LLC “SM” PERSONAL DATA PROCESSING AND PROTECTION POLICY


1. General provisions

1.1. In order to maintain business reputation and ensure compliance with the norms of federal legislation, LLC “SM” (hereinafter referred to as the "Company") considers ensuring the legitimacy of the processing and protection of personal data of subjects in the Company's business processes to be a high-priority task.

1.2. In order to solve this problem, the Company has introduced and operates a personal data protection system, which undergoes periodic review (control).

 

2. Principles of personal data processing

Processing of personal data in the Company is based on the following principles:

  • legality of the purposes and methods of personal data processing and fair practice;
  • compliance of the purposes of personal data processing with the goals previously defined and declared during the collection of personal data, as well as with the rights of the Company;
  • compliance of the volume and nature of the processed personal data, and methods of personal data processing with the purposes of personal data processing;
  • reliability of personal data, their relevance and sufficiency for the purposes of processing, inadmissibility of excessive processing in relation to the purposes of collecting personal data;
  • legitimacy of organizational and technical measures to ensure the personal data protection;
  • continuous improvement of the Company's employees’ level of knowledge in the field of ensuring the security of personal data during its processing;
  • striving for continuous improvement of the personal data protection system.

 

3. Purposes of personal data processing

In accordance with the principles of personal data processing, the Company defines the composition and purposes of processing:

  • conclusion, maintenance, modification, termination of employment agreements, which are the basis for the emergence or termination of employment relations between employees and the employer;
  • fulfillment of obligations stipulated by federal legislation and other regulatory legal acts (including in the field of labor protection);
  • assistance in training and career growth of the employees;
  • assistance in obtaining social benefits and compensations;
  • providing information at the request of government agencies;
  • fulfillment of obligations under employment agreements;
  • conducting the agreement approval process and fulfilling the requirements of agreements with contractors;
  • conclusion, support, modification, termination of agreements;
  • fulfillment of obligations under civil agreements;
  • fulfillment of obligations under agreements with counterparties;
  • fulfillment of contractual obligations to individuals, including warranty obligations under the agreements;
  • cookies, which are used for the correct operation of the website, automatic transmission of information to the Yandex.Metrika and Google Analytics services for analytics by these services, as well as for other purposes specified in Annex No. 7 to the Policy;
  • fulfillment of obligations provided for by Law No. 63-FZ "On Electronic Signature", including for the purpose of confirming the identification of the applicant in his personal presence, as well as for the purpose of confirming the reliability and completeness of personal data provided by the person applying for the electronic signature verification key certificate.

4. Personal data processing rules

4.1. The Company processes only the personal data that is presented in the approved List of Personal Data Processed in LLC “SM”.

4.2. The Company processes personal data of the following categories of subjects:

  • employees of LLC “SM”;
  • relatives of the employees;
  • employees working under civil agreements;
  • representatives of legal entity contractors;
  • individual entrepreneur contractors;
  • individuals;
  • visitors to the Company's website.

4.3. The Company FORBIDS processing of the following categories of personal data:

  • race;
  • political views;
  • philosophical beliefs;
  • health status;
  • state of personal life;
  • nationality;
  • religious beliefs.

 

4.4. With the consent of the personal data subject himself, except in cases established by federal laws of the Russian Federation:

4.4.1. In the course of its activities, the Company may provide personal data of subjects to the third parties.

4.4.2. The Company does NOT process biometric personal data.

4.4.3. The Company shall be allowed to make decisions regarding personal data subjects based solely on automated processing of their personal data.

4.5. The Company does NOT carry out cross-border transfer of personal data (transfer of personal data to the territory of a foreign state, to an authority of a foreign state, to a foreign individual or a foreign legal entity).

4.6. The Company does NOT process data on the criminal record of the subjects.

4.7. The Company does NOT post the subject's personal data in publicly available sources without his prior consent.

4.8. In order to carry out its activities, the Company provides personal data of subjects to legal entities and individual entrepreneurs, a list of which is contained on the Company's website at https://sign.me/support/legal/articles/11/190.

4.9. Provision of subjects' personal data to the persons specified in clause 4.8 of the Company's Personal Data Processing and Protection Policy (hereinafter referred to as the "Policy") shall be carried out exclusively within the framework of the rules of personal data processing (section 4 of the Policy) and in order for the Company to achieve the goals of personal data processing (section 3 of the Policy).

4.10. The persons to whom the personal data of the subjects is provided shall comply with the rules contained in the Policy, as well as in other documents of the Company related to the personal data processing and protection.

4.11. Each personal data subject who has read the Policy, as well as other documents of the Company related to personal data processing and protection, gives consent to the provision of their personal data to the persons listed on the Company's website at https://sign.me/support/legal/articles/11/190.

5. Implemented requirements for ensuring personal data protection

5.1. In order to ensure the protection of personal data during its processing, the Company implements the requirements of the following regulatory documents of the Russian Federation in the field of personal data processing and protection:

  • Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data";
  • Resolution of the Government of the Russian Federation No. 1119 dated 01.11.2012 "On Approval of the Personal Data Protection Requirements During its Processing in the Personal Data Information Systems";
  • Resolution of the Government of the Russian Federation No. 687 dated 15.09.2008 "On Approval of Provisions on the Specifics of Personal Data Processing Carried Out Without the Use of Automation Tools";
  • Methodological document "Methodology for Assessing Information Security Threats" (approved by the Federal Service for Technical and Export Control of Russia on 05.02.2021);
  • Order of the Federal Service for Technical and Export Control of Russia No. 21 dated 18.02.2013 "On Approval of the Composition and Content of Organizational and Technical Measures Aimed at Ensuring the Personal Data Protection During its Processing in the Personal Data Information Systems".

5.2. The Company evaluates the harm that may be caused to the personal data subjects and identifies threats to the security of the personal data. In accordance with the identified current threats, the Company applies the necessary and sufficient organizational and technical measures, including the use of information security tools, detection of unauthorized access, restoration of personal data, establishment of rules for access to the personal data, as well as monitoring and evaluation of the effectiveness of the measures applied.

5.3. The Company has implemented measures for personal data protection during their processing in the information systems:

  • level of personal data protection during its processing in information systems is determined;
  • necessary information security measures are applied;
  • accounting of machine-based personal data carriers is carried out;
  • rules for access to personal data processed in the information systems are established, and registration and accounting of actions performed with personal data in the information systems are provided where necessary.

5.4. The Company has appointed persons responsible for organizing processing and ensuring security of the personal data.

5.5. A list of persons who process personal data and have access to it has been determined.

5.6. The Company's management is interested in ensuring the security of personal data processed as part of the Company's core business, both from the point of view of the requirements of regulatory documents of the Russian Federation and from the point of view of business risks assessment.

 

6. Policy violation and liability

6.1. The Company shall be responsible for ensuring that the processing and security of personal data comply with the law. All Company employees who process personal data shall be responsible for compliance with the Policy and other local acts of the Company dealing with personal data processing and protection.

6.2. Any violations of the Policy and other local acts of the Company dealing with personal data processing and protection will be investigated in accordance with the Company's applicable procedures.

7. Final provisions

7.1. The documents presented below are an integral part of the Company's Personal Data Processing and Protection Policy:

7.1.1. List of personal data transferred;

7.1.2. Purposes of processing, retention terms and conditions for termination of processing of personal data in LLC “SM”;

7.1.3. User's instruction;

7.1.4. List of personal data information systems;

7.1.5. List of persons who are provided with the personal data of subjects in accordance with the Policy.

List of processed personal data


Table 1. Processed personal data

| No. | PD Group | PD Content |
|---|---|---|
| 1 | PD of employees | |
| 1.1 | Information about birth | Full name; Sex; Date of birth |
| 1.2 | Information about citizenship | Full name; Citizenship |
| 1.3 | Information about place of residence | Full name; Registration address; Actual residential address |
| 1.4 | Identity document details | Full name; Document type; Document series and number; Date of issue of the document; Name of the issuing authority |
| 1.5 | Information about education | Full name; Names of completed educational institutions; Specialization; Qualification; Level of education; Academic title/degree; Date of awarding the academic title/degree |
| 1.6 | Additional information about education | Full name; Information about advanced training (period of study, type of advanced training, name of educational institution, information of the supporting document); Information on professional retraining (period, speciality, information of the supporting document) |
| 1.7 | Information about foreign language proficiency | Full name; Foreign language proficiency; Proficiency level |
| 1.8 | Information about marital status | Full name; Marital status |
| 1.9 | Information about registration with the tax authority (INN) | Full name; Date of registration with the tax authority; Taxpayer identification number; Name and code of the tax authority |
| 1.10 | Information about state pension insurance (SNILS) | Full name; Individual insurance account number |
| 1.11 | Information about military enlistment | Full name; Military rank; Military status |
| 1.12 | Military record card details | Full name; Date of issue of the military record card; Name of the military commissariat that issued the military record card; Military record card series and number; Reserve category; Full code designation of the military registration office |
| 1.13 | Information about place of work | Full name; Organization name; Structural division; Position |
| 1.14 | Time keeping data | Full name; Employee identification number |
| 1.15 | Information about worked hours | Full name; Number of days/hours worked |
| 1.16 | Employment agreement details | Full name; Date of conclusion of the agreement; Agreement number; Agreement term |
| 1.17 | Information about employment conditions | Full name; Duration of probation period; Type of work (main, part-time, to replace a temporarily absent employee, etc.) |
| 1.18 | Bank account details | Full name; Personal account number; Bank details |
| 1.19 | Information about salary | Full name; Salary; Bonuses amount |
| 1.20 | Information about payroll | Full name; Amount to be credited; Amount to be withheld |
| 1.21 | Information about deductions to the Federal Tax Service | Full name; Amount of income by month; Total amount of income; Amounts of tax deductions provided to the taxpayer; Total amount of tax according to the results of the taxation period |
| 1.22 | Information about paid insurance premiums | Full name; Amount of accrued insurance premiums |
| 1.23 | Information about employment | Full name; Organization name; Organization address; Position; Period of work |
| 1.24 | Information about work experience | Full name; Continuous work experience; Total work experience |
| 1.25 | Information about vacation | Full name; Vacation type; Vacation period; Working year for which annual paid vacation is provided |
| 1.26 | Information about vacation payments | Full name; Vacation payments amount |
| 1.27 | Personnel orders details | Full name; Date of the order; Order number |
| 1.28 | Information about dismissal | Full name; Grounds for dismissal; Date of dismissal; Number and date of the dismissal order |
| 1.29 | Information about business trip | Full name; Name of the organization to which the employee is sent; Locality to which the employee is sent; Business trip period; Business trip purpose |
| 1.30 | Information about travel expenses incurred | Full name; Amount of travel expenses; Type of expenses |
| 1.31 | Information about the number of children | Full name; Number of children |
| 1.32 | Disability certificate details | Full name; Number of the disability certificate; Code of the reason for temporary disability |
| 1.33 | Information about the amount of temporary disability allowance | Full name; Amount of temporary disability allowance |
| 1.34 | Information about social benefits | Data of the document confirming the right to receive benefits; Name of the social benefit |
| 1.35 | Power of attorney details | Full name; Date of issue of the power of attorney; Power of attorney number; Power of attorney validity period |
| 1.36 | Received business trip ticket details | Full name; Ticket number; Flight/train number; Flight/trip itinerary |
| 1.37 | Booked hotel details | Full name; Name of the hotel; Booking dates |
| 1.38 | Information about alimony | Full name; Basis for the alimony payment; Percentage of funds withheld from salary; Amount of alimony paid |
| 1.39 | Additional information | Full name; Additional information provided by the PD subject |
| 1.40 | Contact details | Full name; Phone number; Email address |
| 2 | PD of relatives of the employees | |
| 2.1 | Full name | Full name |
| 2.2 | Information about the date of birth | Full name; Date of birth |
| 2.3 | Information about the place of birth | Full name; Place of birth |
| 2.4 | Personal account details | Full name; Personal account number; Bank details |
| 2.5 | Information about citizenship | Full name; Citizenship |
| 3 | PD of employees working under civil agreements | |
| 3.1 | Information about birth | Full name; Sex; Date of birth; Place of birth |
| 3.2 | Information about the place of registration | Full name; Registration address |
| 3.3 | Identity document details | Full name; Document type; Document series and number; Date of issue of the document; Name of the issuing authority |
| 3.4 | Civil agreement details | Full name; Agreement number; Date of conclusion of the agreement; Agreement term |
| 3.5 | Bank account details | Full name; Personal account number; Bank details |
| 3.6 | Information about monetary payments | Full name; Amount of payments to the contractor |
| 3.7 | Information about registration with the tax authority (INN) | Full name; Date of registration with the tax authority; Taxpayer identification number; Name and code of the tax authority |
| 3.8 | Information about state pension insurance (SNILS) | Full name; Individual insurance account number |
| 3.9 | Contact details | Full name; Phone number; Email address |
| 4 | PD of representatives of the legal entity contractors | |
| 4.1 | Information about birth | Full name; Sex; Date of birth; Place of birth |
| 4.2 | Information about the place of registration | Full name; Registration address |
| 4.3 | Identity document details | Full name; Document type; Document series and number; Date of issue of the document; Name of the issuing authority |
| 4.4 | Information about place of work | Full name; Organization name; Structural division; Position |
| 4.5 | Appointment order details | Full name; Order number; Date of the order |
| 4.6 | Power of attorney details | Full name; Date of issue of the power of attorney; Power of attorney number; Power of attorney validity period |
| 5 | PD of representatives of the individual entrepreneur contractors | |
| 5.1 | Identity document details | Full name; Document type; Date of issue of the document; Subdivision code; Name of the issuing authority; Document series and number |
| 5.2 | Information about birth | Full name; Sex; Date of birth; Place of birth |
| 5.3 | Information about citizenship | Full name; Citizenship |
| 5.4 | Information about registration address | Registration address at the place of residence/stay |
| 5.5 | Information about the address of the actual residence | Full name; Address of the actual residence |
| 5.6 | Information about state pension insurance | Full name; SNILS (Individual insurance account number) |
| 5.7 | Information about registration with the tax authority | Full name; Individual taxpayer identification number (INN) |
| 5.8 | Information about the agreement | Full name; Date of conclusion of the agreement; Agreement number; Agreement term |
| 5.9 | Information about the amount of payments under the agreement | Full name; Amount of payments under the agreement |
| 5.10 | Information about completed work | Full name; Work performed under the agreement |
| 5.11 | Personal account details | Full name; Personal account number; Bank details |
| 5.12 | Contact details | Full name; Contact phone number (mobile, work, home); Email address |
| 6 | PD of individuals | |
| 6.1 | Information about the place of birth | Full name; Place of birth; Date of birth; Sex |
| 6.2 | Information about registration with the tax authority (INN) | Full name; Taxpayer identification number |
| 6.3 | Information about state pension insurance (SNILS) | Full name; Individual insurance account number |
| 6.4 | Contact details | Full name; Contact phone number; Email address |
| 6.5 | Identity document details | Full name; Document type; Document series and number; Date of issue of the document; Subdivision code; Name of the issuing authority |
| 6.6 | Biometric passport details | Full name; Photo; Date of birth; Document number; Date of issue and expiration date; Additional information |
| 6.7 | Information about the place of registration | Full name; Registration address |
| 6.8 | | A photo image of the individual who holds the certificate of the electronic signature verification key, with confirmation of familiarization with the information contained in the qualification certificate |
| 7 | Personal data of visitors to the Company's website | Cookies. If you fill out a special feedback form on the website: Full name; Contact phone number (mobile, work, home); Email address; Place of work and position |

Purposes of processing, retention terms and conditions for termination of processing of PD in LLC “SM”

The retention of personal data by LLC “SM” shall be carried out no longer than required by the purposes of their processing. Personal data shall be subject to destruction upon achievement of the processing objectives or in case of loss of the need to achieve them. The main purposes of personal data processing in LLC “SM” are presented in Table 2.

Table 2. Purposes of personal data processing in LLC “SM”

| No. | Personal data | Purposes of personal data processing |
|---|---|---|
| 1 | Personal data of employees | Conclusion, maintenance, modification, termination of employment agreements, which are the basis for the emergence or termination of employment relations between employees and the employer; Fulfillment of obligations stipulated by federal legislation and other regulatory legal acts (including in the field of labor protection); Fulfillment by the employer of obligations stipulated by federal legislation, local regulations and employment agreements; Assistance in training and career growth of employees; Assistance in obtaining social benefits and compensation; Provision of information at the request of government agencies; Fulfillment of obligations under employment agreements; Conducting the process of coordination of agreements and fulfillment of requirements under them with contractors |
| 2 | Personal data of relatives of the employees | Fulfillment by the employer of obligations stipulated by federal legislation and other regulatory legal acts; Assistance in obtaining social benefits and compensations |
| 3 | Personal data of employees working under civil agreements | Conclusion, maintenance, modification, termination of agreements; Fulfillment of obligations under civil agreements; Fulfillment of obligations provided for by the federal legislation and other regulatory legal acts |
| 4 | Personal data of representatives of legal entity contractors | Fulfillment of obligations under agreements with counterparties; Conclusion, maintenance, modification, termination of agreements |
| 5 | Personal data of individual entrepreneur contractors | Fulfillment of obligations under agreements with counterparties; Conclusion, maintenance, modification, termination of agreements |
| 6 | Personal data of individuals | Fulfillment of contractual obligations to individuals, including warranty obligations under the agreement; Fulfillment of obligations under agreements with counterparties; Fulfillment of obligations stipulated by the Federal Law No. 63-FZ "On Electronic Signature", including in the framework of fulfilment of the agreements, in order to create certificates of electronic signatures keys verification and issuing such certificates to persons who applied for them, provided that the identity of the recipient of the certificate is established; Confirmation of the authenticity and completeness of the personal data provided by the person who applied for the certificate; Confirmation of the identification of the applicant in his personal presence |
| 7 | Visitors to the Company's website | Correct operation of the website. If you fill out a special feedback form: Ability to contact a visitor to the Company's website in order to answer his questions/messages; Registration of incoming messages |

The regulatory legal documents that are the basis for processing of the personal data in order to achieve the goals listed above are presented in Table 3.

Table 3. The legal basis for the processing of personal data by LLC “SM”

| No. | Personal Data Group | The legal basis for the processing of personal data |
|---|---|---|
| 1 | Personal data of employees | Employment agreement; Civil Code of the Russian Federation No. 51-FZ dated 30.11.1994 (First part), No. 14-FZ dated 26.01.1996 (Second part); Tax Code of the Russian Federation No. 146-FZ dated 31.07.1998 (First part), No. 117-FZ dated 05.08.2000 (Second part); Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001; Resolution of the State Statistics Committee of the Russian Federation No. 1 dated 05.01.2004 "On Approval of Unified Forms of Primary Accounting Documentation on Labor Accounting and Payment"; Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data"; Federal Law No. 167-FZ dated 15.12.2001 "On Compulsory Pension Insurance"; Federal Law No. 27-FZ dated 01.04.1996 "On Individual (Personalized) Accounting in the Compulsory Pension Insurance System"; Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation"; Federal Law No. 402-FZ dated 06.12.2011 "On Accounting"; Resolution of the Government of the Russian Federation No. 719 dated 27.11.2006 "On Approval of the Regulations on Military Registration"; Court orders requesting information about the employees |
| 2 | Personal data of relatives of the employees | Labor Code of the Russian Federation No. 197-FZ dated December 30, 2001; Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation"; Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data"; Resolution of the State Statistics Committee of the Russian Federation No. 1 dated 05.01.2004 "On Approval of Unified Forms of Primary Accounting Documentation on Labor Accounting and Payment"; Court rulings on alimony payments |
| 3 | Personal data of employees working under civil agreements | Civil agreement; Tax Code of the Russian Federation No. 146-FZ dated 31.07.1998 (First part), No. 117-FZ dated 05.08.2000 (Second part); Civil Code of the Russian Federation No. 51-FZ dated 30.11.1994 (First part), No. 14-FZ dated 26.01.1996 (Second part); Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data"; Federal Law No. 167-FZ dated 15.12.2001 "On Compulsory Pension Insurance"; Federal Law No. 27-FZ dated 01.04.1996 "On Individual (Personalized) Accounting in the Compulsory Pension Insurance System" |
| 4 | Personal data of representatives of legal entity contractors | Agreement with the counterparty; Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data"; Civil Code of the Russian Federation No. 51-FZ dated 30.11.1994 (First part), No. 14-FZ dated 26.01.1996 (Second part) |
| 5 | Personal data of individual entrepreneur contractors | Agreement with the counterparty; Civil Code of the Russian Federation No. 51-FZ dated 30.11.1994 (First part), No. 14-FZ dated 26.01.1996 (Second part); Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data" |
| 6 | Personal data of individuals | Agreement with the counterparty |
| 7 | Visitors to the Company's website | Civil Code of the Russian Federation No. 51-FZ dated 30.11.1994 (First part), No. 14-FZ dated 26.01.1996 (Second part); Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data"; Terms of Use |

The purpose of personal data processing in LLC “SM” also includes archival retention of documents containing personal data, in accordance with the requirements of the federal legislation. The regulatory legal documents defining the terms of archival retention of documents containing personal data are presented in Table 4.

Table 4. Regulatory legal documents defining the archival retention terms of documents containing personal data in LLC “SM”

| No. | Personal data | Regulatory legal documents defining the archival retention terms |
|---|---|---|
| 1 | Personal data of employees | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 1, 4, 7, 8, 11 (retention term – up to 75 years); Labor Code of the Russian Federation No. 197-FZ dated 30.12.2001 (retention term – 75 years); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation", clause 1 of Article 17 |
| 2 | Personal data of relatives of the employees | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 4, 7, 8 (retention term – up to 75 years); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation" |
| 3 | Personal data of employees working under civil agreements | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 4, 8 (retention term – 5 years after the expiration of the agreement); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation", clause 1 of Article 17 |
| 4 | Personal data of representatives of legal entity contractors | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 1, 4, 8, 11 (retention term – 5 years after the expiration of the agreement); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation" |
| 5 | Personal data of individual entrepreneur contractors | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 1, 4, 8, 11 (retention term – 5 years after the expiration of the agreement); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation" |
| 6 | Personal data of individuals | Until the expiration of all obligations provided for by Federal Law No. 63-FZ "On Electronic Signature" |
| 7 | Personal data of visitors to the Company's website | A list of standard administrative archival documents formed in the course of the activities of state bodies, local governments and organizations, indicating the archival terms (approved by the Order of the Ministry of Culture of the Russian Federation No. 558 dated 25.08.2010), sections 4, 8 (retention term – 5 years after the expiration of the agreement); Federal Law No. 125-FZ dated 22.10.2004 "On Archival Business in the Russian Federation", clause 1 of Article 17 |

USER'S INSTRUCTION

 

1. General provisions

1.1. Purpose of the document

This document defines the working procedure, the main functions and responsibilities of users of personal data information systems "Sign.Me" and "1C".

1.2. Scope of the document

Users of personal data information systems shall know and use this document in their work with "Sign.Me" and "1C" (hereinafter – PDIS). Within the framework of this document, the term User shall include functional users who perform their official duties (functions) using information, information technologies and technical means of PDIS.

2. General requirements

2.1. General information

Users' access to the PDIS shall be carried out in accordance with the document "Regulations on the Organization of Work on the Personal Data Protection according to the Information Security Requirements."

2.2. General responsibilities of users to ensure information security

PDIS users shall:

- Not disclose information of limited access, as well as strictly comply with the requirements of organizational and administrative documents in the field of personal data processing and protection.

- Before starting processing restricted access information, make sure that:

  • the workplace is organized in a way that excludes viewing of restricted access information by unauthorized persons;
  • there was no unauthorized access carried out during the user's absence from the workplace;
  • the workplace is in good condition.

- If there is a suspicion of the presence of malware (atypical operation of programs, appearance of graphic and sound effects, data distortion, missing files, frequent occurrence of system error messages, etc.), conduct an unscheduled anti-virus check (or, if this is not possible, inform the Information Security Administrator). If a virus is detected and it cannot be removed automatically with the standard anti-virus tools, the user shall suspend work and immediately inform the Information System Administrator about the incident.

- Comply with password protection requirements.

  • The User shall ensure the confidentiality of his personal passwords.
  • It is forbidden to transfer your identification data and passwords to other users, to record the password in electronic form on magnetic media, or to use other people's identification data and passwords.
  • The user must independently select a sequence of at least six characters as a personal password. It is recommended to use a combination of uppercase and lowercase letters, numbers and punctuation marks in the password. When choosing a new password, it is forbidden to reuse or "cycle" old passwords. The new password must differ from the previous one in at least four positions.

- Know and strictly follow the rules for working with established information security tools.

- Immediately notify his immediate supervisor:

  • about attempts to disclose restricted access information that became known to him, as well as about other reasons or conditions for possible information leakage;
  • in case of suspected compromise of personal keys and passwords;
  • in case of detection of facts or suspicions of unauthorized access attempts to the workstation, system, cabinet, etc.;
  • in case of detection of unauthorized changes in the configuration parameters of the system components;
  • in case of other information security incidents related to the personal data processing and protection.

- Immediately notify his immediate supervisor in case of deviations from normal operation, unstable operation or failure of technical components of the personal data information system.

- Provide all necessary information and documents during the investigation of incidents, and during internal control measures to ensure the security of personal data, as well as during inspections of regulatory authorities.

2.3. Actions prohibited to the users

PDIS users shall be prohibited from:

  • Using components (workstations, servers, communication channels, etc.) of PDIS for personal (non-official) purposes.
  • Independently making changes to the composition and configuration of software and hardware.
  • Making changes to the settings and parameters of information security tools at their workplace. Actions to change the settings of information security tools should be performed only by the Information Security Administrator.
  • Opening the enclosures of technical means, making changes to their scheme and design, or carrying out maintenance (repair) of technical means without the consent of the Information Security Administrator.
  • Involving unauthorized persons in the repair (maintenance) of technical means included in the PDIS.
  • Intentionally using undocumented properties and errors in the software or in the settings of information security tools that may lead to a violation of the security of the protected information.
  • Moving technical components without the consent of the Information Security Administrator.
  • Independently connecting non-standard tools to the workplace.
  • Transferring (disclosing) the processed information to other employees who are not allowed to process information according to the "List of Employees Allowed to Work with Personal Data".
  • Posting restricted information in the public domain.

2.4. Users’ rights

Users shall have the right to:

- Gain access to information in the amount and volume required to perform certain official duties.

- Make suggestions on improving the personal data processing processes in which they participate.

- Get advice on the following issues:

  • processing and ensuring the protection of personal data, from the persons responsible for personal data processing and protection;
  • use of the technical components of the PDIS, from the Administrator;
  • use of the information protection tools of the information protection system of the personal data information system, from the Information Security Administrator.

2.5. Users’ responsibilities

- Users shall be subject to disciplinary responsibility for non-fulfillment and/or improper fulfillment of the requirements of this document, as well as other organizational and administrative documents of the Company in the field of personal data processing and protection.

- Termination of access to information does not release the user from the obligations assumed for non-disclosure of information that became available to him during the performance of official duties.

- Illegal distribution, disclosure to third parties or use of personal data for personal purposes entails liability provided for by the legislation of the Russian Federation.