Policy Regarding the Processing of Personal Data
LLC "Global Refund"

1. General Provisions

The Policy regarding the processing of personal data of LLC "Global Refund" was developed in accordance with the requirements of Clause 2, Part 1, Article 18.1 of the Federal Law dated July 27, 2006, No. 152-FZ "On Personal Data" and is intended to provide unlimited access to information regarding the processing of personal data, as well as information on the implemented requirements for the protection of personal data.

This Policy describes the procedure for the processing and protection of personal data of individuals for the purposes defined in Section 4.

Personal data belongs to the category of confidential information and is subject to protection against unauthorized as well as accidental access.

2. Basic Concepts in the Field of Personal Data

• Personal data – any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
• Operator – a state body, municipal body, legal entity, or individual who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data.
• Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
• Automated processing of personal data – processing of personal data using computer technology.
• Distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.
• Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons.
• Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).
• Destruction of personal data – actions resulting in the impossibility of restoring the content of personal data in the personal data information system and (or) resulting in the destruction of material carriers of personal data.
• Depersonalization (Anonymization) of personal data – actions resulting in the impossibility of determining the ownership of personal data by a specific subject of personal data without the use of additional information.
• Personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing.
• Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.
• Personal data permitted by the subject of personal data for distribution – personal data to which access by an unlimited circle of persons is provided by the subject of personal data by giving consent to the processing of personal data permitted by the subject of personal data for distribution.

3. Principles and Conditions of Personal Data Processing

The processing of personal data at LLC "Global Refund" is carried out on the basis of the following principles:

• Existence of legal grounds for processing personal data;
• Limitation of personal data processing to the achievement of specific, predetermined, and legitimate purposes;
• Prohibition of merging databases containing personal data, the processing of which is carried out for incompatible purposes;
• Processing only those personal data that meet the purposes of their processing;
• Compliance of the content and volume (prevention of redundancy) of processed personal data with the stated purposes of processing;
• Ensuring the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of personal data processing;
• Storage of personal data is carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of personal data processing, unless the storage period for personal data is established by federal law or a contract to which the subject of personal data is a party, beneficiary, or guarantor.

Processing of personal data at LLC "Global Refund" may be carried out in the following cases:

• Consent of the subject to the processing of their personal data has been obtained;
• Processing of personal data is necessary for the implementation and performance of functions, powers, and duties imposed on the operator by the legislation of the Russian Federation;
• Processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitration courts;
• Processing of personal data is necessary for the execution of a judicial act in accordance with the legislation of the Russian Federation on enforcement proceedings;
• Processing of personal data is necessary for the execution of a contract to which the subject of personal data is a party, beneficiary, or guarantor, as well as for concluding a contract on the initiative of the subject of personal data;
• Processing of personal data is necessary to protect the life, health, or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
• Processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of the subject are not violated;
• Processing of personal data is carried out for statistical or other research purposes, subject to mandatory depersonalization of personal data;
• Processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation is carried out.

4. Purposes of Personal Data Processing

4.1. Recruitment of personnel, including recruitment of personnel (applicants) for vacant positions

• Data categories and list: Surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; social status; gender; email address; residential address; registration address; phone number; SNILS; INN; citizenship; identity document data; profession; position; employment history; education details; information on personal qualities; photograph.
• Categories of subjects: Applicants.
• Special categories: Not processed; Biometric: Not processed.
• Processing methods: Mixed, with transmission over the internal network of the legal entity, with transmission over the Internet.
• Processing term: Until the goal is achieved.
• Storage term: Not provided.
• Destruction procedure: Destruction of personal data is carried out within the terms established by law by means of the information system; documents are destroyed by shredding or burning.

4.2. Personnel records and personnel management

Including execution of labor legislation; assistance to employees in obtaining education and career advancement; implementation of military registration.

• Data categories and list: Surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; social status; income; gender; email address; residential address; registration address; phone number; SNILS; INN; citizenship; identity document data; data of the document proving identity outside the Russian Federation; data contained in the birth certificate; bank card details; profession; position; employment history; attitude to military duty, military registration details; education details; driver's license data; family composition.
• Categories of subjects: Employees; relatives of employees; dismissed employees.
• Processing term: Until the termination of employment relations.
• Storage term: 50 years.
• Destruction procedure: Destruction of personal data is carried out within the terms established by law by means of the information system; documents are destroyed by shredding or burning.

4.3. Ensuring personnel activities

Including issuing business cards; organizing business trips; providing corporate mobile communications; providing corporate taxis.

• Data categories and list: Surname, first name, patronymic; email address; phone number; position; organization; year of birth; month of birth; date of birth; registration address; identity document data.
• Categories of subjects: Employees.
• Processing term: Until the goal is achieved.
• Storage term: Not provided.

4.4. Provision of additional benefits and personnel motivation

Including additional employee insurance.

• Data categories and list: Surname, first name, patronymic; year of birth; month of birth; date of birth; email address; registration address; phone number.
• Categories of subjects: Employees.
• Processing term: Until the goal is achieved.
• Storage term: 5 years.

4.5. Tax and accounting records maintenance

Including maintaining primary documentation; payroll calculation; settlements with personal data subjects; tax and social deductions; due diligence when choosing a counterparty.

• Data categories and list: Surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; email address; registration address; phone number; INN; identity document data; position; organization; bank details; OGRN (for Individual Entrepreneurs); income; bank card details; current account number; personal account number; employment history; marital status; social status; gender; SNILS; citizenship; data contained in the birth certificate; profession; department; information on awards, honorary titles; deduction amounts; information on leaves.
• Categories of subjects: Counterparties; representatives of counterparties; employees; relatives of employees; dismissed employees.
• Processing term: Until the termination of the contract, until the termination of employment relations, until the goal is achieved.
• Storage term: 50 years.

4.6. Implementation of main (business) activity

Including pre-contractual work; conclusion of contracts; provision of services; processing of appeals and communication with subjects; providing access to closed functionality of Internet resources.

• Data categories and list: Surname, first name, patronymic; email address; phone number; position; organization; year of birth; month of birth; date of birth; place of birth; registration address; SNILS; INN; identity document data; current account number; OGRN (for Individual Entrepreneurs); bank details; citizenship; bank card details.
• Categories of subjects: Representatives of counterparties; clients; counterparties; users of Internet services.
• Processing term: Until the goal is achieved, until the termination of the contract.
• Storage term: 5 years.

4.7. Implementation of marketing activities

Including organizing events; promoting goods, works, services in the market by making direct contacts with subjects; user behavior analytics.

• Data categories and list: Surname, first name, patronymic; email address; phone number; position; organization; information collected via metric programs; site visitor "Cookies".
• Categories of subjects: Representatives of counterparties; clients; subscribers; site visitors.
• Processing term: Until the goal is achieved, until the expiration of the consent.
• Storage term: Not provided.

4.8. Ensuring security

Including ensuring the pass regime.

• Data categories and list: Surname, first name, patronymic; organization.
• Categories of subjects: Employees; visitors.
• Processing term: Until the goal is achieved.
• Storage term: 3 years.

5. Personal Data Processing

Personal data is obtained directly from the personal data subject or from another person authorized by the subject to provide their personal data.

When collecting personal data, including via the information and telecommunication network "Internet", the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation is ensured using databases located on the territory of the Russian Federation.

The processing of personal data may be entrusted to a third party with the consent of the personal data subject or on the grounds provided for by the legislation of the Russian Federation.

A person processing personal data on instructions is not required to obtain the consent of the subject for the processing of their personal data.

In case of confirmation of the fact of inaccuracy of personal data, such personal data must be updated within seven working days.

Storage of personal data is carried out in a form that allows determining the subject of personal data, no longer than required by the purposes of personal data processing, unless the storage period for personal data is established by the legislation of the Russian Federation or a contract to which the personal data subject is a party.

Storage of personal data is carried out taking into account the ensuring of their confidentiality regime.

Transfer of personal data to third parties is carried out only with the consent of the personal data subject or in cases provided for by the legislation of the Russian Federation.

Disclosure of personal data to third parties for commercial purposes without the consent of the relevant subject is prohibited.

Processing of personal data for the purpose of promoting goods, works, and services on the market, as well as for the purpose of political agitation, is carried out only subject to the prior consent of the subject.

6. Distribution of Personal Data

Processing of personal data permitted by the subject of personal data for distribution is carried out taking into account the requirements provided for by the legislation of the Russian Federation on personal data.

The subject gives consent to the processing of personal data permitted for distribution separately from other consents of the personal data subject to the processing of their personal data.

In the event that the subject independently discloses their personal data to an indefinite circle of persons using the functionality of the Internet site or service of LLC "Global Refund" without providing appropriate consent, further distribution by other operators of personal data is possible only on the basis of the consent of the relevant subject to the processing of personal data permitted for distribution.

In the consent to the processing of personal data permitted by the personal data subject for distribution, the personal data subject has the right to establish prohibitions on the transfer (except for granting access) of these personal data by the operator to an unlimited circle of persons, as well as prohibitions on processing or conditions for processing (except for obtaining access) of these personal data by an unlimited circle of persons.

7. Procedure for Interaction with Personal Data Subjects

Any subject whose personal data is processed at LLC "Global Refund" has the right to access their personal data, including the following information:

• confirmation of the fact of personal data processing;
• legal grounds and purposes of personal data processing;
• purposes and applied methods of personal data processing;
• name and location of the operator, information about persons (excluding employees of the operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of the legislation of the Russian Federation;
• list of processed personal data relating to the relevant subject and the source of their receipt;
• terms of personal data processing and terms of their storage;
• procedure for the subject to exercise rights provided for by the legislation of the Russian Federation;
• information on completed or intended cross-border data transfer;
• name of the person processing personal data on the instruction of the operator, if the processing is entrusted to a third party;
• information on the methods of the operator's fulfillment of duties established by Article 18.1 of Federal Law No. 152-FZ "On Personal Data".

LLC "Global Refund" provides the information specified in clause 7.1 within ten working days from the date of receipt of the request from the subject or their legal representative in the form in which the corresponding request was received (unless otherwise specified in the request).

The response to the request should not contain personal data relating to other personal data subjects, unless there are legal grounds for disclosing such personal data.

The term for responding to a request may be extended, but not more than by five working days, in the event that the operator sends a motivated notification to the subject indicating the reasons for extending the term for providing the requested information.

The request of the subject or their representative must contain:

• number of the main document proving the identity of the subject or their representative;
• information on the date of issue of the specified document and the issuing authority;
• information confirming the participation of the subject in relations with LLC "Global Refund" (contract number, date of conclusion of the contract, or other information), or information otherwise confirming the fact of personal data processing by LLC "Global Refund";
• signature of the personal data subject or their representative.

The subject has the right to repeatedly apply to LLC "Global Refund" with a request for information specified in clause 7.1 not earlier than thirty days after the initial appeal or sending of the initial request.

The subject has the right to demand clarification of their personal data, their blocking or destruction in the event that the personal data processed at LLC "Global Refund" is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing.

The subject has the right to withdraw their consent to the processing of personal data, if such was given.

The withdrawal of consent is sent by the subject to the address of LLC "Global Refund" and must contain the information specified in clause 7.3.

In the event of withdrawal by the subject of consent to the processing of personal data, LLC "Global Refund" has the right to continue processing personal data without the consent of the subject if there are grounds provided for by the legislation of the Russian Federation or a contract to which the personal data subject is a party, beneficiary, or guarantor.

8. Fulfillment of Duties Provided for by Legislation

In order for LLC "Global Refund" to fulfill the duties provided for by the legislation of the Russian Federation on personal data, the following measures are taken:

• appointment of a person responsible for organizing the processing of personal data;
• issuance of documents defining the policy regarding the processing of personal data, local acts on issues of personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, and eliminating the consequences of such violations;
• application of legal, organizational, and technical measures to ensure the security of personal data;
• implementation of internal control over the compliance of personal data processing with the requirements of the legislation of the Russian Federation;
• assessment of the harm that may be caused to personal data subjects in case of violation of the legislation of the Russian Federation;
• familiarization of employees of LLC "Global Refund" with the provisions of the legislation of the Russian Federation and local acts of LLC "Global Refund".

In case of detection of the fact of illegal or accidental transfer (provision, distribution, access) of personal data, entailing a violation of the rights of personal data subjects, LLC "Global Refund" notifies Roskomnadzor:

• within 24 hours from the moment of detection of the incident, about the alleged causes that caused the violation of the rights of personal data subjects, and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the corresponding incident, including information about the person authorized to interact on issues related to the detected incident;
• within 72 hours from the moment of detection, about the results of the internal investigation of the incident, as well as about the persons whose actions became the cause of the incident (if any).

9. Protection of Personal Data

When processing personal data, necessary legal, organizational, and technical measures are taken to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.

In order to ensure the security of personal data at LLC "Global Refund", the following measures are carried out:

• determination of threats to the security of personal data during their processing in information systems;
• application of organizational and technical measures to ensure the security of personal data during their processing in information systems, which ensure the fulfillment of requirements for established levels of protection;
• assessment of the effectiveness of measures taken to ensure the security of personal data processed in personal data information systems;
• accounting of machine carriers of personal data;
• detection of facts of unauthorized access to personal data and response to these incidents;
• recovery of personal data modified or destroyed due to unauthorized access to them;
• establishment of rules for access to personal data processed in personal data information systems;
• registration and accounting of actions performed with personal data in personal data information systems;
• control over the measures taken to ensure the security of personal data in accordance with the established level of personal data protection.

10. Liability

For violation of the requirements established by the legislation of the Russian Federation, the Regulation on the processing and protection of personal data, and other local acts of LLC "Global Refund", employees and other persons who have obtained access to personal data bear disciplinary, administrative, civil-law, and criminal liability in accordance with the legislation of the Russian Federation.

11. Final Provisions

Unlimited access to this policy is provided to all interested parties, including personal data subjects and authorities exercising control and supervisory functions in the field of personal data.

This Policy comes into force from the moment of its approval and operates indefinitely.

Changes to the Policy are made by separate acts of LLC "Global Refund".

12. Details and Contact Information