the Russian Federation,
  • Processing of personal data classified as information which constitutes state secrets pursuant to the established procedure.

All the Company employees shall follow this Policy.

2. Terms and abbreviations

PD means Personal Data

PDIS means Personal data information systems

UA means Unauthorized access

3. Personal Data processing principles

The Company shall process PD in accordance with the following principles:

  1. PD shall be processed lawfully and fairly
  2. PD may only be processed for specific, pre-defined, and legal purposes
  3. The Company shall only process PD in compliance with personal data collection purposes
  4. The Company shall separate databases that contain PD to be processed for purposes incompatible with each other
  5. The Company shall only process PD in compliance with its processing purposes
  6. Content and scope of PD to be processed shall meet the stated processing purposes
  7. PD to be processed shall not be in excess of the stated processing purposes
  8. PD processing shall ensure PD accuracy, sufficiency, and, if necessary, relevance with respect to PD processing purposes
  9. Necessary steps shall be taken to remove or update incomplete or inaccurate PD
  10. PD shall be stored in a form that allows for PD subject identification and only as long as is needed for PD processing purposes, unless the period of PD storage is established by a federal law or an agreement to which a PD subject is a party or under which PD subject is a beneficiary or a guarantor
  11. PD shall be destroyed or depersonalized upon achievement of processing purposes or when achievement of such purposes is no longer required, unless otherwise stipulated by the federal law.

4. Personal Data processing objectives

The Company shall process personal data in order to carry out its activities pursuant to the legislation of the Russian Federation and the Company’s Articles of Association.

5. Categories of Personal Data subjects

The Company shall process PD (using or without automation tools) of the following subjects:

  • Applicants for positions within the Company
  • The Company employees and their family members (spouses and close relatives)
  • The Company former employees
  • Persons that have pre-contractual relations with the Company, or are parties to civil agreements with the Company, or have already fulfilled their obligations under the same
  • Persons doing an internship (being on probation) in the Company
  • The Company shareholders
  • The Company counterparties represented by individual entrepreneurs, their employees, founders, directors, representatives (persons acting under powers of attorney) and by employees of legal entities that have or had contractual relations with the Company or wish to enter into agreements with the Company
  • The Company office visitors
  • Other persons if their PD is to be processed for the Company to achieve the purposes specified in Section 4 hereof.

6. Personal Data categories

The Company shall process PD of the following categories:

  • General PD (other PD) that do not fall into special personal data categories, biometric personal data, or publicly available personal data
  • Biometric PD
  • Publicly available PD

7. List of persons who arrange and take part in PD processing and security

The Company has appointed a person responsible for PD processing arrangement.

The Company has appointed a person responsible for PD and PD information system security.

The Company has appointed persons responsible for PD processing arrangement within business units.

The Company employees take part in PD processing within the scope of their job duties.

8. PD Processing and security

8.1 PD processing and processing termination procedure

The Company may process PD in the following cases:

  • PD may be processed with the consent of PD subject
  • PD processing is required to perform an agreement to which PD subject is a party or under which PD subject is a beneficiary or a guarantor, including the event when the processor exercises its right to assign rights (claims) under such agreement, as well as to enter into an agreement at the initiative of PD subject or an agreement under which PD subject shall be a beneficiary or a guarantor.
  • PD processing is required to exercise rights or legitimate interests of the processor or third parties, or achieve socially significant objectives, provided that no PD subject’s rights and liberties are infringed thereby.
  • PD is processed for statistical or other research purposes, subject to mandatory PD depersonalization, with the exception of PD processing for the marketing of goods, work, services by directly contacting potential consumers using communication tools, as well as for political agitation.
  • PD subject authorized access to such PD or made such PD available to general public
  • PD is subject to publishing or mandatory disclosure pursuant to federal law
  • The Company may also process PD in other cases stipulated by federal legislation.

The Company may only include PD subjects into publicly available PD sources as required by the federal legislation or upon receipt of PD subject’s written consent.

The Company shall carry out cross-border transmission of employees’ PD for the purpose of fulfillment of contractual obligations by counterparties only upon PD subject’s written consent.

The Company shall not, solely based on automated PD processing, make any decisions that may entail legal consequences for PD subject or otherwise affect its rights and legitimate interests.

Unless otherwise stipulated by the federal law, the Company may only assign PD processing to another person upon the consent of PD subject based on an agreement entered into with that person (hereinafter "Processor’s assignment"). In this case the Company shall oblige the person assigned to process PD to comply with PD processing principles and rules stipulated in the federal law. If the Company assigns PD processing to another person, then the Company shall be liable before PD subject for actions of such person. The person assigned by the Company to process PD shall be liable before the Company.

The Company shall itself, and shall oblige other persons having access to PD, not to disclose PD to third parties and not to disseminate PD without PD subject’s consent, unless otherwise stipulated by the federal law.

The Company shall terminate PD processing in the following cases:

  • Achievement of PD processing purposes
  • Expiration of PD processing term stipulated by the federal legislation, agreement, or PD subject’s consent to its PD processing
  • If PD subject revokes its consent to its PD processing in cases that are compliant with federal legislation requirements.

8.2 Implementing requirements to personal data protection

When processing PD, the Company takes all necessary legal, organizational and technical measures to protect PD from unauthorized or accidental access, destruction, modification, blocking, copying, submission, distribution, and other wrongful acts with respect to PD.

The Company takes the following measures to arrange processing and protection of PD that is processed without using automation tools, including:

  • PD (physical media) storage locations are defined for each PD category, and a list of persons having access to and eligible for PD processing is defined
  • PD (physical media) that are processed for different purposes are stored separately
  • Conditions are observed that ensure PD safety and prevent unauthorized access during physical media storage

information systems are implemented, including:

  • PD safety level when processing in PD information systems is determined
  • Requirements to PD protection in PD information systems are fulfilled in compliance with the defined PD security levels
  • Necessary information protection tools are used
  • Efficiency of PD security measures is assessed before putting PD information system in operation
  • PD machine-readable media are accounted for
  • Unauthorized access to PD is detected, and then relevant measures are taken
  • PD that were modified or destroyed due to unauthorized access are recovered
  • Rules are set for access to PD that are processed in PD information system, and actions concerning PD in PD information system are detected and logged, where necessary
  • PD security measures and PD information system security level are monitored.

9. Policy violation and responsibility

The Company is responsible for personal data processing and protection in compliance with legislation. All the Company employees involved in PD processing are responsible for compliance with this Policy and other internal regulations of the Company relating to PD processing and security.

Any employee who becomes aware of a violation of this Policy or suspects such a violation must report it to a person responsible for organization of PD processing in compliance with procedures adopted in the Company.

Any violations of this Policy and other internal regulations of the Company relating to PD processing and security shall be investigated in compliance with procedures adopted in the Company.

The persons found guilty of violation of existing order and procedures of PD processing and security may be subject to disciplinary, financial, civil, administrative and criminal liability in compliance with the legislation of the Russian Federation.