The text of consent to the processing of personal data:

1. General Provisions

1.1. The present Regulations determine the policy, procedure and conditions for personal data processing of personal data subjects at Questoria LLC (hereinafter referred to as the Company), establish procedures aimed at preventing and revealing violations of the legislation of the Russian Federation, as well as eliminating the consequences of such violations related to personal data processing. All issues related to personal data processing not established in the present Regulations shall be resolved in accordance with the current legislation of the Russian Federation in the field of personal data.

2. Types and location of personal data.

2.1. The Company processes personal data of the following subjects:
- employees of the Company, including persons working under job contracts and paid services agreements;
- individuals who are in contractual and other civil law relationships with the Company.
2.2. Personal data of the Company’s employees is contained in the employees’ personal files, financial documents, and additionally in other documents created in the course of the Company’s professional activities.
2.3. The composition of the processed personal data of the Company’s employees:
- full name;
- photo;
- date of birth;
- place of birth;
- gender;
- data contained in the employee’s identity document;
- military rank;
- TIN (if available);
- personal insurance policy number (SNILS);
- registered address/address of actual place of residence;
- citizenship;
- work capacity;
- contact details (contact phone number; email address);
- place of work and position;
- income details;
- education;
- information about children.
2.4.Personal data of other subjects is contained in the contracts concluded with them, documents related to the performance of such contracts, and the information system for personal data processing.
2.5. The composition of the processed personal data of other subjects:
- full name;
- date of birth;
- data contained in the identity document;
- TIN (if available);
- personal insurance policy number (SNILS),
- registered address/address of actual place of residence;
- citizenship;
- contact details (contact phone number; email address).

3. The objectives of personal data processing.

3.1. Personal data processing of the Company’s employees is carried out with a view to regulating labor relations between the Company and employees.
3.2. Personal data processing of other subjects is carried out in order to ensure the performance of works and provision of services defined by the Company’s Bylaws, fulfillment of the Company’s contractual obligations to customers, providing opportunities for the Company’s counterparties to fulfill the obligations stipulated by the contracts between the Company and its counterparties, quality control of the provision of services by employees of the Company and its counterparties.

4. General provisions on personal data processing.

4.1. Personal data processing in information systems for personal data using automated means.
4.1.1. Personal data processing in personal data information systems using automated means is carried out in compliance with the requirements of the Regulation of the Government of the Russian Federation «On Approval of the Requirements for Personal Data Protection for Personal Data Processing in Information Systems» No. 1119 of November 1, 2012, regulatory and governing documents by the authorized federal executive bodies.

4.2. Personal data processing carried out without the use of automation.
4.2.1. The processing of personal data contained in the personal data information system or extracted from such a system is considered to be carried out without the use of automated means (manual), if such operations with personal data, such as use, clarification, distribution, or destruction of personal data in respect of each of the personal data subjects are carried out with the direct participation of a human.
4.2.2. Personal data processing cannot be recognized as carried out using automated means only on the grounds that the personal data is contained in the personal data information system or has been extracted from it.
4.2.3. When using standard document forms, in which the nature of information presumes or allows the inclusion of personal data (hereinafter, standard forms), the following requirements must be observed:
- the standard form or related documents (instructions for its completion, cards, registers and journals) should contain information about the purpose of personal data processing carried out without the use of automated means; about the name and address of the Company; last name, first names, patronymic and the address of the personal data subject; source of personal data receipt; dates of personal data processing; a list of operations with personal data that will be performed in the course of its processing; a general description of the Company’s methods of personal data processing;
- the standard form should provide for a field in which the personal data subjects can mark their consent to the personal data processing, carried out without the use of automated means, in case a written consent for the personal data processing is necessary;
- the standard form should be designed in such a way that each personal data subject listed in the document was given an opportunity to review their personal data contained in the document without the violation of the rights and legitimate interests of other personal data subjects;

5. The procedure for ensuring personal data safety.

5.1. Personal data collection

5.3.1. Obtaining subjects’ personal data is possible both from the subjects themselves and from other sources.
The consent of the subject to obtain their personal data from third parties is not required when the subject’s consent for the transfer of their personal data to third parties was received from them in writing when concluding a contract with the Company (only personal data specified in the contract), and in cases established by the Federal Law.
5.3.2. The company has the right to audit the accuracy of the information provided by the personal data subject, verifying the data provided by the subject against the documents available at the Company.
5.3.3. Before personal data processing, the company is obliged to inform the subject of the purpose of personal data processing and its legal reasons, including information on the nature of the personal data to be processed and personal data sources, prospective users of the personal data, methods of personal data processing, and the procedure of the personal data subject’s refusal to grant the right for their personal data processing and possible consequences of such refusal.

5.4. Storage of personal data
5.4.1. Personal data of parties is stored:
- in paper form in folders in securely locked cabinets, drawers of tables and safes, providing protection from unauthorized access;
- in electronic form in the personal data information system. Access to the personal data information system containing personal data is provided by means of protection against unauthorized access and copying.
5.4.2. An employee who has access to the personal data of the Company employees in relation to the performance of work duties:
- provides storage of information containing personal data that excludes access to them by third parties.

5.5. Access to personal data and transfer of personal data
5.5.1. Access to a subject’s personal data is available for the Company employees who need the personal data in connection with the performance of their work duties and only in the required amount. The list of persons having access to personal data is determined by the Director General of the Company and approved in the Company Directive.
5.5.2. In case the Company receives services from legal entities and individuals under concluded contracts that may grant them access to confidential information (including the personal data of subjects), an agreement on non-disclosure of confidential information shall be signed between the Company and the said individuals or legal entities prior to the contract performance, or provisions on non-disclosure of confidential information shall be included in the text of the relevant contracts with the said individuals and legal entities.
5.5.3. A personal data subject has the right to free access to their personal data. The subject has the right to make proposals for altering their data in the case of inaccuracies.
The personal data subject has the right to receive information regarding the processing of their personal data, including:
- confirmation of the fact of the personal data processing by the Company, as well as the purpose of such processing;
- methods of the personal data processing used by the Company;
- the list of the processed personal data and the source of its collection;
- the terms of personal data processing, including the terms of its storage;
5.5.6. Access to personal data is provided to a personal data subject who is not the Company’s employee or their legal representative upon request from the personal data subject or legal representative thereof. The request shall contain the number of the main identification document of the personal data subject or their legal representative, information about the date of issue and the issuing body of the specified document, and the personal signature of the personal data subject or their legal representative.
5.5.7. Transfer of personal data within the Company is carried out only between employees who have access to personal data.
5.5.8. Transfer of personal data to third parties (individuals and legal entities):

1) Transfer of a subject’s personal data to third parties is carried out only with the written consent of the subject (information that should be contained in the subject’s written consent), except for cases stipulated by federal laws.
2) The subject’s representative is forwarded personal data upon presentation of the power of attorney to represent the subject, or an application from the subject written in the presence of a Company employee.
3) Provision of subjects’ personal data to the authorized body for protection of rights of personal data subjects, entrusted with the functions of ensuring control and supervision over the compliance of personal data processing with the requirements of the Federal Law No. 152 «On Personal Data», is made upon request.
4) Provision of subjects’ personal data to other state bodies is carried out in accordance with the requirements of the current legislation of the Russian Federation.
5.5.9.Transboundary transfer of personal data on the territory of foreign states is carried out in accordance with the Federal Law No. 152-FZ «On Personal Data».
5.5.10. The purpose of the transboundary transfer of the personal data of the Company’s customers is exclusively to fulfill the contract where the personal data subject is a party.

5.7. Destruction of personal data
5.7.1. Personal data is subject to destruction upon achievement of processing objectives or in case of loss of the need to achieve them, unless otherwise stipulated by federal laws, as well as in the case of revealing wrong acts with personal data and the impossibility of eliminating the committed violations within the time limits established by law.
5.7.2. In the event of the personal data subject’s withdrawal of consent to the processing of their personal data, the Company shall stop personal data processing and destroy personal data within the period not exceeding three working days from the date of the said withdrawal, unless otherwise stipulated in the agreement between the Company and the personal data subject. The Company should notify the personal data subject of the personal data destruction.

5.8. Rights and obligations of personal data subjects
5.8.1. Rights and obligations of personal data subjects
А) Access their personal data and examine it.
Б) Receive from the Company:
- confirmation of the fact of personal data processing, information about the purpose of such processing;
- information on personal data processing methods used by the Company;
- information about persons having access to personal data or who may be granted such access;
- the list of the processed personal data and the source of its collection;
- the terms of personal data processing, including the terms of its storage;
- withdraw of the subject’s consent to personal data processing by the Company.

6. Procedure for activation and alteration of the Regulations.

8.1. The present Regulations come into force from the moment of their approval by the Company’s CEO.
8.2. All alterations to the Regulations are introduced by order.