1. Policy's Purpose

‍

1.1. This document defines the policy of Altus Capital LLC for processing personal data and ensuring its security (the “Policy”), and is public (publicly available).

‍

1.2. The Policy has been developed to comply with the requirements of the Federal Law dated 27.07.2006, No. 152-FZ "On Personal Data", and other personal data regulations of the Russian

Federation, and applies to all personal data processed by Altus Capital LLC (the “Company”).

‍

‍

‍

2. Terms and Definitions

‍

For the purposes of this Policy, the following terms and definitions apply:



• Company means Altus Capital LLC.
• Information Security ("IS") means the state of security in the face of threats in the information sphere.

• Personal Data Information System ("PDIS") means a set of personal data contained in databases and information technologies and facilities ensuring its processing.

• Personal Data Processing means any personal data activity (operation) or a set of personal data   activities (operations) performed with or without use of automation facilities, including collection,   recording, systematization, accumulation, storage, clarification (update, modification), extraction, use,   transmission (dissemination, provision, access), depersonalization, blocking, deletion, destruction of personal data.

• Operator means a government authority, municipal authority, legal entity or individual who   independently or in cooperation with other entities arranges and (or) performs personal data processing, and establishes the purposes of personal data processing, the composition of personal data to be processed, activities (operations) involving personal data.

• Personal Data ("PD") means any information related directly or indirectly to a particular or identifiable   individual (personal data subject), as defined in section   No. 5 of the Policy.

• Policy means this document.
• Personal Data Subject ("PDS") means an individual who owns personal data.
• FL No. 152 means the Federal Law dated 27.07.2006, No. 152-FZ “On Personal Data”.
• Cookies are small pieces of data that are stored in the browser of a computer, mobile phone or other device after visiting websites. Cookies are widely used to keep websites running and collect statistics.

‍

‍

‍

3. General

‍

3.1. One of the conditions for achieving the purposes of the Company's activities is to ensure the

required and sufficient level of information security of the Company's assets, which, among

other things, include personal data (PD) and the processes within the scope of which it is processed.

‍

3.2. Ensuring the lawful PD processing and the security of the processed PD is one of the priority

objectives of the Company.

‍

3.3. The Policy defines the principles, conditions and general procedure for the processing and

protection of PD of various categories of subjects whose PD is processed by the Company, and is

developed to ensure the protection of the individual's and citizen's civil rights and freedoms

when his/her personal data is being processed, including the protection of the rights for privacy,

personal and family secret.

‍

3.4. PD falls into the definition of confidential information of the Company and it is subject to all

requirements for information security (IS), which apply in the Company with the aim of

protecting the confidential information, unless PD falls into the category of publicly available

and/or anonymized data.

‍

3.5. The Policy is binding on all employees of the Company.

‍

3.6. Employees of the Company, whose official duties involve access to PD processed in the

Company, shall be made familiar with this Policy against signature when being hiring and (or)

when being transferred to the relevant position/role.

‍

‍

‍

4. Personal Data Processing Principles  

‍

4.1.   The   Company   considers   the   most   important   objective   is   to   ensure   the   lawfulness   and

fairness of PD processing, to maintain its confidentiality and security of its processing.

‍

4.2. The following principles underlie PD processing in the Company:



• processing personal data on a lawful and fair basis;
• limiting PD processing to achievement of particular, predetermined and lawful purposes;
• consistency of the content and scope of processed PD with the stated purposes of their processing, non-redundancy of processed PD in terms of the purposes of its processing;

• inadmissibility of combining databases that contain PD to be processed for incompatible purposes;

• ensuring the accuracy of PD, its sufficiency, and, where necessary, the relevance in terms of the purposes of PD processing;

• storing PD in a form that allows identifying the PD subject for no longer than the purpose of PD processing requires, unless a storage period for such personal data is set by the laws of the Russian Federation, an agreement to which the PD subject is a party, or under which the PD subject is a beneficiary or surety.

‍

‍

‍

5. Categories of Processed Personal Data

‍

5.1. The composition of PD processed in the Company is formed in accordance with FL No. 152,

regulations of the Russian Federation, and the Articles of Association of the Company,

agreements and business processes of the Company.

‍

5.2.   The Company shall not process special categories of PD related to race, ethnic origin,

political views, religious or philosophical views and intimate life, and shall not process biometric

PD.

‍

‍

‍

6. Grounds for Processing Personal Data in the Company

‍

6.1. PD shall be processed in the Company in the following cases:



• PD is processed with the PD subject's consent to the processing of his/her PD;
• PD processing is necessary to achieve the purposes stipulated by an international treaty of the   Russian Federation or law, for the fulfilment and performance of the functions, powers and obligations   vested in and imposed on the Company by the laws of the Russian Federation;

• PD processing is necessary to perform an agreement to which the PD subject is a party or under which the PD subject is a beneficiary or surety, or to enter into an agreement on the initiative of the   PD subject or an agreement under which the PD subject will be a beneficiary or surety;

• PD processing is necessary to protect the life, health or other vital interests of the PD subject, where obtaining the consent of the PD subject is impossible;

• PD processing is necessary to exercise the rights and observe the lawful interests of the Company or third parties, or to achieve socially significant goals, unless the PD subject's rights or freedoms are infringed;

• processing of PD, access to which is granted by the PD subject or at his/her request to an unlimited number of persons (the “publicly available personal data”);

• processing of PD that is subject to publication or mandatory disclosure in accordance with the federal law.

‍

‍

‍

7. Purposes of Processing Personal Data in the Company

‍

7.1. The Company shall process PD for the particular, predetermined and lawful purposes and on

lawful grounds;

‍

7.2. The information that the Company collects using cookies shall be used for the purpose of

analyzing the use of the Company's website and its subsequent improvement.

‍

‍

‍

8. General Personal Data Processing Procedure

‍

8.1. The Company shall process PD with or without use of automation facilities.

‍

8.2. If subject’s PD is received from a third party, the Company shall notify the PD subject of

this and inform him/her of the source of the PD, his/her rights with regard to the processed PD,

the name and address of the Company, the purposes and legal ground for the processing of the

PD, expected users of the PD. The exceptions are cases where:



• the PD subject has been notified of the processing of his/her PD by the relevant operator;
• the PD has been provided to the Company pursuant to the requirements of federal law or in connection with the performance of an agreement to which the PD subject is a party or under which the PD subject is a beneficiary or surety;

• the PD is publicly available;
• the Company processes the PD on behalf of a third party operator under an agreement made between the Company and such third party;

• the provision of the PD subject with the information listed in this paragraph infringes on the rights or lawful interests of third parties.

‍

8.3. The Company shall make available PD to government authorities and authorized persons

subject to the scope of their powers and competence in accordance with the laws of the Russian

Federation.

‍

8.4. The PD shall be made available to a representative of the PD subject (including a lawyer) in

the manner regulated by the applicable laws of the Russian Federation and to the extent set out in

the order of  the PD subject; provided that one of the following duly executed documents is presented:



• an original notarized power of attorney issued to such representative of the PD subject;
• an application from the PD to be written in the presence of an employee of the Company and certified by such employee of the Company who has accepted the application (or certified by a notary, if it has not been drawn up in the presence of an employee of the Company).

‍

8.5. If the person who has applied to the Company with a request to provide PD is not authorized

to receive information falling into the definition of PD, the Company shall refuse to provide such

information and shall appropriately notify the said person of such refusal.

‍

8.6. The Company may entrust PD processing to a third party, except as otherwise provided by

the laws of the Russian Federation. If this is the case:



• the PD provided to the Company by the PD subject (his/her legal representative) can be processed   only with the consent of the PD subject (his legal representative), if such consent must be obtained in compliance with the requirements of FL No. 152;

• PD can be processed by a third party only by virtue of an agreement that defines a list of PD   activities (operations) and the purposes of processing, and the PD security regulations, including the requirement not to disclose or distribute PD without consent of the PD subject, except as otherwise provided by the laws of the Russian Federation, and the requirements pursuant to article 19 of FL No. 152.

‍

8.7. The Company may carry out cross-border transmission of PD in the cases stipulated by the

laws of the Russian Federation, contracts and agreements with international organizations or

companies. In this connection, provisions ensuring adequate protection of the PD subjects’ rights

(including provisions ensuring PD security) must be included in the said contracts and agreements.

‍

8.8. The Company shall make arrangements to timely identify and modify the processed PD in

order to ensure its accuracy, reliability and relevance, in particular, in terms of the purposes of

PD processing.

‍

8.9. Modifications to the PD shall be made by an authorized employee of the Company only by

virtue   of   duly   executed   original   documents or their certified copies. If the subject

provides/modifies his/her PD when subscribing to the mailings of analytical materials on the

Company's website, the PD subject shall be directly responsible for the data accuracy.

‍

8.10.  If the PD subject detects inaccurate PD and when the PD subject or his/her legal

representative applies, or at their request or at the request of a competent authority that protects

PD subjects' rights, the Company shall ensure its blocking from the time of such appeal or

request for the check period, unless such blocking of the PD infringes on the rights and lawful

interests of the PD subject or third parties.

‍

8.11. If the inaccuracy of the PD is ascertained on the basis of information provided by the PD

subject or his/her representative or the competent authority that protects PD subjects’ rights, or

other relevant documents, the Company shall ensure its updating within the period prescribed by

FL No. 152 from the day of provision of such information and shall unblock it.

‍

8.12. If the inaccuracy of the PD is not ascertained on the basis of information provided by the

PD subject or his/her representative or the competent authority that protects PD subjects’ rights,

or other relevant documents, the Company shall unblock it.

‍

8.13. Storage of PD in a form that allows identifying the PD subject shall last no longer than the

purposes of PD processing require, except as otherwise set out in the laws of the Russian

Federation or an agreement to which the PD subject is a party, or under which the PD subject is a

beneficiary or surety.

‍

8.14.   When collecting PD, recording, systematization, accumulation, storage, clarification

(updating, modification), extraction of PDo PD subjects, including citizens of the Russian

Federation, shall be carried out using databases located in the Russian Federation.

‍

8.15. If the PD subject wants the Company to refuse to process  cookies, then he/she must stop

using the Company's website or disable cookies in the browser settings.

‍

‍

‍

9. Ensuring Personal Data Security

‍

9.1. The Company has adopted a set of legal, organizational and technical measures to ensure PD

security, which are aimed at preventing unauthorized or accidental access to it, destruction,

modification, blocking, copying, dissemination, or other unlawful activities involving it, in

particular, by third parties, in compliance with the requirements of FL No. 152 and its by-laws.

‍

9.2. The measures aimed at ensuring PD security in the Company include, among other things,

the following actions:

‍

• appointing a person responsible for organizing PD processing in the Company;
• providing unlimited access to this Policy;
• keeping records of PD processed in the Company, categories of subjects whose PD is processed;

• keeping records of the Company's information systems in which PD is processed;
• appointing a Commission to determine the required level of protection of personal data processed in the Company's personal data information  systems, and the destruction of personal data;

• formalizing and monitoring the implementation of the PD processing procedure in the Company;

• formalizing and monitoring the compliance with the PD and PD medium destruction requirements;

• keeping records of positions of the Company's employees who need access to personal data processed with and without the use of automation facilities in order to perform their job (employment) duties;

• ensuring that the employees of the Company who are directly involved in PD processing are made familiar with the PD processing and protection provisions of the laws of the Russian Federation, including the PD protection requirements, this Policy and other local PD processing and protection acts of the Company;

• controlling and delimiting access of the Company's employees and other persons to PD processed in the Company;

• restoring PD modified or destroyed as a result of unauthorized access to it;
• including the PD security ensuring provisions in contracts with third parties to whom the PD is provided, including the requirements to maintain the confidentiality of the provided PD;

• arranging  procedures for ensuring the security of premises where PDIS are located, which will prevent an eventual uncontrolled entry by persons, who do not have the right to access such premises, into these premises, or their stay in these premises;

• carrying out regular internal monitoring/audit of the conformity of PD processing and security to the PD processing and security laws of the Russian Federation currently in force.

‍

‍

‍

10. Personal Data Processing Timeframes

‍

10.1. PD processing timeframes shall be determined in compliance with the requirements of the

laws of the Russian Federation currently in force, including the Order of the Federal Archival

Agency (Rosarkhiv) dated 20.12.2019, No. 236 "On Approval of the List of Standard

Administrative Archival Documents Generated in the Course of the Activities of Government

Authorities, Local Self-Government Authorities and Organizations, With Indication of Their

Storage Periods”, the internal documents of the Company, the terms of contracts made with the

PD subjects, and other requirements of the laws of the Russian Federation.

‍

‍

‍

11. Termination of Personal Data Processing

‍

11.1.   PD processing shall be terminated, and the collected PD shall be destroyed or the

termination of PD processing and its destruction shall be ensured (if processing is carried out by

another person acting on behalf of the Company) in the following cases and within the

timeframes prescribed by FL No. 152, except as otherwise provided by the laws of the Russian

Federation:



• on expiration of the set PD processing period;
• on achievement of the purposes of PD processing or if there is no need to achieve them;
• on revocation by the PD subject of the consent to the processing of his/her PD, if such consent is required in accordance with the laws of the Russian Federation;

• at the request of the PD subject or the Competent Authority That Protects Rights of PD subjects, if the personal data is incomplete, outdated, unreliable, unlawfully obtained or is not necessary for the stated processing purpose;

• in case of detection of unlawful processing of PD by the Company or by a person acting on its behalf, if it is impossible to ensure the lawfulness of PD processing.

‍

‍

‍

12. Interactions with Federal Executive Authorities

‍

12.1. Interactions with federal executive authorities, in particular, with the competent authority

that protects PD subjects’ rights, on the issues related to processing and security of PD processed

by the Company, shall be based on the laws of the Russian Federation.

‍

‍

‍

13. Interactions with Personal Data Subjects

‍

13.1. The Company shall facilitate the exercising of the lawful rights of PD subjects and respond

to requests and appeals from PD subjects, including their provision with information related to

the processing of their PD, in compliance with the requirements of the laws of the Russian Federation.

‍

13.2. A description of the PD subjects’ rights enshrined in the laws of the Russian Federation is

given in section 14 of this Policy.

‍

‍

‍

14. Rights and Obligations

‍

14.1. The PD subject has the right:



• to make a decision whether or not to provide his/her PD or give consent to its processing freely, of his/her own free will and for his/her own benefit;

• to require updating of his/her PD, its blocking or destruction if the PD is incomplete, outdated,   unreliable,   unlawfully   obtained   or   not   necessary   for   the   stated   processing purpose, and to take measures stipulated by law to protect his/her rights;

• to obtain information related to processing of his/her personal data by submitting a request and in the manner prescribed by FL No. 152;

• to revoke the consent to the processing of his/her PD, if such consent is required in accordance with the laws of the Russian Federation;

• to require notification of all persons processing PD on behalf of the Company, who were previously provided with incorrect  or incomplete  PD, of all exceptions, corrections  or additions to it;

• to appeal to the competent authority that protects PD subjects' rights or in a judicial proceeding   against unlawful actions or omissions committed when processing his/her PD;

• to the protection of his/her rights and lawful interests, including the right to the compensation for  losses and (or) compensation for non-pecuniary damage by judicial means;

• to exercise other rights contemplated by laws of the Russian Federation.

‍

14.2. The PD subject is obliged:



• to provide reliable PD and affirm its accuracy by presenting original documents or their duly certified copies;

• to timely inform the Company about changes in his/her PD.



14.3. The Company, as a PD operator, has the right:



• to defend its interests in court;
• to provide subjects’ PD to government and other competent authorities, if this is contemplated by   the laws of the Russian Federation currently in force (tax, law enforcement agencies, the Bank of Russia, etc.);

• to refuse to provide PD in the cases stipulated by the laws of the Russian Federation, including the laws on the countering of legalization (laundering) of criminally obtained incomes and the financing of terrorism;

• to process the subject's PD without his/her consent, in the cases contemplated by the laws of the Russian Federation;

• to exercise other rights contemplated by the laws of the Russian Federation.

‍

14.4. The Company, as a PD operator, is obliged:



• to process and protect PD in compliance with the requirements of the PD processing and security regulations of the Russian Federation;

• to notify the subject of the processing of his/her PD, if such PD is received from third parties, except as otherwise provided by the laws of the Russian Federation.

• to provide the PD subject with information regarding the processing of his/her PD, at the request of   the subject, except as otherwise provided by the laws of the Russian Federation.

• check the accuracy of the data provided by the PD subject or his/her legal representative by verifying it against the information contained in the original documents or their duly certified copies presented by the PD subject or his/her legal representative;

• to explain to the PD subject the legal implications of refusal to provide his/her PD, if such provision   of PD is mandatory in accordance with the laws of the Russian Federation;

• to organize the reception and processing of appeals and requests from PD subjects or their representatives;

• to organize the reception and processing of requests from competent authorities.

‍

‍

‍

15. Final Provisions

‍

15.1. This Policy is subject to approval by the order of the General Director of the Company and

shall be posted on the Company's website in the public domain.

‍

15.2. Responsibility for monitoring compliance with this Policy is imposed on the person

appointed by an Officer Responsible for Organizing PD Processing in the Company.

‍

15.3. The Policy shall be reviewed and updated upon a change in the PD processing and security

ensuring legislation of the Russian Federation, or upon a change in the PD processing processes

in the Company, but no less than once every three (3) years.

‍

15.4. Any amendments  and/or additions  to this  Policy  will come into force from the date  of

approval of a new version of the document by the General Director of the Company.

‍

15.5. Any issues that are not settled by this Policy shall be resolved in accordance with the laws

of the Russian Federation.

‍

‍

‍

16. Contact Information

‍

16.1. PD subjects can send questions about PD processing by the Company to the e-mail address:

contact.ufgwmru@yandex.ru or to the postal address of the Company: 2, Tsvetnoy Boulevard,

floor 3, premises II, room 1, Moscow, 127051 (if the address changes, the relevant information

will be posted on Altus Capital LLC's website www.ufgwm.ru, English version of the website at

ufgwm.com).

‍