This Policy is publicly available and shall be posted on the information stand in the Company's office.

The requirements of this Policy are mandatory for all employees of the Company.

The following terms, definitions and abbreviations are used in this document:

Automated Processing of Personal Data

processing of personal data using computer technology.

Blocking of Personal Data

temporary cessation of personal data processing (except for cases where processing is necessary to clarify personal data).

Personal Data Information System (PDIS)

a set of personal data contained in databases and information technologies and technical means ensuring their processing.

Material Carrier of Personal Data

paper, electronic, machine and other information carriers used for reproduction (including copying, downloading, saving, recording) and/or storage of information containing personal data processed in automated form (using computer technology) and non-automated form (without using computer technology).

Depersonalization of Personal Data

actions as a result of which it becomes impossible without the use of additional information to determine the belonging of personal data to a specific personal data subject.

Processing of Personal Data

any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Company

Limited Liability Company "Production Company Izhsintez-Khimprom" (LLC "PC Izhsintez-Khimprom").

Personal Data Operator

a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data. In the context of this Policy, the Company is the personal data operator.

Personal Data (PD)

any information relating to a directly or indirectly identified or identifiable individual (personal data subject).

Potential Client

an individual with whom there are no contractual relations, but information for identification of such individuals is available in the accounting systems of LLC "PC Izhsintez-Khimprom", including for the purpose of concluding contractual relations.

Provision of Personal Data

actions aimed at disclosing personal data to a specific person or a specific circle of persons.

Employee

an individual who has entered into employment relations with LLC "PC Izhsintez-Khimprom".

Dissemination of Personal Data

actions aimed at disclosing personal data to an indefinite circle of persons.

Personal Data Subject (Data Subject)

an individual who is directly or indirectly identified or identifiable by means of personal data.

Cross-Border Transfer of Personal Data

transfer of personal data to the territory of a foreign state to a foreign state authority, foreign individual or foreign legal entity.

Destruction of Personal Data

actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.

This Policy has been developed taking into account the current norms of international law in the field of personal data, including international treaties of the Russian Federation, as well as the provisions of the current legislation of the Russian Federation, including the following regulatory documents:

• Constitution of the Russian Federation of December 12, 1993;
• Labor Code of the Russian Federation No. 197-FZ of December 30, 2001;
• Tax Code of the Russian Federation No. 146-FZ of July 31, 1998;
• Federal Law of the Russian Federation "On Personal Data" No. 152-FZ of July 27, 2006;
• Federal Law of the Russian Federation "On Information, Information Technologies and Information Protection" No. 149-FZ of July 27, 2006;
• Federal Law No. 14-FZ of February 8, 1998 "On Limited Liability Companies";
• Federal Law No. 326-FZ of November 29, 2010 "On Compulsory Medical Insurance in the Russian Federation";
• Federal Law No. 167-FZ of December 15, 2001 "On Compulsory Pension Insurance in the Russian Federation";
• Federal Law No. 27-FZ of April 1, 1996 "On Individual (Personalized) Accounting in the System of Compulsory Pension Insurance";
• Federal Law No. 173-FZ of December 17, 2001 "On Labor Pensions in the Russian Federation";
• Federal Law No. 165-FZ of July 16, 1999 "On the Basics of Compulsory Social Insurance";
• Federal Law No. 402-FZ of December 6, 2011 "On Accounting";
• Federal Law No. 181-FZ of November 24, 1995 "On Social Protection of Disabled Persons in the Russian Federation";
• Federal Law No. 125-FZ of July 24, 1998 "On Compulsory Social Insurance against Industrial Accidents and Occupational Diseases";
• Federal Law No. 115-FZ of August 7, 2001 "On Countering the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism";
• Decree of the President of the Russian Federation No. 188 of March 6, 1997 "On Approval of the List of Confidential Information";
• Decree of the Government of the Russian Federation No. 512 of July 6, 2008 "On Approval of Requirements for Material Carriers of Biometric Personal Data and Technologies for Storing Such Data Outside Personal Data Information Systems";
• Decree of the Government of the Russian Federation No. 1119 of November 1, 2012 "On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems";
• Decree of the Government of the Russian Federation No. 687 of September 15, 2008 "On Approval of the Regulation on the Features of Personal Data Processing Carried Out Without the Use of Automation Means";
• Order of Roskomnadzor No. 179 of October 28, 2022 "On Approval of Requirements for Confirmation of Destruction of Personal Data".

Processing of personal data in the Company is carried out on a lawful and fair basis.

Processing of personal data in the Company is limited to the achievement of specific, predetermined and lawful purposes. The Company does not allow processing of personal data incompatible with the purposes of personal data collection.

When accumulating and processing personal data, the Company does not combine databases containing personal data, the processing of which is carried out for incompatible purposes.

Only personal data that meets the purposes of their processing are subject to processing in the Company.

The Company ensures that the content and volume of processed personal data correspond to the stated purposes of processing. The Company controls that the processed personal data in the Company are not excessive in relation to the stated purposes of their processing.

When processing personal data, the Company ensures the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of personal data processing.

Storage of personal data in the Company is carried out in a form that allows identification of the personal data subject no longer than required by the purposes of personal data processing defined in the Company, unless the storage period for personal data is established by federal law, an agreement to which the personal data subject is a party, beneficiary, guarantor or representative. In this case, the storage period for personal data is limited to the period established by federal law, an agreement to which the personal data subject is a party, beneficiary, guarantor or representative.

In the course of its activities, the Company may provide personal data of personal data subjects to third parties in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data". In this case, a mandatory condition for the provision of personal data to a third party is the obligation of the parties to maintain confidentiality and ensure the security of personal data during their processing.

If the Company entrusts the processing of personal data to another person, the Company shall be liable to the personal data subject for the actions of said person. At the same time, the Company establishes the obligation of persons to whom the Company entrusts the processing of personal data, upon request during the term of the entrustment for personal data processing, including before the processing of personal data, to provide documents and other information confirming that these persons have taken measures and complied with the established requirements for ensuring confidentiality and security of personal data in order to fulfill the Company's entrustment.

Contracts concluded by the Company include conditions regarding the observance of confidentiality and ensuring the security of transferred personal data, as well as other conditions provided for by the legislation of the Russian Federation in the field of personal data processing.

In addition, the Company is obliged to transfer personal data to authorized state authorities of the Russian Federation in cases provided for by the current legislation of the Russian Federation.

In the course of its activities, the Company may carry out cross-border transfer of personal data in accordance with and in the manner determined by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

Before commencing activities on cross-border transfer of personal data, the Company requests from the state authorities of a foreign state, foreign individuals, foreign legal entities to whom cross-border transfer of personal data is planned, the following information:

• information on the measures taken by the state authorities of the foreign state, foreign individuals, foreign legal entities to whom cross-border transfer of personal data is planned, to protect the transferred personal data and on the conditions for termination of their processing;
• information on the legal regulation in the field of personal data of the foreign state, under the jurisdiction of which are the state authorities of the foreign state, foreign individuals, foreign legal entities to whom cross-border transfer of personal data is planned (if it is supposed to carry out cross-border transfer of personal data to state authorities of a foreign state, foreign individuals, foreign legal entities under the jurisdiction of a foreign state that is not a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and not included in the list of foreign states ensuring adequate protection of the rights of personal data subjects);
• information on the state authorities of the foreign state, foreign individuals, foreign legal entities to whom cross-border transfer of personal data is planned (name or surname, first name and patronymic (if any), as well as contact phone numbers, postal addresses and email addresses).

Before commencing activities on cross-border transfer of personal data, the Company notifies the authorized body for the protection of the rights of personal data subjects of its intention to carry out cross-border transfer of personal data in the form provided for by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

After sending the above notification, the Company has the right to carry out cross-border transfer of personal data to the territories of the foreign states specified in such notification, which are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data or provided that the legal norms in force in the respective state and the applied measures to ensure confidentiality and security of personal data during their processing comply with the provisions of the said Convention, as well as in cases where such cross-border transfer of personal data is necessary to protect the life, health, other vital interests of the personal data subject or other persons. In other cases, the Company does not carry out cross-border transfer of personal data until the expiration of the decision-making periods by the authorized body for the protection of the rights of personal data subjects provided for by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

In case the authorized body for the protection of the rights of personal data subjects makes a decision to prohibit or restrict cross-border transfer of personal data, the Company takes measures to ensure the destruction of previously transferred personal data by the state authority of the foreign state, foreign individual, foreign legal entity.

When processing personal data, the Company takes the necessary legal, organizational and technical measures to ensure the security of personal data against accidental or unauthorized access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as against other unlawful actions in relation to personal data, provided for by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and by-laws in the field of personal data protection.

The Company complies with the obligations of the personal data operator established by Articles 18-19 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

The following requirements of the legislation in the field of personal data protection are defined and implemented in the Company:

• requirements for maintaining confidentiality of personal data;
• requirements for the protection of personal data against unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as against other unlawful actions in relation to personal data;
• requirements for the obligation of the Company when collecting personal data, established by Article 18 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

In accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the Company determines the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the legislation in the field of personal data, in particular:

• persons responsible for the processing and protection of personal data have been appointed in the Company;
• threats to the security of personal data during their processing in personal data information systems have been identified;
• measures are carried out to detect facts of unauthorized access to personal data and take appropriate response measures in accordance with the current legislation of the Russian Federation;
• measures aimed at restoring personal data in case of their modification or destruction as a result of unauthorized access to them have been defined;
• accounting of machine carriers of personal data is maintained;
• assessment of the effectiveness of measures taken to ensure the security of personal data is carried out before putting the personal data information system into operation;
• an information protection system for the personal data information system has been developed, taking into account the requirements of by-laws of the Russian Federation in the field of personal data protection and the results of modeling threats and violators of the personal data information system;
• information protection means that have passed the conformity assessment procedure in the prescribed manner are used to neutralize actual security threats;
• local acts on personal data processing issues have been issued in the Company, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation in the field of personal data processing, procedures aimed at eliminating the consequences of such violations;
• employees admitted to the processing of personal data of personal data subjects are familiarized with the requirements established by the current legislation of the Russian Federation in the field of personal data, this Policy, as well as local regulatory acts of the Company and/or training of said employees is conducted;
• proper processing of personal data carried out using automation means has been organized (including the use of certified software, access control to computers, local network, information systems processing personal data, establishment of the procedure for destruction of personal data in information systems);
• proper procedure for working with personal data carried out without the use of automation means has been organized (including the organization of proper storage of documents containing personal data, establishment of the procedure for destruction or depersonalization of personal data processed without the use of automation means);
• access of employees to information containing personal data of personal data subjects is organized in accordance with their official (functional) duties;
• internal control and/or audit of compliance of personal data processing with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, this Policy, local acts of the Company is carried out;
• assessment of the harm that may be caused to personal data subjects in the Company in case of violation of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" is carried out.

Storage of personal data in the Company is carried out in a form that allows identification of the personal data subject no longer than required by the purposes of personal data processing, except for cases where the storage period for personal data is not established by federal law, an agreement to which the personal data subject is a party, beneficiary, guarantor or representative.

When storing personal data, the Company uses databases located on the territory of the Russian Federation, in accordance with Part 5 of Article 18 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".

Processing of personal data in the Company, carried out without the use of automation means, is conducted in such a way that for each category of personal data it is possible to determine the storage locations of personal data (material carriers of personal data) and establish a list of persons processing personal data or having access to them.

The Company ensures separate storage of personal data (material carriers of personal data) used for various purposes of processing carried out without the use of automation means.

When storing material carriers of personal data, conditions ensuring the safety of personal data and excluding unauthorized access to them are observed. The list of measures necessary to ensure such conditions, the procedure for their adoption, as well as the list of persons responsible for the implementation of said measures, are established by the Company.