PRIVACY AND DATA PROTECTION POLICY

The Privacy Policy («Policy») defines the procedure for processing and protection of personal data of various categories of personal data subjects («subjects»), except for employees, dismissed employees and relatives of employees,¹ by Lidings Law Officess, Moscow (INN 7703481068), location: 123112, Moscow, Presnenskaya Naberezhnaya, 6 p. 2, floor 46, room 4614 (the «Law Offices»).

The Privacy Policy may be changed by the Law Offices. The new version of the Privacy Policy comes into force from the moment of its placement in the public domain.

Purposes, categories and bases of personal data processing

The Law Offices may process personal data solely for the purposes for which it was collected or obtained. In particular, the Law Offices may process the following personal data to achieve these purposes:

Purpose of processing	Categories of personal data	Categories of subjects	Processing time	Procedure for destruction
Recruitment and approval of personnel for vacant positions	Applicants: Surname, first name, patronymic Information on work experience Contact information Information from resumes and otherwise additionally communicated to the Law Offices Recommenders: Surname, first name, patronymic Position, place of work Contact phone numbers	Applicants Recommenders	Within 6 months from the date the applicant submits a resume for the vacant position	Removal from IT systems
Employment formalization	Surname, first name, patronymic Paul Date and place of birth Nationality Address of residence Contact phone numbers Contact e-mail addresses Job number Information on work experience Information on marital status (married status) Information about relatives Information on employment preferences Details of the identity document Information on tax registration Information on social insurance Educational background Information on work experience and length of service Information on military duty and military registration Information on social benefits Information on the terms of employment and dismissal from previous jobs	Applicants	Within 6 months from the date of the decision in respect of the applicant, if no contract has been concluded. If a contract has been concluded personal- during the term of validity of the labor contract and 5 years after its termination	Removal from IT systems, destruction of tangible media (shredder and other methods)
Interaction with counterparties, including verification of counterparties, conclusion, execution and termination of contracts, accounting of attracted counterparties, making settlements under contracts, ensuring communication on conclusion, execution and termination of contracts	Surname, first name, patronymic Place of work, position and unit Corporate e-mail address and telephone number Information on powers of attorney issued Information on positions held and participation in companies Other data in contracts and other documents with counterparties	Counterparties, representatives and other employees of counterparties Persons performing functions of management bodies and members of management bodies	During the term of the contract and 5 years after its expiration	Removal from IT systems, destruction of tangible media (shredder and other methods)
Access control and video surveillance in the office	Surname, first name Information on passageways Video image (without sound)	Office visitors	Within 1 week from the date of the office visit	Removal from IT systems
Web site user behavior analytics	Pixel ID and web analytics systems Information from cookies	Web site visitors	Within 12 months of the last visit to the website	Removal from IT systems
Marketing communications direction	Surname, first name, patronymic Contact e-mail addresses, telephone number Place of work and position Distribution channel Other PII collected through web forms	Persons subscribed to the newsletter	Within 5 years from the date of consent	Removal from IT systems
Organization of events, lectures, seminars	Surname, first name, patronymic Contact e-mail addresses, telephone number	Event attendees	Within 1 month of the event	Removal from IT systems
Interaction with customers	Surname, first name, patronymic Place of work and position Contact e-mail addresses, telephone number Details of the power of attorney Details of the identity document	Current and potential customers, representatives and other employees of customers	During the term of the contract with the counterparty and 5 years after its expiration	Removal from IT systems, destruction of tangible media (shredder and other methods)

For these purposes, the Law Offices has the right to enter personal data into information systems, store and process them by any means not contrary to the law. Upon achievement of the purposes of processing or in case of loss of necessity in achievement of these purposes, unless otherwise provided by the legislation or otherwise separately agreed by the parties, the processed personal data shall be destroyed.

The Law Offices does not process biometric data, as well as information concerning race, nationality, political views, religious or philosophical beliefs, intimate life of personal data subjects.

The processing of personal data for the purposes set out above is carried out by the Law Offices on the following lawful bases:

conclusion and execution of a contract to which the subject is a party or a beneficiary or guarantor,
with the subject's consent,
to fulfill the functions and responsibilities assigned to the Law Offices by applicable law,
to exercise the rights and legitimate interests of the Law Offices or third parties or to achieve socially significant goals, provided that the rights and freedoms of the subject are not violated.

Principles of personal data processing

When processing personal data, the Law Offices is governed by Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" («Personal Data Law»).

The Law Offices processes personal data on the basis of the following principles:

processing of personal data is carried out on a lawful and fair basis;
the processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes;
processing of personal data incompatible with the purposes of personal data collection is not allowed;
it is not allowed to merge databases containing personal data processed for incompatible purposes;
Only personal data that meet the purposes for which they are processed are subject to processing;
the content and scope of processed personal data correspond to the stated purposes of processing. The redundancy of processed personal data in relation to the stated purposes of their processing is not allowed;
when processing personal data, the accuracy of personal data, their sufficiency and, where necessary, relevance in relation to the purposes of personal data processing shall be ensured, necessary measures shall be taken to delete or clarify incomplete or inaccurate personal data;
personal data shall be stored in a form that allows identification of the subject or other subject of personal data for no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by federal law, consent to processing, contract to which the subject is a party, beneficiary or guarantor;
processed personal data shall be destroyed when the purposes of processing have been achieved or when it is no longer necessary to achieve these purposes, unless otherwise provided for by federal law;
processing of personal data is not used for the purpose of causing property and/or moral damage to the subjects, impeding the realization of their rights and freedoms.

Use of cookies and other web analytics tools

Cookies are small files that are created and stored by your browser when you visit the Law Offices's websites. Cookies are stored on your device for a maximum of 24 months and allow you to monitor the quality of websites and its usage characteristics, as well as optimize your online marketing activities.

Visiting and using websites by default involves the generation and storage of cookies. However, the user can delete cookies from the device at any time through the settings of the browser used. The user can also refuse to accept cookies, however, all functions of the websites are not guaranteed.

The following types of web analytics tools are used on the website:

Technical and functional cookies	These files, generated by website engines, are used to ensure smooth operation of websites, as well as to memorize user-selected settings (in particular, pop-up banners and memorization of granted consents and permissions).
Marketing and analytical cookies	The Yandex.Metrica service is used to collect and statistically analyze data related to the use of websites. In addition, various pixels of additional services may also be used. The information obtained through the services does not allow identifying users.

Conditions of personal data processing

The Law Offices shall process personal data in accordance with this Policy, the Law Offices's internal regulations and the laws of the Russian Federation.

Processing of personal data is carried out by the Law Offices, as well as other third parties who are engaged by the Law Offices for processing, or to whom personal data is transferred for the specified purposes in accordance with the legislation of the Russian Federation. Such third parties may include, in particular:

the Law Offices's counterparties providing support services for the information systems used, hosting, organization of access control, legal, audit, advertising and information services and other services purchased by the Law Offices for the above purposes;
State/municipal authorities in cases prescribed by law.

The Law Offices has the right to engage third parties to process the received personal data and/or transfer the received data to them, as well as receive data from them for the above purposes without additional consent of the subject, provided that the said third parties ensure confidentiality and security of personal data during processing. Processing of personal data by these third parties with or without the use of automation tools is allowed, as well as any actions on processing of personal data that do not contradict the legislation of the Russian Federation. Processing of personal data by a third party may be carried out only on the basis of an agreement that specifies the list of actions (operations) to be performed with personal data and the purposes of processing, as well as provisions to ensure the security of personal data, including requirements not to disclose and not to disseminate personal data without the consent of the subject, unless otherwise provided for by the legislation of the Russian Federation, as well as requirements in accordance with Article 19 of the Law on Personal Data.

The data collected in cookies by the Yandex.Metrika web analytics system is also processed by the system provider Yandex LLC.

The Law Offices is prohibited from making decisions based solely on automated processing of personal data that give rise to legal consequences with respect to the subject or otherwise affect his or her rights and legitimate interests.

The Law Offices does not place personal data in publicly available sources without a proper legal basis.

If the Law Offices disseminates personal data of subjects to an indefinite number of persons, including on the Law Offices's website, the Law Offices collects the subjects' consent to the processing of personal data authorized by the subject for dissemination in accordance with Article 10.1 of the Personal Data Law. If subjects set additional conditions / prohibitions for further processing of personal data, the Law Offices communicates this information by placing the conditions / prohibitions on the relevant pages of the website where the personal data is disseminated.

Measures to ensure the security of personal data

The Law Offices takes all necessary legal, organizational and technical measures to protect received personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, submission, dissemination of personal data, other unlawful actions in relation to personal data, and complies with the principles and rules of personal data processing provided by the Law on Personal Data and other relevant regulations.

Measures to ensure the security of PD in the Law Offices include, but are not limited to, the following:

record of categories and list of personal data processed in the Law Offices, categories of subjects whose personal data are processed, storage periods and procedure of destruction of such personal data;
accounting of personal data carriers and the Law Offices's information systems where personal data are processed;
determination of the required level of protection of personal data processed in the Law Offices's personal data information systems;
identification of threats to the security of personal data during their processing in information systems;
determination and implementation, prior to the introduction of new personal data processing processes and new personal data information systems, of technical and organizational measures ensuring personal data protection;
implementation and documentation of the assessment of the harm that may be caused to personal data subjects in case of violation of the Law on personal data, the correlation between the said harm and the measures taken by the Law Offices;
establishing rules of access to personal data processed in information systems, as well as ensuring registration and recording of actions performed with personal data in information systems;
use of duly passed conformity assessment procedure for information protection means, if applicable;
detection of unauthorized access to personal data and other incidents, taking measures to eliminate and mitigate the consequences;
recovery of personal data modified or destroyed due to unauthorized access to them;
accounting of positions of the Law Offices's employees whose access to personal data processed both with and without the use of automation tools is necessary for the performance of official (labor) duties;
ensuring that the Law Offices's employees who directly process personal data are familiarized with the provisions of the Russian Federation legislation on personal data, including requirements to personal data protection, this Policy and other local acts of the Law Offices on the issues of personal data processing and protection, training of the Law Offices's employees;
control and assessment of the effectiveness of the applied measures to ensure personal data security before putting into operation of the personal data information system;
regular internal control/audit of compliance of personal data processing and security with the current legislation of the Russian Federation in the field of personal data processing and security.

The Law Offices has appointed a person responsible for organizing the processing of personal data.

Internal documents binding on all employees of the Law Offices, as well as relevant agreements with partners, counterparties and other third parties insofar as they relate to them, define:

procedures for granting access to information;
procedures for amending personal data in order to ensure their accuracy, reliability and relevance, including in relation to the purposes of processing;
the procedure of destruction or blocking of personal data in case it is necessary to perform such a procedure;
procedures of processing of requests and personal data subjects (their legal representatives) for the cases provided for by the Law on personal data, in particular the procedure of preparing information on the availability of personal data related to a particular subject, information necessary to enable the subject (his/her legal representatives) to familiarize with his/her personal data, as well as procedures of processing requests for personal data clarification, blocking or destruction, if they are incomplete, outdated, no
procedures for processing the request of the authorized body for the protection of the rights of personal data subjects;
the procedure for obtaining the consent of the personal data subject to the processing of personal data;
procedures for transferring personal data to third parties;
procedures for handling tangible carriers of personal data;
the procedures necessary to notify the authorized body for the protection of personal data subjects' rights within the terms established by the Law on personal data.

When collecting personal data, the Law Offices ensures collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation.

Rights of personal data subjects and contacts on personal data processing issues

When processing personal data, data subjects have the right to:

request information regarding the processing of their personal data,
to request clarification, destruction or blocking of their personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing,
refuse to process personal data for direct contacts (including for the purpose of promoting goods, works, services), if personal data are processed for such purposes,
revoke the consent to the processing of personal data provided to the Law Offices,
appeal against the Law Offices's actions in administrative or judicial order.

If there are subscriptions to receive informational and promotional communications, in addition to the above methods, the user may request to unsubscribe from such communications by activating the automatic "Unsubscribe" function via a link present in the e-mail containing the communication. In this case, the sending of communications to the e-mail address from which the function was activated will cease.

In case of any questions and requests regarding the processing of personal data, in particular for withdrawal of consent to the processing of personal data, the data subject has the right to apply in the following ways:

by e-mail to moscow@lidings.com, or
send a written appeal to the address: 123112, Moscow, Presnenskaya Naberezhnaya, 6 p. 2, floor 46, room 4614. 4614.

The Law Offices shall respond to the subjects' requests within the time limits established by the legislation of the Russian Federation. If circumstances arise that require additional information to be established, the Law Offices, in cases established by the legislation of the Russian Federation, has the right to extend the deadline for responding to a subject's request by up to 5 business days, provided that a reasoned notice of the reasons for the extension is sent to the subject.

¹ Information on the processing of personal data for other purposes and/or other categories of personal data subjects shall be communicated by the Law Office to the personal data subjects by familiarizing them with other local regulations, in particular the Regulation on Personal Data Processing, available at the Law Office's office or otherwise provided by the Law Office.