Personal Data Processing Policy

1. General Provisions
This Personal Data Processing Policy has been drafted in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as the Personal Data Law) and determines the procedure for processing personal data and measures to ensure the security of personal data undertaken by LLC “ElliorRus” (hereinafter referred to as the Operator).
1.1. The Operator considers the observance of human and civil rights and freedoms in the processing of personal data, including the protection of the rights to privacy, personal and family secrecy, as its most important goal and condition of its activity.
1.2. This Operator’s policy regarding the processing of personal data (hereinafter – the Policy) applies to all information that the Operator may obtain about visitors to the website ellior.ru.

2. Basic Terms Used in the Policy
2.1. Automated processing of personal data – processing of personal data using computer technology.
2.2. Blocking of personal data – temporary suspension of processing of personal data (except where processing is necessary to clarify personal data).
2.3. Website – a set of graphic and informational materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address ellior.ru.
2.4. Personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing.
2.5. Depersonalization of personal data – actions that make it impossible to determine, without the use of additional information, whether personal data belongs to a specific User or another subject of personal data.
2.6. Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.7. Operator – a state body, municipal body, legal entity or individual, independently or jointly with others, organizing and/or carrying out the processing of personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data.
2.8. Personal data – any information relating directly or indirectly to a specific or identifiable User of the website ellior.ru.
2.9. Personal data authorized for dissemination by the personal data subject – personal data to which an unlimited number of persons are granted access by the personal data subject by giving consent in the manner prescribed by the Personal Data Law (hereinafter – personal data authorized for dissemination).
2.10. User – any visitor of the website ellior.ru.
2.11. Provision of personal data – actions aimed at disclosing personal data to a certain person or group of persons.
2.12. Distribution of personal data – any actions aimed at disclosing personal data to an indefinite number of persons or making personal data available to the general public, including disclosure in mass media, placement in information and telecommunication networks, or providing access to personal data by any other means.
2.13. Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state, to a foreign authority, foreign individual or foreign legal entity.
2.14. Destruction of personal data – any actions that result in the irreversible destruction of personal data without the possibility of further restoring the content of personal data in the personal data information system and/or the destruction of the physical media of personal data.

3. Main Rights and Obligations of the Operator
3.1. The Operator has the right to:

• receive from the personal data subject reliable information and/or documents containing personal data;
• continue processing personal data without the consent of the personal data subject if grounds specified in the Personal Data Law exist, even after withdrawal of consent or submission of a request to cease processing;
• independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of obligations prescribed by the Personal Data Law.

3.2. The Operator shall:

• provide the personal data subject with information regarding the processing of his/her personal data upon request;
• organize the processing of personal data in accordance with current Russian legislation;
• respond to requests from personal data subjects and their legal representatives in accordance with the Personal Data Law;
• provide the competent authority for the protection of the rights of personal data subjects, upon its request, with the necessary information within 10 days from the date of such request;
• publish or otherwise ensure unlimited access to this Policy regarding personal data processing;
• take legal, organizational, and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as other unlawful actions;
• cease transfer (distribution, provision, access), processing, and destroy personal data in cases stipulated by the Personal Data Law;
• fulfill other obligations stipulated by the Personal Data Law.

4. Main Rights and Obligations of Personal Data Subjects
4.1. Personal data subjects have the right to:

• receive information regarding the processing of their personal data, except in cases provided for by federal law;
• require the Operator to clarify, block, or destroy their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the declared purpose of processing;
• demand prior consent for processing personal data for marketing purposes;
• withdraw consent to the processing of personal data;
• appeal unlawful actions or omissions of the Operator to the competent authority or in court;
• exercise other rights provided by Russian law.

4.2. Personal data subjects must:

• provide the Operator with reliable information about themselves;
• inform the Operator about clarifications (updates, changes) of their personal data.

4.3. Persons who provided the Operator with false information about themselves, or information about another personal data subject without their consent, are liable under Russian law.

5. Principles of Personal Data Processing
5.1. Processing is carried out on a lawful and fair basis.
5.2. Processing is limited to achieving specific, pre-defined, and legitimate purposes.
5.3. Combining databases containing personal data for incompatible purposes is not permitted.
5.4. Only personal data relevant to the purposes of processing are subject to processing.
5.5. The content and scope of processed personal data must correspond to the declared purposes of processing. Excessive processing is not permitted.
5.6. Personal data must be accurate, sufficient, and, where necessary, up to date. The Operator shall take necessary measures to delete or clarify incomplete or inaccurate data.
5.7. Personal data must be stored in a form allowing identification of the subject no longer than required by the purposes of processing. Upon achieving the purposes, or if processing is no longer necessary, the data must be destroyed or depersonalized unless otherwise required by law.

6. Purposes of Personal Data Processing

• Purpose: informing the User by sending emails.
• Personal data: surname, first name, patronymic; phone numbers.
• Legal grounds: statutory documents of the Operator.
• Types of processing: collection, recording, systematization, accumulation, storage, destruction, and depersonalization of personal data.

7. Conditions for Personal Data Processing
7.1. Processing is carried out with the consent of the personal data subject.
7.2. Processing is necessary for achieving purposes provided by international treaties or Russian law, for fulfilling functions imposed on the Operator.
7.3. Processing is necessary for justice, execution of judicial acts, or acts of other authorities.
7.4. Processing is necessary for performance of a contract with the personal data subject, or for concluding such a contract at their initiative.
7.5. Processing is necessary for the legitimate interests of the Operator or third parties, provided this does not violate the rights and freedoms of the subject.
7.6. Processing may concern publicly available personal data.
7.7. Processing may concern data subject to mandatory disclosure under Russian law.

8. Procedure for Collection, Storage, Transfer and Other Processing of Personal Data
The security of personal data processed by the Operator is ensured through legal, organizational, and technical measures required by law.
8.1. The Operator ensures the safety of personal data and prevents unauthorized access.
8.2. Personal data will not be transferred to third parties except as required by law or with the consent of the subject.
8.3. Users may update their data by sending a notice to privacy@thismywebsite.com marked “Update of personal data.”
8.4. Personal data is processed until the goals are achieved unless otherwise provided by law or contract. Users may withdraw their consent by sending a notice to privacy@thismywebsite.com marked “Withdrawal of consent.”
8.5. Data collected by third-party services (payment systems, communication providers, etc.) is processed according to their own agreements and privacy policies. The Operator is not responsible for third-party actions.
8.6. Restrictions on dissemination established by the subject do not apply in cases of state or public interest as defined by law.
8.7. The Operator ensures confidentiality of personal data.
8.8. Storage is carried out no longer than necessary for the purposes of processing.
8.9. Processing is terminated upon achievement of purposes, expiration or withdrawal of consent, or in case of unlawful processing.

9. List of Actions Performed by the Operator with Received Personal Data
9.1. The Operator collects, records, systematizes, accumulates, stores, clarifies, extracts, uses, transfers, depersonalizes, blocks, deletes, and destroys personal data.
9.2. The Operator performs automated processing, including via telecommunication networks.

10. Cross-Border Transfer of Personal Data
10.1. Before starting cross-border transfer, the Operator must notify the competent authority.
10.2. The Operator must obtain the necessary information from foreign authorities, individuals, or legal entities receiving the personal data.

11. Confidentiality of Personal Data
The Operator and other persons who have access to personal data must not disclose or distribute them without the consent of the subject unless required by law.

12. Final Provisions
12.1. Users may request clarifications on processing their personal data by contacting the Operator at privacy@thismywebsite.com.
12.2. Any changes to this Policy will be reflected in this document. The Policy is valid indefinitely until replaced by a new version.
12.3. The current version of the Policy is publicly available online at ellior.ru/privacy_policy