Personal Data processing Policy — SKB Kontur

Personal Data processing Policy

APPROVED by order of JSC «PF «SKB Kontur»
dated July 28, 2023, Num. 433

1. Purpose and scope

1.1. This document (hereinafter — Policy) defines the purposes and general principles of personal data processing, as well as the measures implemented to protect the rights of personal data subjects in SKB Kontur group of Companies (hereinafter — SKB Kontur, also the Group of Companies).

1.2. The Policy applies to the following legal entities (hereinafter — Companies) included in SKB Kontur:

  • Joint Stock Company «PF «SKB Kontur»;
  • Limited Liability Company «TK Kontur»;
  • Limited Liability Company «Sertum-Pro»;
  • Limited Liability Company «Kontur NTT»;
  • Closed Joint Stock Company «TaxNet»;
  • Limited Liability Company «UK «Office-Service»;
  • Autonomous non-profit organization DPO «SKB Kontur Training Center»;
  • Limited Liability Company «Kontur Innovations»;
  • Limited Liability Company «Argos SPB»;
  • Limited Liability Company «UralFinInvest»;
  • Charitable Foundation «SKB Kontur»;
  • Limited Liability Company «Customer Service Kontur-Park»;
  • Limited Liability Company «RSC Info Buhgalter»;
  • Limited Liability Company «Kontur-Park»;
  • Limited Liability Company «CIB-Service»;
  • Limited Liability Company «Kontur Factoring»;
  • Limited Liability Company «SBK»;
  • Limited Liability Company «Business-Soft St. Petersburg».

1.3. The Policy applies to all SKB Kontur personnel (including employees under labor contracts and employees working on the basis of other contracts with the Companies) and all subdivisions of the Companies.

1.4. Requirements of the Policy are also considered and applied to other persons or organizations when there is a necessity for their participation in the SKB Kontur personal data processing, e.g. in cases of transferring personal data from SKB Kontur to contractors, partners, and other counterparties based on orders for personal data processing, agreements, and contracts by the established procedure.

2. Compliance with Applicable Laws

2.1. The Policy is developed primarily on the basis of the legislation of the Russian Federation because SKB Kontur companies are registered in the Russian Federation. The Policy uses terms and definitions in the meanings defined in Federal Law № 152-FZ «On Personal Data» dated 27.07.2006 (hereinafter — 152-FZ). SKB Kontur processes personal data considering the requirements of 152-FZ itself, its by-laws, and the regulatory and methodological documents of the state bodies of the Russian Federation authorized in the field of information security and protection of the rights of personal data subjects.

2.2. If possible, the Policy also considers the provisions of other legislation applicable to SKB Kontur activities in the field of personal data processing, e.g. the European General Data Protection Regulation (hereinafter — GDPR), or local legislation of certain countries in the part that does not contradict 152-FZ.

2.3. In separate cases of personal data processing, in order to resolve possible contradictions between the laws of different states, the procedure and principles of personal data processing in SKB Kontur can be regulated and detailed, in addition to the Policy, in special sections of other SKB Kontur documents (e.g. contracts, agreements) that relate to such separate cases and perform for them the role of a Data Processing Agreement (hereinafter — DPA) within GDPR terminology.

2.4. SKB Kontur Companies that process personal data of citizens of the Russian Federation are each individually registered in the register of the Authorised Body of the Russian Federation on Protection of Rights of Personal Data Subjects (hereinafter — Roskomnadzor) as personal data Operators. Any person can get information about the Operators by searching in the Personal data Operators registry publicly available on the Internet at https://pd.rkn.gov.ru/operators-registry/operators-list/. The registry contains information about the Operator provided by the legislation of the Russian Federation, including:

2.4.1. full name and location of the personal data Operator;
2.4.2. information about persons responsible for organization of personal data processing;
2.4.3. contact information for inquiries;
2.4.4. information on the location of personal data information systems databases;
2.4.5. information on personal data processing and security measures;
2.4.6. information on cross-border transfer of personal data;
2.4.7. other information on personal data Operators stipulated by 152-FZ.

3. Principles of personal data processing

3.1. The processing of personal data is carried out by SKB Kontur on a legal and fair basis. The main legal grounds for processing are:

3.1.1. The Constitution of the Russian Federation;
3.1.2. Labor Code of the Russian Federation;
3.1.3. Civil Code of the Russian Federation;
3.1.4. Tax Code of the Russian Federation;
3.1.5. Federal Law of 10.01.2002 Num. 1-FZ «On Electronic Digital Signature»;
3.1.6. Federal Law of 06.04.2011 Num. 63-FZ «On Electronic Signature»;
3.1.7. Federal Law of 07.07.2003 Num. 126-FZ «On Communications»;
3.1.8. Federal Law of 27.07.2006 Num. 149-FZ «On Information, Information Technologies and Information Protection»;
3.1.9. Federal Law of 04.05.2011 Num. 99-FZ «On licensing certain types of activities»;
3.1.10. Federal Law of 06.12.2011 Num. 402-FZ «On Accounting»;
3.1.11. Federal Law of 01.04.1996 Num. 27-FZ «On Individual (Personified) Accounting in the Compulsory Pension Insurance System»;
3.1.12. Federal Law of 24.07.2009 Num. 212-FZ «On Insurance Contributions to the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund and Territorial Funds of Compulsory Medical Insurance»;
3.1.13. Federal Law of 22.10.2004 Num. 125-FZ «On archival affairs in the Russian Federation»;
3.1.14. Federal Law of 19.12.2012 Num. 273-FZ «On Education in the Russian Federation»;
3.1.15. Federal Law of 22.05.2003 Num. 54-FZ «On the Application of Cash Register Equipment in Settlements in Cash and/or via Electronic Means of Payment»;
3.1.16. Federal Law of 12.01.1996 Num. 7-FZ «On non-profit organizations»;
3.1.17. Federal Law of 26.12.1995 Num. 208-FZ «On Joint Stock Companies»;
3.1.18. Law of the Russian Federation of 27.12.1991 Num. 2124-1 «On Mass Media»;
3.1.19. Regulations of the Certification Authority of JSC «PF «SKB Kontur»;
3.1.20. Regulations of the Certification Authority of LLC «Sertum-Pro»;
3.1.21. Regulations of the Certification Authority of LLC «CIB-Service»;
3.1.22. Regulations of the Certification Authority of LLC «RSC Info Buhgalter»;
3.1.23. Regulations of the electronic factoring platform of LLC «Kontur Factoring»;
3.1.24. Charters of the Companies;
3.1.25. Contracts and Agreements of the Companies;
3.1.26. Consents of personal data subjects.

3.2. The content and volume of personal data being processed are determined by the purposes of the processing. SKB Kontur does not process personal data that are excessive or incompatible with the following main purposes:

3.2.1. conclusion of labour relations with individuals, personnel recruitment;
3.2.2. signing, prolongation of contractual relations of the Companies;
3.2.3. identification of parties to contracts, agreements, deals of the Companies;
3.2.4. fulfillment of contractual obligations of the Companies, including provision of services, granting rights to use the software of SKB Kontur;
3.2.5. use by organizations and individuals of websites and other information resources of the Companies by their terms of use, license agreements;
3.2.6. registration, identification, and personalization of users of websites, applications, and other information resources of the Companies; provision of access to resources, and functions available only for registered users; improvement of user experience, products, and services of the SKB Kontur;
3.2.7. communication with individuals and organizations for sending them notifications, replies to inquiries, mailings, and information letters as well as marketing information to promote SKB Kontur and partner organizations products and services;
3.2.8. carrying out activities of the Certification Authority in accordance with the Russian Federation legislation on electronic signature;
3.2.9. carrying out activities of the fiscal data operator in accordance with the legislation of the Russian Federation on fiscal data;
3.2.10. carrying out activities of electronic workflow operators in accordance with the legislation of the Russian Federation, regulatory documents of the Russian Federation state authorities;
3.2.11. carrying out activities to provide supplementary vocational education;
3.2.12. carrying out activities of mass media in accordance with the legislation of the Russian Federation;
3.2.13. participation of individuals in referral, bonus, and loyalty programs of SKB Kontur and partner organizations;
3.2.14. protection of legal interests of the Companies, their partners and clients; countering illegal or unauthorized actions, fraudulent use by clients or within provision of the products, and services of the SKB Kontur to clients; provision of information security;
3.2.15. organizing access control on the territory of buildings and offices of SKB Kontur, ensuring the safety of property and security of employees and visitors of the Companies;
3.2.16. organizing conferences, seminars, webinars, and other public events in the interests of the SKB Kontur, partner organizations, and professional communities;
3.2.17. undertaking by individuals internships, traineeships in the Companies, studying in partner educational institutions;
3.2.18. provision of social benefits and material assistance, compensations and bonuses to the employees of the Companies;
3.2.19. carrying out research in the fields of activity of the Companies, use of products and services of SKB Kontur for development of new products and services, quality assurance;
3.2.20. collection, processing of analytical and statistical data on the subject of activities of the SKB Kontur, use of information resources, products, and services of the SKB Kontur;
3.2.21. compliance with current labour, accounting, pension, and other legislation of the Russian Federation;
3.2.22. compliance with other legislation applicable to the activities of the SKB Kontur, including international or local legislation of the countries in respect of whose citizens the SKB Kontur or individual companies are operating.

3.3. The main categories of personal data subjects, whose data are processed in SKB Kontur, include:

3.3.1. visitors and users of the websites, applications, and information resources of the SKB Kontur;
3.3.2. individuals who are or have been in labour and civil legal relations with the SKB Kontur companies, their close relatives, referrals, as well as persons who intend to enter into such relations, e.g. candidates for the vacant job positions;
3.3.3. individuals, who are or have been in labour and civil legal relations with contractors of SKB Kontur companies, as well as persons who have intentions to enter such relations;
3.3.4. persons undertaking an internship in SKB Kontur, traineeship on an assignment of educational institutions;
3.3.5. individuals specified in various state registries, databases, in public and other sources, which are obtained by legal means and are used in the provision of services and in products of the SKB Kontur as data sources;
3.3.6. individuals who have contacted the SKB Kontur with their requests, messages, statements, complaints, suggestions using the contact information or feedback collecting means;
3.3.7. individuals participating in interviews, surveys, analytical and marketing research on the fields of the Companies' activities;
3.3.8. participants in events conducted by the SKB Kontur or partner organizations;
3.3.9. visitors to the offices of the SKB Kontur;
3.3.10. shareholders and founders of the Companies.

3.4. According to the processing purposes, the following data may be processed for the above-mentioned categories of subjects:

3.4.1. personal information (surname, name, patronymic, including former; sex; year, month, date of birth; age; place of birth, nationality, citizenship);
3.4.2. contact information (postal address, phone numbers, e-mail addresses, nicknames, social networks, and communication services IDs); registration and actual residence addresses;
3.4.3. information on identity documents; driver's license; information on subject's identification numbers in state registration systems (e.g. INN=taxpayer ID number, SNILS=Insurance individual account number, etc.); information on compulsory and voluntary health insurance plans;
3.4.4. professional activity (place of employment; job title; structural subdivision; staff number; work experience; membership in legal entities; competencies);
3.4.5. skills and qualification (education; profession; assigned specialties; knowledge of foreign languages; completed training courses, internships, and traineeships);
3.4.6. information on family (family status; family composition; legal representatives, close relatives);
3.4.7. social status; property status; information on vehicles;
3.4.8. information on contracts and agreements, their statuses; information on participation in partnership and bonus programs; referral promotional codes; information on products and services used;
3.4.9. recommendations and feedback; information on staff assessment;
3.4.10. financial state; payment details; incomes; information on tax and other payments to state funds; information on accruals and withholding of monetary funds, remuneration in other forms; information on purchases made, orders for goods and services; information on payments;
3.4.11. information on presence in certain state registries, databases, and lists;
3.4.12. information on military registration; information on migration registration;
3.4.13. photo and video image; speech data (voice recording);
3.4.14. electronic user data (user identifiers, network addresses, cookies, device identifiers, screen size and resolution, information on hardware and software, e.g. browsers, operating system, installed applications, geolocation, language settings, time zone, time and statistics on use of the applications and information resources of the SKB Kontur as well as user actions in the services and applications, sources of navigation to web pages, sent search and other queries, user-created content); electronic signature certificates;
3.4.15. hobbies and pastimes; personal interests; tastes and preferences; mailing list subscriptions;
3.4.16. health state; information about disabilities, inability to work;
3.4.17. information on bonuses, awards, penalties, and prosecution;
3.4.18. other information provided by the standard forms, established procedure, and purposes of the processing.

3.5. Processing personal data in the SKB Kontur is carried out in a mixed way: with and without the use of automation.

3.6. Operations with personal data include: collection; recording; systematisation; accumulation; storage; clarification (updating, modification); extraction; use; transfer (distribution, provision, access); depersonalisation; blocking; removal, destruction.

3.7. During processing, the accuracy of personal data, its sufficiency, and its relevance to the purposes of personal data processing are ensured. If inaccurate or incomplete personal data is detected, it can be clarified and updated. In cases where the updating of personal data is beyond the scope of responsibility of SKB Kontur, processing may be suspended until updates are made. Duties and responsibility for timely updating of personal data for certain processing cases may be established by agreements or local acts of SKB Kontur.

3.8. Personal data is processed and stored for as long as the purposes of processing require, if there are no legal grounds for further processing, for example, if neither the federal law nor the agreement with the personal data subject establishes an appropriate storage period.

3.9. The personal data being processed shall be destroyed or depersonalized under the following conditions:

3.9.1. achievement of purposes of personal data processing or of maximum storage period — to be destroyed or depersonalized within 30 days;
3.9.2. loss of necessity in achieving the purposes of personal data processing — within 30 days;
3.9.3. provision by the subject of personal data or its legal representative of confirmation that personal data is illegally obtained or is not necessary for the stated purpose of processing — within 7 days;
3.9.4. impossibility to ensure the lawfulness of personal data processing — within 10 days;
3.9.5. withdrawal of consent to processing personal data by the subject of personal data, if the storage of personal data is no longer required for the purposes of personal data processing — within 30 days;
3.9.6. withdrawal of consent to processing personal data by the subject of personal data for contacts with potential clients while promoting products and services — within 2 days;
3.9.7. the expiration of the limitation period for legal relations within which the processing personal data is carried out or was carried out;
3.9.8. liquidation (reorganization) of a particular Company of the SKB Kontur Group if the processing was carried out exclusively in the interests of this Company and there is no legal successor of the Company in SKB Kontur.

3.10. In the case of cross-border transfer of personal data, prior to such transfer, SKB Kontur makes sure that the foreign country, in whose territory the transfer will take place, provides adequate protection of the rights of personal data subjects or that this foreign country is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

3.11. Cross-border transfers to foreign countries that do not provide adequate protection of the rights of personal data subjects can be carried out in cases stipulated by the 152-FZ and the GDPR.

4. Processing as a subcontractor and engaging subcontractors

4.1. SKB Kontur Companies, in addition to their activities as personal data Operators, may act as entities processing personal data on behalf of other personal data Operators under contracts and other agreements. Such cases include, for example, the following:

4.1.1. providing the clients of SKB Kontur with rights to use the software products;
4.1.2. providing the clients of SKB Kontur with services on data processing;
4.1.3. implementation of joint processing with external organizations within a partnership of SKB Kontur.

4.2. If necessary, SKB Kontur Companies may involve third-party organizations in the processing of personal data as subcontractors on condition of compliance with processing principles and the existence of a relevant contract or agreement with such organizations. Such cases include, for example, the following:

4.2.1. providing products and services of SKB Kontur jointly by different Companies, as well as with third-party organizations, technological and other partners of SKB Kontur;
4.2.2. organizing a partner network of SKB Kontur for distribution of products and services on the market;
4.2.3. use of third-party services, computing resources, applications, and infrastructure for information processing, communication with clients of products and services.

4.3. Processing personal data on the basis of contracts and other agreements of the SKB Kontur, and orders for personal data processing is carried out in accordance with the terms and conditions of these contracts, agreements of the SKB Kontur with the persons to whom processing is entrusted or who have entrusted processing on legal grounds. Such agreements may determine, in particular:

4.3.1. purposes, conditions, operations with personal data, period of personal data processing;
4.3.2. roles, functions and obligations of the parties, including measures to ensure confidentiality, and information security;
4.3.3. rights and responsibilities of the parties regarding the processing of personal data.

4.4. In cases where the applicable law is the GDPR which assumes DPA agreements between the processing participants, the following documents can fulfill the role of the DPA after inclusion of special sections with conditions of the processing personal data:

4.4.1. license agreements for the right to use the software;
4.4.2. contracts and agreements including data processing orders;
4.4.3. agreements on confidentiality, information security;
4.4.4. terms of use of information resources, user agreements;
4.4.5. regulations, provisions, agreements on data processing, service level agreements.

5. Obtaining the consent of the subject for processing personal data

5.1. Where processing is not explicitly provided for by the current legislation or by the agreement with the subject, it is carried out after obtaining consent from the personal data subject. A case in which prior consent is obligatory is, for example, communication with a potential client for marketing purposes when promoting products and services of SKB Kontur on the market.

5.2. The consent can be expressed in the form of committing conclusive actions by the subject of personal data, for example:

5.2.1. accepting terms and conditions of the offer agreement, license agreement, terms of using SKB Kontur information resources and services;
5.2.2. continuing interaction with user interfaces, working in applications, services, and information resources of SKB Kontur after notifying the user about data processing;
5.2.3. providing the necessary permissions to mobile applications when requested at the moment of installation or use;
5.2.4. putting checkmarks, filling in the appropriate fields in forms and blanks;
5.2.5. replying to or continuing email correspondence that refers to the processing;
5.2.6. entering the territory after familiarization with warning signs on processing;
5.2.7. other actions performed by the subject by which it is possible to form an opinion of his/her will.

5.3. In some cases provided for by the legislation of the Russian Federation, the consent is given in writing and includes the information required by 152-FZ, as well as by other applicable requirements and standard forms.

5.4. In cases of processing the personal data received not from the subject directly, but from other persons on the basis of the contract or the order on processing, the duty of obtaining the consent of the subject can be assigned to the person from whom the personal data is received.

5.5. If the subject refuses to provide the necessary and sufficient volume of his/her personal data, SKB Kontur will not be able to carry out the actions necessary to achieve the relevant processing purposes. For example, in such a case registration of the user in a service cannot be finished, a service under the contract cannot be provided, a CV of an applicant for a job vacancy will not be considered, etc.

6. Processing the user's electronic data, including cookies

6.1. SKB Kontur, for the purposes of processing personal data in accordance with the Policy, may collect electronic user data without the need for user participation and without any actions by the user to send the data.

6.2. The validity of the electronic data collected in this way is not verified in SKB Kontur, and the information is processed «as is», the way it appears on the user's device.

6.3. Visitors and users of SKB Kontur websites may be shown notifications about collecting and processing the cookies with a link to the Policy and buttons to accept the processing conditions or close the notification.

6.4. Such notifications mean that when visiting and using websites, information resources and the web applications of SKB Kontur, some information (e.g. cookies) may be stored in the user's browser on the user's device, enabling further identification of the user or device, remembering of the session, or saving of certain user preferences specific to these particular websites. Such information, once stored in the user's browser and until its expiration or deletion from the device, will be sent along with each subsequent request to the website on whose behalf it was stored, for processing on SKB Kontur's side.

6.5. Processing these cookies is required by SKB Kontur for proper website functioning, in particular, their functions related to the access of the registered users to SKB Kontur products, services, and resources; for personalization of the users; for improvement of efficiency and user experience on the websites and for other purposes stipulated in the Policy.

6.6. In addition to processing the cookies set by SKB Kontur websites, users and visitors may also receive cookies relating to third-party sites, for example, when SKB Kontur sites use third-party components and software. Processing of such cookies is governed by the policies of the respective sites to which they relate, and is subject to change without notice to users of SKB Kontur sites. This may include the use of the following on the websites:

6.6.1. counters of visits, analytical, and statistical services, such as Yandex.Metrics or Google Analytics to collect statistics of attendance of public pages of websites;
6.6.2. widgets of auxiliary services for collection of feedback, organizing of chats, and other types of communication with users;
6.6.3. context advertising systems, banner, and other marketing networks;
6.6.4. authorization buttons on websites using accounts in social networks;
6.6.5. other third-party components used by SKB Kontur on its websites.

6.7. Acceptance by the user of the terms and conditions of cookies or closure of a pop-up notification, in accordance with the Policy, is deemed to be consent to processing cookies on SKB Kontur websites.

6.8. If the user does not agree with the processing of cookies, he/she must accept the risk that the functions and features of the website may not be fully available and then follow one of the following options:

6.8.1. configure their browser themselves, in accordance with its documentation or user guide, so that it permanently does not allow accepting and sending cookies for any website or for a particular SKB Kontur or third-party website;
6.8.2. switch their browser to the special «incognito» mode, so that the website uses cookies only until the browser window is closed or the browser is switched back to the normal mode;
6.8.3. leave the website to avoid further processing cookies.

6.9. The user can manage the stored data through the built-in web browser tools, including deleting or viewing information about the cookies set by the websites, including:

6.9.1. the addresses of the websites and the paths on the websites to which cookies will be sent;
6.9.2. names and values of settings stored in cookies;
6.9.3. the expiration period of cookies.

7. Privacy and security of personal data

7.1. For personal data processed in SKB Kontur, privacy is ensured in accordance with the applicable legislation, local acts of the Companies, conditions of the signed agreements and contracts of SKB Kontur, except the following cases:

7.1.1. if personal data is publicly available, contained in publicly available sources of personal data or has been authorized by the subject for dissemination;
7.1.2. if the information is subject to mandatory disclosure to third parties, including state bodies, in accordance with the legislation applicable to SKB Kontur.

7.2. SKB Kontur takes necessary and sufficient legal, organizational and technical measures to ensure the security of personal data for its protection against unauthorized (including accidental) access, destruction, modification, access blocking, and other unauthorized actions. Such measures include, in particular, the following:

7.2.1. appointment of individuals or legal entities responsible for the organization of processing and security of personal data in specific Companies;
7.2.2. approval of local acts on personal data processing and information security, and familiarisation of employees with them;
7.2.3. awareness, training of employees in the issues of personal data processing, information security;
7.2.4. ensuring the physical security of premises and processing facilities, access control, security, video surveillance;
7.2.5. restriction and access control to personal data and processing means for employees and other persons, monitoring of actions with personal data;
7.2.6. identification of threats to the safety of personal data, threat modeling while personal data processing in information systems;
7.2.7. use of security controls (antivirus tools, firewalls, protection against unauthorized access, cryptographic protection of the information), including, where necessary, those that have passed assessment in accordance with the established procedure;
7.2.8. accounting and safekeeping of data carriers, preventing their theft, substitution, unauthorized copying, and destruction;
7.2.9. backup of information for recovery possibility;
7.2.10. internal control and auditing over compliance with the established procedure, verification of the effectiveness of controls, incident response capabilities, and procedures;
7.2.11. checking the presence of personal data privacy and security clauses in the contracts and agreements where necessary;
7.2.12. other measures and controls in accordance with local acts of the SKB Kontur.

8. Rights of personal data subjects

8.1. Personal data subject has the right to revoke the consent to the processing of personal data by sending a corresponding request to the Company or authorized representatives of the SKB Kontur in other countries, by mail, or by contacting locally.

8.2. Personal data subject has the right to receive information related to the processing of his/her personal data, including those containing:

8.2.1. confirmation of the fact of personal data processing by the SKB Kontur companies;
8.2.2. legal grounds and purposes for processing personal data;
8.2.3. the purposes and ways of processing personal data applied in the SKB Kontur;
8.2.4. name and location of the SKB Kontur Company, information about persons (except for employees) who have access to personal data or to whom personal data can be disclosed on the basis of agreement, agreement with the Company or on the basis of the federal law;
8.2.5. the processed personal data relating to the respective personal data subject, the source of their reception, unless another procedure for submitting such data is stipulated by the federal law;
8.2.6. durations of personal data processing, including durations and terms of their storage;
8.2.7. an order of realization of the rights provided by 152-FZ to the personal data subject;
8.2.8. the information on the carried out or on assumed cross-border transfer of the data;
8.2.9. name or surname, first name, patronymic name, and address of the person or organization who carries out personal data processing on behalf of SKB Kontur Companies if the processing is or will be entrusted to such person;
8.2.10. other information provided by 152-FZ or other federal laws.

8.3. Personal data subject has the right to demand from SKB Kontur to clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the declared purpose of processing, as well as to take measures for the protection of his/her rights provided by the applicable legislation.

8.4. If personal data subject believes that SKB Kontur is processing his/her personal data with violations of the requirements of the 152-FZ or is otherwise violating his/her rights and freedoms, personal data subject has the right to appeal against the actions or omissions of the Company which is part of SKB Kontur to Roskomnadzor, other authorized supervisory authority, or in court.

8.5. The personal data subject has the right to protection of his/her rights and lawful interests, including compensation for damages and/or compensation for moral damages, in court.

9. Roles and responsibilities

9.1. The rights, duties, and responsibilities of SKB Kontur are determined by the applicable laws and agreements of the Companies.

9.2. The responsibility of employees of the Companies who are involved in personal data processing in the performance of their functional duties, for the proper processing and illegal use of personal data, is established by the terms of the contract between the Company and the employee, the non-disclosure agreement, and local acts of the Company.

9.3. Control over compliance with the requirements of the Policy in each SKB Kontur Company is generally carried out by the person responsible for organizing personal data processing in the relevant Company, or by particular structural units and authorized persons in accordance with the local acts of specific Companies.

9.4. The responsibility of counterparties involved in personal data processing on the basis of an order of SKB Kontur, for the proper processing and illegal use of personal data, is established in accordance with the terms and conditions of the contract, confidentiality agreement, or other agreement concluded between the SKB Kontur Company and the contractor.

9.5. In certain cases provided for by the applicable legislation, for example GDPR or the local personal data processing legislation of particular countries, SKB Kontur may appoint its representatives in the territory of the European Union or of those countries. In such cases, the rights, duties, and responsibilities will be shared in accordance with the contracts and agreements between such representatives and SKB Kontur, and the contact information of the representatives will be included in the Policy.

9.6. Persons who are guilty of a violation of the rules regulating the processing and information security of personal data bear financial, disciplinary, administrative, civil, or criminal responsibility in the manner established by the applicable legislation, local acts, and agreements of SKB Kontur.

10. Policy publishing and actualization

10.1. The Policy is developed by the persons responsible for the organization of personal data processing in JSC «PF «SKB Kontur» and is put into force after approval in SKB Kontur.

10.2. The Policy is a publicly available document of SKB Kontur which provides an opportunity for any persons to familiarize themselves with its current version, including existing translations into foreign languages, by publishing it on the Internet at https://kontur.ru/about/policy.

10.3. Web forms, blanks, standard forms of SKB Kontur for collecting personal data necessarily contain user notifications about processing personal data in accordance with the Policy with reference to it.

10.4. The Policy is valid indefinitely after approval and until it is replaced by a new version. SKB Kontur may make changes to the Policy without notice to any person. The Policy shall be reviewed annually to keep it up to date and updated as necessary.

10.5. Proposals and comments for changes to the Policy may be sent by any persons to policy@skbkontur.ru.

11. Additional information about SKB Kontur Group of Companies and its representatives

11.1. Location and contact information of the organizations included in the SKB Kontur to which the Policy applies:

  • Joint Stock Company «PF «SKB Kontur» (Russian Federation, 620144, Sverdlovskaya oblast', Yekaterinburg, Narodnaya Volya Street, 19A);
  • Limited Liability Company «TK Kontur» (Russian Federation, 620144, Sverdlovskaya oblast', Yekaterinburg, Narodnaya Volya Street, 19A);
  • Limited Liability Company «Sertum-Pro» (Russian Federation, 620057, Sverdlovskaya oblast', Yekaterinburg, Ul'yanovskaya Street, 13А, 209Б);
  • Limited Liability Company «Kontur NTT» (Russian Federation, 620036, Sverdlovskaya oblast', Yekaterinburg, Maloprudnaya Street, 5);
  • Closed Joint Stock Company «TaxNet» (Russian Federation, 420021, Republic of Tatarstan, Kazan, Kayum Nasyri Street, 28, 1010);
  • Limited Liability Company «MC» Office-Service» (Russian Federation, 620036, Sverdlovskaya oblast', Yekaterinburg, Maloprudnaya Street, 5);
  • Autonomous non-profit organization DPO «SKB Kontur Training Center» (Russian Federation, 127018, Moscow, Sushchovskiy Val Street, 18);
  • Limited Liability Company «Kontur Innovations» (Russian Federation, 420500, Respublika Tatarstan, Innopolis, Universitetskaya Street, 7, 44);
  • Limited Liability Company «Argos SPB» (Russian Federation, 196191, St Petersburg, Ploshchad' Konstitutsii, 7А, 109);
  • Limited Liability Company «UralFinInvest» (Russian Federation, 620014, Sverdlovskaya oblast', Yekaterinburg, Kuybysheva Street, 55, 417);
  • Charitable Foundation «SKB Kontur» (Russian Federation, 620144, Sverdlovskaya oblast', Yekaterinburg, Narodnaya Volya Street, 19A);
  • Limited Liability Company «Customer Service Kontur-Park» (Russian Federation, 620036, Sverdlovskaya oblast', Yekaterinburg, Maloprudnaya Street, 5);
  • Limited Liability Company «RSC Info Buhgalter» (Russian Federation, 360012, Kabardino-Balkarskaya Respublika, Nalchik, Kalinina Street, 226, 60);
  • Limited Liability Company «Kontur-Park» (Russian Federation, 620036, Sverdlovskaya oblast', Yekaterinburg, Maloprudnaya Street, 5, 315);
  • Limited Liability Company «CIB-Service» (Russian Federation, 656031, Altai Krai, Barnaul, Prospekt Stroiteley, 117);
  • Limited Liability Company «Kontur Factoring» (Russian Federation, 620036, Sverdlovskaya oblast', Yekaterinburg, Maloprudnaya Street, 5);
  • Limited Liability Company «SBK» (Russian Federation, 153002, Ivanovskaya oblast', Ivanovo, Prospekt Lenina, 21/1);
  • Limited Liability Company «Business-Soft St. Petersburg» (Russian Federation, 194044, St. Petersburg, Gel'singforsskaya Street, 2а).