Personal Data Processing Policy

1. General Provisions
This Personal data processing Policy is prepared in accordance with the requirements of the Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" (hereinafter referred to as the Law on personal data) and defines the procedure for processing personal data and measures to ensure the security of personal data taken by National Electric LLC (hereinafter referred to as the Operator).
1.1. The Operator sets as its most important goal and condition for the implementation of its activities the observance of human and civil rights and liberties in the processing of personal data, including personal privacy, personal and family secrets protection.
1.2. This Operator's policy of personal data processing (hereinafter referred to as the Policy) is applied to all information that the Operator can receive about visitors of the https://nationalgroup.ru/ website.

2. Main definitions of the Policy
2.1. Automated personal data processing – personal data processing by means of computer technology.
2.2. Personal data blocking – personal data processing temporary suspension (except when processing is required to clarify personal data).
2.3. Web site – the set of graphics and content, as well as computer programs and databases, ensuring access to them on the Internet at https://nationalgroup.ru/ web address.
2.4. Personal data information system — a set of personal data contained in databases, and information technologies and technical means ensuring their processing.
2.5. Depersonalization of personal data — actions as a result of which it is impossible to determine, without the use of additional information, that personal data belong to a specific User or other subject of personal data.
2.6. Personal data processing – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.7. Operator – a government body, a municipal authority, a legal entity or an individual person, independently or jointly with other persons arranging and (or) performing personal data processing, as well as defining goals of personal data processing, composition of personal data to be processed, actions (operations) performed with personal data.
2.8. Personal data – any information relating directly or indirectly to a specific or being identified User of the https://nationalgroup.ru/ website.
2.9. Personal data, authorized for distribution by the personal data owner - personal data, to which access of an unlimited number of persons is provided by the personal data owner by giving approval for processing of personal data, authorized for distribution by the personal data owner, in accordance with the procedure specified by the Law on Personal Data (hereinafter - personal data authorized for distribution).
2.10. User – any visitor of the https://nationalgroup.ru/ website.
2.11. Personal data sharing – actions aimed at disclosing personal data to a certain person or a certain circle of persons.
2.12. Personal data distribution – any actions aimed at disclosure of personal data to an indefinite circle of persons (transfer of personal data) or at acquaintance of an unlimited circle of persons with the personal data, including the publication of personal data in the media, posting in information and telecommunications networks or providing access to personal data in any other way.
2.13. Cross-border personal data transfer – personal data transfer to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.
2.14. Personal data destruction – any actions, as a result of which personal data is permanently destructed with the impossibility of further restoration of the personal data content in the personal data information system and (or) personal data storage devices are destroyed.

3. Operator’s basic rights and obligations
3.1. Operator has right to:
– receive reliable information and/or documents containing personal data from the personal data owner;
– continue personal data processing even if the personal data owner withdraws approval for personal data processing if there are grounds specified in the Personal Data Law;
– determine independently the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations prescribed by the Law on Personal Data and regulatory acts adopted in accordance with it, unless otherwise prescribed by the Law on Personal Data or other federal laws.
3.2. Operator is obliged to:
– provide the personal data owner, at his request, with information concerning the processing of his personal data;
– arrange personal data processing in accordance with the procedure established by the current legislation of the Russian Federation;
– respond to queries and requests from personal data owners and their legal representatives in accordance with the requirements of the Personal Data Law;
– inform the personal data protection authority at its request of the necessary information within 30 days from the date of receipt of such a request;
– publish or otherwise provide unlimited access to this Personal Data
Processing Policy;
– take legal, organizational and technical measures against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as against other illegal actions on personal data;
– stop transfer (distribution, provision, access) of personal data, stop processing and destroy personal data in the manner and cases prescribed by the Law on Personal Data;
– fulfil other responsibilities stipulated by the Law on Personal Data.

4. Personal data owners’ basic rights and obligations
4.1. Personal data owners have right to:
– receive information concerning personal data processing, except for the cases specified by federal laws. The information is provided to the personal data owner by the Operator in an easily accessible form, and it should not contain personal data related to other personal data owners, except for the cases when there are legitimate grounds for disclosure of such personal data. The list of information and the procedure for receiving is established by the Law on Personal Data;
– demand that the Operator clarify their personal data, block or destroy it if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as take measures specified by law to protect their rights;
– put forward condition of a prior approval for personal data processing in order to promote goods, works and services on the market;
– revoke personal data processing approval;
– appeal to the personal data protection authority or in court against illegal actions or omission of the Operator while processing its personal data;
– exercise other rights, stipulated by the law of the Russian Federation.
4.2. Personal data owners are obliged to:
– provide the Operator with the reliable personal data;
– inform the Operator about personal data update or change.
4.3. Persons, who have provided the Operator with false personal data or information about another personal data owner without the latter's approval, bear responsibility under the law of the Russian Federation.

5. Operator can process the following User’s personal data
5.1. Surname, first name, patronymic.
5.2. Email address.
5.3. Phone numbers.
5.4. Website also collects and processes anonymized data about visitors (including cookie files) using Internet statistics services (Yandex Metric and Google Analytics and others).
5.5. The aforesaid data hereinafter referred to as the Personal Data.
5.6. The Operator does not perform processing of the personal data relating to race, nationality, political views, religious or philosophical beliefs, private life.
5.7. Processing of personal data, allowed for distribution from among the special categories of personal data specified in Part 1 of Article 10 of the Personal Data Law, is allowed if the prohibitions and conditions stipulated in Article 10.1 of the Personal Data Law are observed.
5.8. The User's approval for the processing of personal data authorized for distribution is issued separately from other approvals for the processing of his personal data. At the same time, the conditions stipulated, in particular, in Article 10.1 of the Law on Personal Data are observed. The requirements for the content of this approval are established by the personal data protection authority.
5.8.1 The User gives approval for personal data processing allowed for distribution directly to the Operator.
5.8.2 The Operator, no later than three working days from the date of receipt of the User's approval, is obliged to publish information on the processing conditions, existing prohibitions and conditions for processing by an unlimited number of persons of personal data allowed for distribution.
5.8.3 The transfer (distribution, provision, access) of personal data authorized by the personal data owner for distribution must be terminated at any time at the request of the personal data owner. This request must include the surname, first name, patronymic (if any), contact information (phone number, email address or postal address) of the personal data owner, as well as a list of personal data whose processing is subject to termination. The personal data specified in this request can only be processed by the Operator to which it is sent.
5.8.4 The approval for the processing of personal data allowed for distribution stops being valid from the moment the Operator receives the request specified in clause 5.8.3 of this personal data processing Policy.

6. Principles of personal data processing
6.1. The processing of personal data is carried out on a legal and fair basis.
6.2. The processing of personal data is limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed.
6.3. It is not allowed to combine databases containing personal data, processing of which is performed for incompatible with each other purposes.
6.4. Only personal data that meets the purposes of its processing are subject to processing.
6.5. The content and volume of the processed personal data correspond to the stated purposes of processing. Processed personal data excess in relation to the stated purposes of their processing is not allowed.
6.6. The personal data processing ensures the accuracy of personal data, its sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing. The Operator takes necessary measures and/or ensures that these measures are taken to delete or clarify incomplete or inaccurate data.
6.7. The storage of personal data is carried out in a form that allows to determine the owner of personal data, not longer than the purposes of personal data processing require, unless the period of personal data storage is established by the federal law, an agreement to which the party, beneficiary or guarantor is the owner of personal data. The processed personal data are destroyed or anonymized upon achievement of the processing goals or in case of loss of the necessity to achieve these goals, unless otherwise specified by federal law.

7. Purposes of personal data processing
7.1. Purpose of the User’s personal data processing:
– informing the User by sending emails;
– informing the User by phone call.
7.2. The Operator also has the right to send notifications to the User about new products and services, special offers and various events. The User can always refuse to receive informational messages by sending an email to the Operator’s email address «tilda@nationalgroup.ru» marked "Refusal of notifications about new products and services and special offers".
7.3. Anonymized Users’ data collected using Internet statistics services are used to collect information about Users actions on the site, improve the quality of the site and its content.

8. Legal grounds for personal data processing
8.1. Operator’s legal grounds for personal data processing are:
– Operator’s charter;
– agreements between the Operator and the personal data owner;
– federal laws and other personal data protection regulatory acts;
– Users’ approval for personal data processing, for processing of personal data allowed for distribution.
8.2. The Operator processes the User's personal data only if they are filled in and/or sent by the User’s sole discretion through special forms located on the website https://nationalgroup.ru/ or sent to the Operator via e-mail. By filling in the appropriate forms and/or sending their personal data to the Operator, Users agree with this Policy.
8.3. The Operator processes anonymized User’s data if it is allowed in the User's browser settings (saving of cookies and use of JavaScript technology are enabled).
8.4. The personal data owner decides at its own discretion to provide its personal data and gives approval freely, willingly and for own benefit.

9. Personal data processing terms and conditions
9.1. Personal data processing is performed with the consent of the personal data
owner for the processing of its personal data.
9.2. Personal data processing is necessary to achieve purposes stipulated by an international agreement of the Russian Federation or by a law of the Russian Federation, empowering the Operator to execute its functions, powers and duties.
9.3. Personal data processing is necessary for the administration of justice, the execution of a judicial act, an act of another agency or official subject to execution in accordance with the law of the Russian Federation on enforcement proceedings.
9.4. Personal data processing is necessary for the execution of a contract, to which the personal data owner is a party or beneficiary or guarantor, as well as for the conclusion of a contract, initiated by the personal data owner, or a contract, under which the personal data owner will be a beneficiary or guarantor.
9.5. Personal data processing is necessary for the Operator’s and third parties’ rights and legitimate interests execution or for achievement of socially significant purposes, given that the rights and freedoms of the personal data owner are not violated.
9.6. Personal data, access to which of an unlimited circle of persons has been granted by the personal data owner or by its request, are the subject for processing (hereinafter referred to as publicly available personal data).
9.7. Personal data, liable for publication or mandatory disclosure in accordance with the federal law, are the subject for processing.

10. The procedure for collecting, storing, transferring and other types of personal data processing
The security of personal data, processed by the Operator, is ensured through the implementation of legal, organizational and technical measures necessary to fully comply with the requirements of current legislation in the field of personal data protection.
10.1. The Operator ensures the safety of personal data and takes all possible measures to exclude access to the personal data of unauthorized persons.
10.2. The User's personal data will never, under any circumstances, be transferred to third parties, except for the cases related to the implementation of current legislation or if the personal data owner has given approval to the Operator for data transfer to a third party for civil contract obligations fulfillment.
10.3. In the event of personal data incorrectness identification, the User can update it independently by sending a notification to the Operator's email address «tilda@nationalgroup.ru» marked "Updating of personal data".
10.4. The term of personal data processing is determined by the achievement of the purposes for which personal data were collected, unless another term is specified by the contract or current legislation.
The User can withdraw its approval for personal data processing at any time by sending a notification to the Operator's e-mail address «tilda@nationalgroup.ru» marked "Withdrawal of the approval for personal data processing”.
10.5. All information collected by third-party services, including payment systems, communication facilities and other service providers, is stored and processed by these parties (Operators) in accordance with their User Agreement and Privacy Policy. The owner of personal data and/or the User is obliged to familiarize themselves with these documents in a timely manner. The Operator is not responsible for the actions of third parties, including the service providers specified in this paragraph.
10.6. Personal data owner’s ban on transfer (except for granting access), as well as on processing or processing conditions (except for obtaining access) of personal data allowed for distribution, is not applied in the event of personal data processing for state, public and other public purposes, specified by laws of the Russian Federation.
10.7. The Operator ensures personal data confidentiality while processing personal data.
10.8. The Operator stores personal data in a form that allows defining the personal data owner, not longer than it is required by purposes of personal data processing, unless the period of personal data storage is established by federal law, an agreement to which the personal data owner is a party, beneficiary or guarantor.
10.9. Achievement of personal data processing purposes, the expiration of the personal data owner approval or the withdrawal of approval by the personal data owner, as well as personal data unlawful processing detection, can be a reason for personal data processing termination.

11. List of actions performed by the Operator with the received personal data
11.1. The Operator collects, records, organizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distribution, provision, access), anonymizes, blocks, deletes and destroys personal data.
11.2. The Operator performs automated personal data processing with receiving and/or transmitting the received information via information and telecommunication networks.

12. Cross-border personal data transfer
12.1. Prior to the start of the cross-border personal data transfer, the Operator should make sure that the foreign state, to which territory the transfer of personal data is supposed to be carried out, provides reliable protection of the rights of personal data owners.
12.2. The cross-border personal data transfer to territories of foreign states that do not meet the above requirements can be carried out only if the personal data owner has agreed in writing on cross-border transfer of its personal data and/or if the contract, to which the personal data owner is a party, is executed.

13. Confidentiality of personal data
The Operator and other persons who have gained access to personal data are obliged not to disclose to third parties and not to distribute personal data without personal data owner’s approval, unless otherwise specified by federal law.

14. Final provisions
14.1. The User can get clarifications on issues concerning the its personal data processing by contacting the Operator via e-mail «tilda@nationalgroup.ru».
14.2. This document will reflect any changes to the Operator's personal data processing policy. The policy remains in force indefinitely until it is replaced by a new version.
14.3. The current version of the Policy is freely available on the Internet at https://nationalgroup.ru/policy-en/ website.