THE POLICY OF LLC “I-RETAIL RUS” REGARDING PROCESSING OF PERSONAL DATA

1. GENERAL PROVISIONS
   1. This Policy regarding processing of personal data (hereinafter referred to as the “Policy”) is elaborated and applied by LLC “I-Retail Rus” (hereinafter referred to as the “Operator”) in accordance with the Federal Law of July 27, 2006 N 152-ФЗ “On Personal Data”, Federal Law of 13.03.2006 N 38-ФЗ “On Advertising”, Order of the Federal Service in the Sphere of Communications, Information Technologies and Mass Communications No.290 of 03.10.2017 on inclusion of I-Retail Rus in the register of operators for processing of personal data (registration number 77-17- 008327) and other normative acts in the field of protection of personal data, operating in the territory of the Russian Federation.
   2. This Policy applies to all personal data that may be obtained from individuals by the Operator during the implementation of services through the website https://sale-video.com/ (hereinafter referred to as “Website”), and which can be uniquely linked to a particular individual and his personal data. This Policy does not apply to relations:
      • arising during processing of personal data of the Operator's employees, as such relations are regulated by a separate local act regarding processing of personal data of LLC “I-Retail Rus”;
      • to which the Federal Law N 152-ФЗ “On Personal Data” does not apply
   3. The policy determines the behavior of the Operator in relation to processing of personal data accepted for processing, procedure and conditions of processing of personal data of individuals who have transferred their personal data for processing by the Operator (hereinafter referred to as “Personal Data Subject”, “Subject”) with and without the use of automation equipment, establishes procedures, aimed at preventing violations of the legislation of the Russian Federation, eliminating the consequences of such violations related to the processing of personal data.
   4. The policy is designed to ensure the protection of the rights and freedoms of the Personal Data Subjects during processing of their personal data, as well as to establish the responsibility of the officials of the Operator having access to personal data of the Personal Data Subjects, for failure to comply with the requirements and norms governing processing of personal data.
   5. The Operator processes the following personal data:
      • First name, Last name, Middle name
      • Phone number
      • E-mail address
   6. History of applications of the Personal Data Subject
   7. When using the services of the Website, the Operator also processes other anonymised data, which are automatically transmitted during the use of the website by means of the software installed on the computer:
      • Information about the used browser (or other program that accesses the website)
      • IP address
      • Cookie data
   8. The Operator carries out processing of personal data of Personal Data Subjects by maintaining databases in automated, mechanical, manual ways in order to:
      • process orders, requests or other actions of the Personal Data Subject related to the provision of services
      • notifications about changes in the offer, the order of rendering services, the list of actions events, discounts, etc. held by the Operator,
      • for other purposes, if the relevant actions of the Operator do not contradict the current legislation and the Operator's activities
      • the data specified in clause 1.6. of this Policy shall be processed for the purpose of carrying out analytics of the Website and the Application, tracking and understanding of the principles of use of the Website and the Application by visitors, improving the functioning of the Website, solving technical problems of the Website and the Application, developing new products, expanding services, identifying the popularity of events and determining the effectiveness of advertising campaigns; providing security and fraud prevention, providing effective customer support.
   9. The Operator processes personal data by performing any action (operation) or set of actions (operations), including the following:
      • Collection
      • Recording
      • Systematization
      • Accumulation
      • Storage
      • Clarification
      • Extraction
      • Usage
      • Transfer (distribution, provision, access)
      • Depersonalization
      • Blocking
      • Removing
      • Destruction
2. COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
   1. The Operator receives and begins processing of personal data of the Subject from the moment of obtaining his consent. Consent to processing of personal data may be given by the Personal Data Subject in any form allowing to confirm the fact of obtaining consent, unless otherwise provided for by the federal law: written, oral or other form provided for by the current legislation, including through the execution of implicative actions by the Personal Data Subject (acceptance of this Policy posted on the Website). In the absence of consent of the Personal Data Subject to processing of his personal data, such processing is not carried out.
   2. Personal data of Personal Data Subjects is received by the Operator:
      • by means of personal transfer by Personal Data Subject when entering information in the registration forms in electronic form on the Operator's Website
      • by means of personal transfer by Personal Data Subject in oral form
      • by other means that do not contradict the legislation of the Russian Federation and the requirements of international legislation on personal data protection
   3. Consent to processing of personal data is considered to be granted by means of performing any action or a combination of the following actions by Personal Data Subject:
      • putting a mark on the Website in the appropriate form of consent to processing of personal data in the amount, for the purposes and in the manner provided for in the proposed text before obtaining consent for review, or clicking the buttons "Register", "Learn about the launch", "Start selling your videos", "Try for free", " Send»
      • oral communication of personal data
   4. The consent is considered to have been received in accordance with the established procedure and is valid until the moment when the Personal Data Subject submits a corresponding application to terminate processing of personal data at the Operator's location.
   5. Personal Data Subject may withdraw his consent to processing of personal data at any time, provided that such a procedure does not violate the requirements of the legislation of the Russian Federation. In order to revoke consent to processing of personal data, the Personal Data Subject must send a written notification to the Operator's legal address. In case of revocation by Personal Data Subject of his consent to processing of personal data, the Operator shall cease processing or ensure the cessation of such processing (if processing is carried out by another person acting on behalf of the Operator) and in the case that the preservation of personal data is no longer required for the purposes of their processing, shall destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 (Thirty) calendar days from the date of receipt of the revocation, unless otherwise provided for by the contract, the party, the beneficiary or the guarantor of which is the Personal Data Subject, any other agreement between the Operator and the Personal Data Subject or unless the Operator is entitled to carry out personal data processing without consent of Personal Data Subject on grounds provided for by the Federal law N 152-ФЗ "On personal data" dated 27.07.2006 or other federal laws.
3. RULES AND REGULATIONS GOVERNING PROCESSING OF PERSONAL DATA
   1. In order to achieve the purposes of this Policy, only those employees of the Operator who are assigned with such a duty in accordance with their official (labor) duties are allowed to process personal data. The Operator requires its employees to respect the confidentiality and security of personal data when processing them.
   2. In accordance with this Policy, the Operator may process personal data independently, as well as with the involvement of third parties who are engaged by the Operator and carry out processing for the purposes specified in this Policy.
   3. If processing of personal data is entrusted to a third party, the amount of personal data transferred to a third party for processing and the number of processing methods used by this third party must be the minimum necessary for them to fulfill their obligations to the Operator. With regard to processing of personal data by a third party, the obligation of such a person to respect the confidentiality of personal data and to ensure the security of personal data during their processing is established.
   4. In the process of providing services, in the implementation of internal activities, the Operator uses automated, with the use of computer technology, and non-automated, with the use of paper document management, processing of personal data. The Operator stores personal data of Personal Data Subjects in accordance with the internal regulations.
   5. The personal information of the Personal Data Subject is kept confidential, except in cases when the Subject voluntarily provides information about himself for general access to an unlimited number of persons. In this case, the Personal Data Subject agrees that a certain part of his personal information becomes publicly available.
4. INFORMATION ABOUT IMPLEMENTED REQUIREMENTS FOR PERSONAL DATA PROTECTION
   1. The Operator's personal data processing activities are inextricably linked to the Operator's protection of the confidentiality of the information received.
   2. The Operator requires other persons who have obtained access to personal data not to disclose or distribute personal data to third parties without the consent of the Personal Data Subject, unless otherwise provided for by the Federal law.
   3. All employees of the Operator are obliged to ensure confidentiality of personal data, as well as other information established by the Operator, if this does not contradict the current legislation of the Russian Federation.
   4. In order to ensure the security of personal data during their processing, the Operator takes necessary and sufficient legal, organizational and technical measures to protect personal data from illegal or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as other illegal actions in relation to them. The Operator shall ensure that all measures implemented for the organizational and technical protection of personal data are carried out legally, including in accordance with the requirements of the legislation of the Russian Federation on processing of personal data.
   5. The Operator applies necessary and sufficient legal, organizational and technical measures to ensure the security of personal data, including:
      • identification of threats to the security of personal data during their processing in information systems of personal data
      • application of organizational and technical measures to ensure the security of personal data in their processing in the information systems of personal data necessary to meet the requirements for protection of personal data, the execution of which ensures those levels of personal data protection established by the Government of the Russian Federation
      • application of the duly established procedure of conformity assessment of means of information security
      • evaluation of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system
      • accounting of personal data media
      • detection of unauthorized access to personal data and taking measures
      • recovery of personal data modified or destroyed as a result of unauthorized access to them
      • carrying out measures aimed at preventing unauthorized access to personal data and (or) transferring them to persons who do not have the right to access such information
      • timely detection of unauthorized access to personal data and taking necessary measures
      • prevention of impact on technical means of automated processing of personal data, as a result of which their functioning may be disturbed
      • control over the measures taken to ensure the security of personal data and the level of security of personal data information systems
   6. The measures to ensure the security of personal data implemented by the Operator within the framework of the personal data protection system, taking into account current threats to personal data security and applied information technology, include:
      • identification and authentication of access subjects and objects
      • access control of access subjects to access objects
      • limitation of the software environment
      • protection of machine media on which personal data are stored and/or processed
      • logging security events
      • anti-virus protection
      • intrusion detection (prevention)
      • ensuring the integrity of the information system and personal data
      • protection of virtualization environment
      • protection of technical means
      • protection of information system, its means, communication and data transmission systems
      • detection of incidents (one event or group of events) that may lead to failures or disruption in functioning of the information system and/or to the emergence of threats to the security of personal data, and responding to them
      • configuration management of information system and personal data protection system
   7. In order to ensure compliance of the level of protection of personal data with the requirements of the Federal Law dated 27.07.2006 N 152-ФЗ “On Personal Data” and the Federal Law dated 27.07.2006 N 149-ФЗ "On Information, Information Technologies and Information Protection” the Operator does not disclose information about specific tools and measures to ensure the information security of personal data.
   8. The Operator undertakes not to disclose the information received from the Personal Data Subject. The provision by the Operator of information to agents and third parties acting on the basis of a contract with the Operator for the performance of obligations to the Personal Data Subject shall not be considered a violation. Disclosure of information in accordance with reasonable and applicable requirements of the law is not considered a breach of the obligations.
5. CONSENT TO RECEIVING ADVERTISING INFORMATION
   1. Consent to receive mailing/subscription to receive advertising information received by:
      • placing on the Website in the appropriate form a mark about consent to processing of personal data in the amount, for the purposes and in the manner provided for review in the text proposed prior to obtaining consent
      • communication of personal data in oral form means the consent of the Personal Data Subject to receive from the Operator and the third parties involved by the Operator, via telecommunication networks (at the provided mobile phone number and e-mail address) of information messages, including information of commercial advertising nature (advertisements) specified in clause 1.7.2. of this Policy.
   2. By giving the consent specified in the clause 5.1. of this Policy, the Personal Data Subject confirms that it acts on its own will and in its interest, and that the personal data is trustworthy.
6. FINAL PROVISIONS
   1. This Policy is approved by the order of the General Director of LLC “I-Retail Rus” and comes into force from the date of its signing.
   2. This Policy may be amended and supplemented, subject to approval by the order of the General Director of LLC “I-Retail Rus”.
   3. The current version of the Policy is available in the open access of the Internet at: https://sale-video.com/personal_data_policy/

Publication date: June 25, 2018