Regulation on personal data processing
General provisions
This Regulation on personal data processing was developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation. It defines the procedure for processing personal data by the Center for Justice LLC.
The following basic concepts are used in this Regulation:
1. Personal data is any information related to a directly or indirectly identified or identifiable individual (subject of personal data);
1.1. Personal data authorized by the subject of personal data for dissemination — personal data to which an unlimited number of persons has been granted access by the Subject of PD by giving consent to the processing of personal data authorized by the Subject of PD for dissemination in accordance with the legislation of the Russian Federation;
2. Operator – LLC "Center of Justice" and/or an authorized individual who, independently or jointly with other persons, organizes and (or) carries out PD processing, and determines the purposes of PD processing, the composition of PD to be processed, and the actions (operations) performed with PD;
3. Processing of personal data is any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
4. Automated processing of personal data — processing personal data using computer technology;
5. Dissemination of PD — actions aimed at disclosing PD to an indefinite circle of persons;
6. Provision of personal data is an action aimed at disclosing personal data to a specific person or a specific group of persons;
7. Blocking PD — temporary termination of PD processing (except when processing is necessary to clarify PD);
8. Destruction of PD is an action that makes it impossible to restore the content of PD in the PD information system and (or) destroys the physical media of PD;
9. Personal data anonymization is an action that makes it impossible to identify a specific Personal Data Subject without using additional information.
10. Personal Data Information System is a set of personal data contained in databases and the information technologies and technical means that ensure their processing;
11. Cross-border transfer of personal data is the transfer of personal data to a foreign country, a foreign government agency, a foreign individual, or a foreign legal entity.
Legal grounds for personal data processing
2.1. The legal basis for the processing of personal data is a set of regulatory legal acts, in accordance with which the Operator processes personal data, including:
- The Constitution of the Russian Federation;
- The Civil Code of the Russian Federation;
- The Labor Code of the Russian Federation;
- The Tax Code of the Russian Federation;
- Federal Law No. 14-FZ of 08.02.1998 "On Limited Liability Companies";
- Federal Law No. 402-FZ dated December 6, 2011, "On Accounting";
- Federal Law No. 167-FZ dated December 15, 2001, "On Mandatory Pension Insurance in the Russian Federation";
- other regulatory legal acts governing relations related to the Operator's activities.
2.2. The legal basis for processing personal data also includes:
- Charter of the Center for Justice LLC;
- agreements concluded between the Operator and the subjects of personal data;
- the consent of personal data subjects to the processing of their personal data.
Goals
This regulation is designed to regulate the processing of personal data by the Center of Justice LLC and to comply with the requirements of the Russian legislation regarding:
- employees, clients, contractors, and users of the Center of Justice LLC website;
- PD required by the Operator for carrying out its activities;
- compliance with labor legislation in the framework of labor and other relations directly related to it, including: assistance to employees in finding employment, obtaining education and promotion, recruitment and selection of candidates for employment with the Operator, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property, maintaining personnel and accounting records, filling out and submitting to authorized bodies the required reporting forms, organizing the individual (personalized) registration of employees in the systems of mandatory pension insurance and mandatory social insurance;
- protection of the Operator's rights and legitimate interests in courts and other bodies;
- measures aimed at preventing unauthorized access and disclosure of personal data, preventing and detecting violations of Russian legislation, and eliminating the consequences of such violations;
- compliance with the requirements of Russian labor and tax legislation.
Procedure and conditions of personal data processing
4.1. The Operator performs the following operations with personal data:
— receipt (collection);
— recording;
— systematization;
— accumulation;
— storage;
— clarification (update, change);
— extraction;
— use;
— transmission (distribution, granting access);
— depersonalization;
— blocking;
— removal;
— destruction.
4.1.1. PD processing must be carried out in accordance with the following principles:
— personal data must be processed in a lawful and fair manner;
— processing must be limited to achieving specific, predetermined, and legitimate goals, which must be consistent with the content and scope of the personal data being processed. Only PD that is relevant to the processing goals can be processed;
— the processing must ensure the accuracy of personal data, its sufficiency, and, if necessary, its relevance to the purposes of processing. The organization must take necessary measures to delete or clarify incomplete or inaccurate data, or ensure that such measures are taken;
— personal data must be stored in a form that allows the personal data subject to be identified, and for no longer than is necessary for the purposes of processing personal data, unless a federal law or a contract in which the personal data subject is a party, beneficiary, or guarantor requires otherwise. Personal data must be destroyed or anonymized once the purposes of processing have been achieved or if it is no longer necessary to achieve those purposes, unless otherwise required by law.
Not allowed:
— processing personal data that is incompatible with the purposes of collecting personal data;
— merging databases containing personal data that are processed for incompatible purposes;
— processing PD that is excessive in relation to the declared purposes of its processing.
4.2. Personal data (documents on which it is recorded) is obtained directly from the PD Subject. If the relevant data can only be provided by a third party, the PD Subject must give written consent.
4.3. The Operator does not have the right to request or receive personal data from the subject of personal data regarding their race, nationality, political views, religious or philosophical beliefs, health status, or intimate life, except in cases provided for by law.
4.4. Personal data processing can only be carried out with the person's written consent, except in cases specified in paragraphs 2 to 11 of Article 6 of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data."
Consent to the processing of personal data must be specific, objective, informed, conscious, and unambiguous.
4.5. PD is processed by the Operator using automation tools and without using automation tools.
4.6. Personal data of the PD Subjects is placed by the Operator in the following information systems:
— the Operator's employees' personal data information system;
— information system for PD of individuals who are not employees of the Operator, but whose personal data the Operator must process in accordance with labor legislation;
— information system of personal data of the Operator's clients and contractors (individuals) and representatives of the Operator's clients and contractors (individuals and legal entities).
4.7. The transfer of PD is carried out taking into account the specifics of the specific information system:
— in a digital information system (designed for automated processing of personal data), data is transmitted via secure communication channels and using cryptographic protection measures;
— in a paper-based information system, data transfer is carried out by moving or copying the contents of these media with the participation of the Operator's employees who have access to the relevant information system, which is established by a separate local regulatory act.
4.8. LLC "Center of Justice" distributes PD permitted by the PD Subject for distribution, i.e. performs actions aimed at their disclosure to an indefinite circle of persons, in compliance with the prohibitions and conditions established by Article 10.1 of the Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data". Consent to the processing of PD permitted by the PD Subject for distribution is issued separately from other consents of such a Subject to the processing of his PD.
4.8.1. LLC "Center of Justice" processes a special category of data in the framework of fulfilling contracts with PD Subjects and its employees (applicants), only with their consent to process this category of data.
4.9. Storage of personal data.
4.9.1. Personal data is stored taking into account the specifics of the specific information system:
— in the digital information system, data is stored on the PC of IP Kocharyan Armen Kamoyevich, TIN 231297082784 (conducting personnel and accounting records in accordance with the contract), and on the cloud servers of zp1c.ru;
— in the digital information system, data is stored on the servers of JSC amoCRM, 115093, Moscow, internal territory of the municipal district of Zamoskvorechye, 38 Lyusinovskaya Street (https://centrpravosudia.amocrm.ru);
— in the paper-based information system, data is stored in the premises of the Center for Justice LLC in compliance with the requirements of the legislation of the Russian Federation.
4.9.2. PD is stored for the period established by the legislation of the Russian Federation. Personal data for which no such period is established is stored for 3 years.
4.9.3. When processing personal data without using automation tools, the personal data must be separated from other information, including by recording it on separate physical media, in special sections, or on the fields of forms (blanks).
4.9.4. When personal data is recorded on tangible media, it is not allowed to record personal data on the same tangible media for purposes that are clearly incompatible.
A separate physical medium is used for each category of personal data.
The organization ensures separate storage of PD (tangible media) that are processed for various purposes.
When storing physical media, the following measures are taken to ensure the safety of personal data and prevent unauthorized access to it:
— installation of safes with locks for storing physical media containing personal data;
— installation of locks on doors and grates on windows in rooms where personal data is stored;
— access to storage facilities for material media containing personal data only for those persons who are included in the list of persons who have access to personal data in order to perform their work (official) duties;
— organization of round-the-clock security of premises for storing material media with personal data (agreement on the provision of security services with LLC PChO Kuban-Security, license for carrying out security activities L056-00106-23/00014792).
4.9.5. When the storage period of PD expires, or in other cases, PD is destroyed, which is confirmed as follows:
— an act on the destruction of personal data is drawn up if they were processed without the use of automation tools;
— an act on the destruction of personal data is compiled and the data is downloaded from the event log in the personal data information system if the PD was processed using automation tools. These documents are stored together;
— an act on the destruction of personal data is drawn up and the data is downloaded from the event log in the personal data information system, if the PD processing was carried out with and without automation tools. These documents are stored together.
4.9.6. The act of destroying personal data and the download from the event log are stored for 3 years after the destruction of PD.
4.10. When processing personal data in information systems, the Operator complies with the Requirements for the Protection of Personal Data when Processing in Information Systems of Personal Data, approved by the Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, and the Order of the Federal Service for Technical and Export Control No. 21 dated February 18, 2013, "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data when Processing in Information Systems of Personal Data."
4.11. When processing personal data without using automation tools, the Operator complies with the requirements established by the Regulation on the Features of Processing Personal Data without Using Automation Tools, approved by the Decree of the Government of the Russian Federation dated September 15, 2008, No. 687.
4.12. The Operator ensures interaction with the state system for detecting, preventing, and eliminating the consequences of computer attacks on the information resources of the Russian Federation, including informing about computer incidents that resulted in the unauthorized transfer (provision, distribution, or access) of personal data.
4.13. Updating (clarifying) personal data.
4.13.1. In the event that the fact of PD inaccuracy is confirmed, the Operator, based on the information provided by the personal data subject or their representative, or by the authorized body for the protection of the rights of personal data subjects, or by other necessary documents, is obliged to clarify the personal data within 7 business days from the date of submission of such information and to remove the blocking of PD.
4.13.2. Updating (clarification) of PD is carried out in the following order: a request is sent to the PD Subject or their representative to provide up-to-date PD; obtained from open sources on the Internet
4.14. Blocking personal data.
4.14.1. The organization must block PD in the following cases and within the following timeframes:
— if unlawful processing of personal data is identified upon an application by the Subject of personal data or their representative, or upon a request from the Subject of personal data, their representative, or the authorized body: from the moment of such application or receipt of such request, for the period of verification;
— if inaccurate personal data is identified upon an application by the Personal Data Subject or their representative, or upon a request from them or from an authorized body: from the moment of such application or receipt of such request, for the period of verification, unless blocking the personal data violates the rights and legitimate interests of the Personal Data Subject or third parties;
— if it is not possible to destroy the PD within the period specified in parts 3 to 5.1 of Article 21 of Federal Law No. 152-FZ of July 27, 2006, “On Personal Data,” until the PD is destroyed.
4.15. LLC "Center of Justice" must stop processing personal data in the following cases:
— if the reasons for processing special categories of personal data in cases specified in Part 2 and Part 3 of Article 10 of Federal Law No. 152-FZ dated July 27, 2006, “On Personal Data” have been eliminated;
— if the Organization is found to be processing personal data in an unlawful manner, within 3 business days of the date of detection;
— if the goals of processing personal data are achieved;
— if the PD Subject withdraws their consent to the processing of their personal data;
— if the subject of personal data submits a request to the Operator to stop processing personal data: processing is stopped within 10 business days from the date the Operator receives the request, except in cases specified in the Law on Personal Data. This period may be extended, but by no more than five business days. To do this, the Operator must send a motivated notification to the subject of personal data, indicating the reasons for extending the period.
4.16. When collecting personal data, including through the Internet, the recording, systematization, accumulation, storage, clarification (update, modification), and extraction of personal data of citizens of the Russian Federation using databases located outside the Russian Federation are not allowed, except in cases specified in the Law on Personal Data.
4.17. If inaccurate personal data is identified upon an application by the personal data subject or their representative, or upon a request from them or from Roskomnadzor, the Operator shall block the personal data related to this personal data subject from the moment of such application or receipt of such request for the period of verification, provided that blocking the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
If the inaccuracy of personal data is confirmed, the Operator will update the personal data based on the information provided by the subject of personal data or their representative, Roskomnadzor, or other necessary documents within seven business days of receiving such information and will remove the block on personal data.
4.18. If unlawful processing of personal data is detected upon an application (request) by a personal data subject, their representative, or Roskomnadzor, the Operator blocks the unlawfully processed personal data related to this personal data subject from the moment of such application or receipt of the request.
4.19. If the Operator, Roskomnadzor, or another interested party identifies an unlawful or accidental transfer (provision, distribution) of personal data (access to personal data) that violates the rights of personal data subjects, the Operator shall:
— within 24 hours, notify Roskomnadzor about the incident, the alleged causes of the violation of the rights of personal data subjects, the alleged harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and provide information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;
— within 72 hours, notify Roskomnadzor about the results of its internal investigation of the identified incident and provide information about the individuals whose actions caused the incident (if any).
Procedures aimed at identifying and preventing violations of personal data legislation
5.1. To detect and prevent violations of the legislation on personal data, the Operator uses the following procedures:
— implementation of internal control (audit) of compliance with the requirements for personal data protection;
— assessment of the harm that may be caused to personal data subjects;
— familiarizing employees who directly process personal data with the legislation on personal data, including the requirements for protecting personal data and this Regulation;
— limiting the processing of personal data to achieving specific, predefined, and legitimate goals;
— processing personal data in accordance with the principles and conditions of personal data processing established by the legislation on personal data;
— ensuring that personal data is not processed in a manner incompatible with the purposes of collecting personal data;
— ensuring that databases containing personal data are not combined for incompatible purposes;
— ensuring that the content and scope of the processed personal data correspond to the declared purposes of processing; the processed personal data should not be excessive in relation to the declared purposes of processing;
— ensuring that personal data is accurate, sufficient, and relevant for the purposes of personal data processing.
5.2. Procedure for assessing the harm that may be caused to personal data subjects.
5.2.1. The assessment of the harm that may be caused to personal data subjects in the event of a violation of personal data legislation is carried out by the person responsible for organizing the processing of personal data or by a commission formed by the Operator.
5.2.2. For the purpose of assessing harm, the Operator determines one of the degrees of harm that may be caused to the personal data subject in the event of a violation of personal data legislation:
5.2.2.1. High in the following cases:
— processing information that characterizes a person's physiological and biological features, based on which it is possible to establish their identity (biometric personal data), and which is used by the Operator to establish the identity of the personal data subject, except in cases specified by federal laws that provide for the purposes, procedures, and conditions for processing biometric personal data;
— processing special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, and criminal record information, except in cases specified by federal laws that establish the purposes, procedures, and conditions for processing special categories of personal data;
— processing the personal data of minors in order to execute a contract in which the minor is a party, a beneficiary, or a guarantor, as well as to conclude a contract at the initiative of a minor or a contract in which the minor will be a beneficiary or a guarantor in cases not provided for by the legislation of the Russian Federation;
— anonymization of personal data, including for the purpose of conducting assessment (scoring) studies, providing services for predicting the behavior of consumers of goods and services, as well as other studies not provided for in Part 9 of Article 6 of Federal Law No. 152-FZ dated July 27, 2006, “On Personal Data”;
— instructions to a foreign person (or persons) to process the personal data of citizens of the Russian Federation;
— collecting personal data using databases located outside the Russian Federation.
5.2.2.2. Average in the following cases:
— dissemination of personal data on the Operator's official website on the Internet, as well as provision of personal data to an unlimited number of persons, except in cases established by federal laws that provide for the purposes, procedures, and conditions of such processing of personal data;
— processing personal data for additional purposes other than the original purpose of collection;
— promoting goods, works, and services on the market by making direct contacts with potential consumers using personal data bases owned by another operator;
— obtaining consent to the processing of personal data by implementing functionality on the official website that does not require further identification and/or authentication of the personal data subject;
— carrying out activities related to the processing of personal data, which involves obtaining consent to the processing of personal data, which contains provisions on granting the right to process personal data to a specific and/or indefinite circle of persons for purposes that are incompatible with each other.
5.2.2.3. Low in the following cases:
— maintaining publicly available sources of personal data formed in accordance with Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data";
— designation of a person who is not a full-time employee of the Operator as the person responsible for processing personal data.
5.2.3. The results of the damage assessment are documented in the damage assessment act.
5.2.4. The damage assessment act must contain:
— the name or surname, first name, patronymic (if any), and address of the Operator;
— the date of publication of the harm assessment act;
— the date of the harm assessment;
— the last name, first name, patronymic (if any), position of the person (persons) (if any) who conducted the assessment of the damage, and their (his) signature;
— the degree of harm that can be caused to a personal data subject.
5.2.5. An electronic damage assessment act signed in accordance with federal law and the Operator's local regulations using an electronic signature is recognized as an electronic document equivalent to a paper-based damage assessment act signed with a handwritten signature.
5.2.6. If the assessment of harm reveals that the personal data subject may suffer different degrees of harm as a result of the personal data processing activities, the higher degree of harm shall be applied.
Organization of access to personal data
6.1. Access to PD that does not require confirmation and is not subject to restriction is provided to the following officials of the Center for Justice LLC:
— General Director;
— employees holding the following positions: commercial director, head of the legal department in Moscow, lawyer, legal assistant, and specialist in personnel training and development.
The person responsible for processing personal data at the Center of Justice LLC is personally responsible for organizing the processing of personal data, including the receipt, storage, transfer, and destruction of personal data at the Center of Justice LLC.
6.2. The Operator's employees and other persons who have access to PD are required to:
— carry out transactions with PD in compliance with the regulations established by this Regulation and the current legislation of the Russian Federation;
— inform their immediate supervisor and the Organization's supervisor about any emergencies related to personal data operations;
— ensure the confidentiality of personal data operations;
— ensure the safety and immutability of personal data if the task being performed does not require their adjustment or addition.
6.3. The Operator's employees who have access to PD have the right to:
— acquire the authority necessary for carrying out transactions with personal data;
— receive consulting support from management and other competent employees regarding the implementation of PD operations;
— issue orders and send instructions to employees who transfer the Operator's personal data, related to the need to provide additional or clarifying information in order to ensure the correct implementation of operations with personal data.
Rights and obligations of the personal data subject
7.1. The subject of personal data has the right to:
- receive information regarding the processing of their personal data;
- request clarification, blocking, or destruction of their personal data;
- revoke consent to PD processing;
- appeal the Operator's actions to the authorized bodies or to a court;
- obtain information about the name and contact details of the person who processes personal data on behalf of the Operator, if such processing is commissioned;
- obtain other information provided for by Federal Law No. 152-FZ of July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation;
- exercise other rights provided for by the legislation of the Russian Federation.
7.2. The specified information is provided to the PD Subject, and it should not contain PD related to other PD Subjects, except in cases where there are grounds for disclosing such personal data.
7.3. Requests from Personal Data Subjects are considered by the Operator within 30 days of receipt of the request in written or electronic form (certified by an electronic digital signature).
Rights and obligations of the Operator
8.1. The Operator independently takes measures necessary and sufficient to ensure the fulfillment of the obligations provided for by Federal Law No. 152-FZ of July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation.
8.2. The Operator has the right to request reliable information and documents containing personal data from the Subject of PD.
8.3. The Operator is entitled to the rights provided for by Federal Law No. 152-FZ of July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation.
8.4. The Operator is obliged to comply with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation.
8.5. When collecting personal data, the Operator is obliged to provide the information provided for by Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006, upon request from the Subject of Personal Data.
8.6. The Operator is guided by the following documents when processing personal data: the organization's charter documents; the legislation of the Russian Federation regulating the protection of personal data; the concluded agreement for legal services; and the Subject's consent to the processing of personal data (when processing for purposes unrelated to the agreement, as well as when processing a special category of personal data).
8.7. In order to comply with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation, a person responsible for organizing the processing of personal data has been appointed by Order No. ___ dated __.09.2025.
Categories of subjects and processed data
Subject category | Personal data processed |
Candidates for employment with the Operator | last name, first name, patronymic; gender; citizenship; date and place of birth; contact information; information about education, work experience, and qualifications; other personal information provided by candidates in their resumes and cover letters. |
Employees and former employees of the Operator | last name, first name, patronymic; gender; nationality; date and place of birth; image (photograph); passport data; address of registration at the place of residence; address of actual residence; contact information; individual taxpayer number; insurance number of individual personal account (SNILS); information about education, qualifications, professional training and advanced training; marital status, children, family ties; information about work, including the availability of incentives, awards and (or) disciplinary penalties; data on marriage registration; information about military registration; information about disability; information about withholding alimony; information about income from a previous job; other personal data, provided by employees in accordance with the requirements of labor legislation. |
Family members of the Operator's employees | last name, first name, patronymic; relationship; year of birth; other personal data provided by employees in accordance with the requirements of labor legislation. |
Clients and contractors of the Operator (individuals) | surname, name, patronymic; date and place of birth; passport data; registration address; contact information; position held; individual taxpayer number; account number; other personal data (including special categories) provided by clients and contractors (individuals) necessary for the conclusion and execution of contracts. |
Representatives (employees) of the Operator's clients and contractors | surname, name, patronymic; passport data; contact data; position held; other personal data provided by representatives (employees) of clients and contractors, which are necessary for the conclusion and execution of contracts. |
The Center of Justice LLC website uses Internet statistics websites to collect and process anonymized data about website visitors (including cookies).
Personal data permitted by the PD Subject for dissemination is processed in accordance with the requirements specified in Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations governing the processing and protection of personal data in the Russian Federation.
Information that characterizes a person's physiological and biological features, on the basis of which it is possible to establish their identity (biometric personal data), and which is used by the Operator to establish the identity of the PD Subject, may be processed only with the written consent of the PD Subject.
Transfer of personal data to third parties
10.1. Personal data may be transferred to third parties only in the following cases:
- with the written consent of the PD Subject;
- as part of the execution of a contract with the PD Subject;
- at the request of government agencies, courts, and prosecutor's offices, in accordance with the procedures established by Russian legislation;
- when an assignment is transferred to another employee, lawyer, or attorney, provided that confidentiality is maintained.
10.2. When data is transferred to third parties, a power of attorney or confidentiality agreement is concluded, which defines the terms of processing and liability.
10.3. The Operator distributes PD, that is, it takes actions to distribute these data to an unlimited number of persons, only with the consent of the PD Subject and in accordance with the agreed volume and requirements regulated by Federal Law No. 152-FZ of July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation.
Cross-border transfer of personal data
11.1. The Operator may transfer personal data cross-border in compliance with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation, as well as international treaties of the Russian Federation.
Personal data protection
12.1. When processing personal data, the Center for Justice LLC takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as from other illegal actions in relation to such data.
In accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation, the Operator has identified the following threats to the security of personal data:
— the threat of unauthorized access to personal data by persons authorized in the PD information system, including during the creation, operation, maintenance and (or) repair, modernization, decommissioning of the personal data information system;
— the threat of exposure to malicious code external to the personal data information system;
— the threat of using social engineering methods against individuals with authority in the personal data information system;
— the threat of unauthorized access to alienable personal data carriers;
— the threat of loss (theft) of personal data carriers, including portable personal computers of the PD information system users;
— the threat of unauthorized access to personal data by persons who do not have the necessary permissions in the PD information system, using: vulnerabilities in the PD protection system; vulnerabilities in the PD information system software; vulnerabilities in the protection of network communication and data transmission channels; vulnerabilities in the protection of the PD information system's computer networks; vulnerabilities caused by non-compliance with the requirements for the use of cryptographic information protection tools.
The security threats to personal data that are permitted by the PD Subject for dissemination, and are relevant when processing such data in PD information systems, include threats to the integrity (substitution) and availability of PD that are permitted by the PD Subject for dissemination.
In accordance with the criteria approved by the Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, "On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems," the Operator must ensure the 4th level of personal data protection during their processing in the information system.
In this regard, the following requirements must be met in order to ensure the 4th level of personal data protection during their processing in information systems:
— organizing a security regime for the premises where the information system is located, which prevents uncontrolled entry or stay by persons who do not have access to these premises;
— ensuring the safety of personal data carriers;
— approval by the operator's manager of a document defining the list of individuals whose access to personal data processed in the information system is necessary for them to perform their official (employment) duties;
— the use of information protection tools that have passed the compliance assessment procedure of the Russian Federation legislation in the field of information security, if such tools are necessary to neutralize current threats.
To meet these requirements, the Operator determines the composition and content of measures to ensure the security of personal data on the basis of Order No. 21 of the FSTEC of Russia dated February 18, 2013 "On Approval of the Composition and Content of Organizational and technical measures to ensure the security of personal data during their processing in Personal Data Information Systems."
12.2. The person responsible for organizing the processing of personal data is obliged, in particular, to:
— carry out internal control over the Operator's compliance with the legislation of the Russian Federation on personal data, including requirements for the protection of personal data;
— inform the Operator's employees about the provisions of the Russian Federation's legislation on personal data, local acts on the processing of personal data, and requirements for the protection of personal data;
— organize the reception and processing of appeals and requests from Personal Data Subjects or their representatives, and (or) exercise control over the reception and processing of such appeals and requests.
Liability for violation of personal data protection requirements
13.1. Persons guilty of violating the requirements for personal data protection are liable under the laws of the Russian Federation.
13.2. Employees of the Operator who have allowed the disclosure of the subject's personal data may be dismissed at the employer's initiative under subparagraph "b" of paragraph 6 of part 1 of Article 81 of the Labor Code of the Russian Federation. Dismissal does not exclude other forms of liability provided for by current legislation.
13.3. Moral damage caused to the Personal Data Subject as a result of a violation of his rights, a violation of the rules for processing personal data established by the legislation of the Russian Federation, as well as the requirements for the protection of personal data, shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral damage shall be carried out independently of compensation for property damage and losses incurred by the Personal Data Subject.
13.4. The General Director of the Operator is administratively liable under Articles 5.27 and 5.39 of the Code of Administrative Offenses of the Russian Federation for violating the regulations governing the receipt, processing, and protection of an employee's personal data, and shall compensate the employee for any damage caused by the misuse of information containing the employee's personal data.
The final provision
14.1. The Regulation on Personal Data Processing in LLC Center of Justice comes into force on the date of its signing.
14.2. The Operator has the right to make adjustments, changes, and additions to this Policy in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation.
14.3. In accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006, "On Personal Data," and other regulations on the processing and protection of personal data in the Russian Federation, Center of Justice LLC develops and implements additional local regulations.
