1.1. This Personal Data Processing Policy (hereinafter, the Policy) has been developed in accordance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter, the Personal Data Law) for the purpose of ensuring the protection of the rights and freedoms of individuals in the processing of their personal data, including the protection of the right to privacy, and personal and family confidentiality. 1.2. This Policy applies to all personal data processed by Joint Stock Company “Center for Autonomous Robotic Systems” (hereinafter, the Operator, the Company). 1.3. The Policy extends to relations in the field of personal data processing that have arisen at the Operator both before and after the approval of this Policy. 1.4. In fulfillment of the requirements of the Personal Data Law, the Operator provides unrestricted access to this Policy. 1.5. Key terms used in the Policy:

• personal data: any information relating to an identified or directly or indirectly identifiable natural person (personal data subject);
• personal data operator (operator): the Company or a Company employee admitted to the processing of personal data, who also determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with personal data;
• processing of personal data: any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization (depersonalization), blocking, deletion, destruction;
• automated processing of personal data: processing of personal data using computer technology;
• dissemination of personal data: actions aimed at disclosing personal data to an indefinite circle of persons;
• provision of personal data: actions aimed at disclosing personal data to a specific person or a specific circle of persons;
• blocking of personal data: the temporary suspension of personal data processing (except where processing is necessary to clarify personal data);
• destruction of personal data: actions as a result of which it becomes impossible to restore the content of personal data in a personal data information system and/or as a result of which physical media containing personal data are destroyed;
• anonymization (depersonalization) of personal data: actions as a result of which it becomes impossible, without the use of additional information, to determine whether personal data belong to a specific personal data subject;
• personal data information system: a set of personal data contained in databases and the information technologies and technical means that ensure their processing. 1.6. Main rights and obligations of the Operator. 1.6.1. The Operator has the right to:

1. independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of the obligations established by the Personal Data Law and the regulations adopted pursuant thereto, unless otherwise provided by the Personal Data Law or other federal laws;
2. entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of a contract concluded with such person. A person processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing established by the Personal Data Law;
3. in the event the personal data subject withdraws consent to the processing of personal data, continue processing without the subject’s consent where grounds specified in the Personal Data Law exist. 1.6.2. The Operator shall:
4. organize the processing of personal data in accordance with the requirements of the Personal Data Law;
5. respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
6. provide the authorized body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) with the necessary information upon that body’s request. 1.7. Main rights of the personal data subject. A personal data subject has the right to:
7. receive information relating to the processing of his/her personal data, except in cases provided for by federal laws. Information is provided to the personal data subject by the Operator in an accessible form and must not contain personal data relating to other personal data subjects, except where there are lawful grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
8. require the Operator to clarify (update) his/her personal data, or to block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, and to take measures prescribed by law to protect his/her rights;
9. stipulate a condition of prior consent when personal data are processed for the purpose of promoting goods, works, and services on the market;
10. appeal to Roskomnadzor or to a court against unlawful actions or inaction of the Operator in the processing of his/her personal data. 1.8. Control over compliance with the requirements of this Policy is carried out by the authorized person responsible for organizing personal data processing at the Operator. 1.9. Liability for violations of the legislation of the Russian Federation and the Company’s internal regulations in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation.

2.1. The processing of personal data is limited to achieving specific, predetermined, and lawful purposes. Processing of personal data that is incompatible with the purposes of personal data collection is not permitted. 2.2. Only personal data that are relevant to the purposes of their processing are subject to processing. 2.3. The Operator processes personal data for the following purposes:

• ensuring compliance with the Constitution of the Russian Federation, federal laws, and other regulatory legal acts of the Russian Federation;
• exercising the rights and legitimate interests of the Company within the types of activities provided for by the Company’s Charter and other local regulations;
• enforcement of court judgments and acts of other bodies and officials subject to enforcement under the legislation of the Russian Federation;
• regulating labor relations with the Operator’s employees;
• personnel recordkeeping; assisting employees with employment, education, and career advancement; professional development; ensuring employees’ personal safety; monitoring the quantity and quality of work performed; ensuring the safekeeping of property;
• attracting and selecting candidates for employment with the Operator;
• performing the functions, powers, and duties imposed on the Company by the legislation of the Russian Federation, including by providing personal data to public authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as other state bodies;
• compliance with tax legislation in connection with the calculation and payment of personal income tax, as well as the unified social tax, and with pension legislation when forming and providing individualized data on each income recipient, taken into account in calculating insurance contributions for mandatory pension insurance/provision;
• conclusion, performance, and termination of civil-law contracts with individuals, legal entities, individual entrepreneurs, individuals applying a special tax regime (self-employed), and other persons in cases provided for by the legislation of the Russian Federation;
• completion and submission to executive authorities and other authorized organizations of the required reporting forms;
• maintaining accounting records (bookkeeping);
• implementing access control and intra-facility security procedures at the Company;
• implementing access control and intra-facility security procedures at facilities where the Company performs its contractual obligations to counterparties (including the Federal Protective Service of the Russian Federation, the Ministry of Internal Affairs of the Russian Federation, etc.);
• referring employees to medical organizations for mandatory periodic medical examinations;
• conducting sports, wellness, and celebratory events. 2.4. The processing of employees’ personal data may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

3.1. The legal grounds for processing personal data are the body of regulatory legal acts pursuant to and in accordance with which the Operator processes personal data, including:

• the Constitution of the Russian Federation;
• the Civil Code of the Russian Federation;
• the Labor Code of the Russian Federation;
• the Tax Code of the Russian Federation;
• Federal Law No. 14-FZ dated February 8, 1998 “On Limited Liability Companies”;
• Federal Law No. 402-FZ dated December 6, 2011 “On Accounting”;
• Federal Law No. 167-FZ dated December 15, 2001 “On Mandatory Pension Insurance in the Russian Federation”;
• other regulatory legal acts governing relations related to the Operator’s activities.

3.2. The legal grounds for processing personal data also include:

• the Company’s Charter;
• contracts concluded between the Operator and personal data subjects;
• the consent of personal data subjects to the processing of their personal data.

4.1. The content and scope of the personal data processed must correspond to the stated purposes of processing specified in Section 2 of this Policy. The personal data processed must not be excessive in relation to the stated purposes of their processing. 4.2. The Operator may process personal data in accordance with Clause 4.3 of this Policy, special categories of personal data—information on health status, and biometric personal data—photographic and video images, clothing/shoe size/height/weight. 4.3. For each category of personal data subjects, the Operator may process the following personal data: 4.3.1. Candidates for employment with the Operator: last name, first name, patronymic (including previous last names, first names and/or patronymics, if changed); sex; citizenship; age; date and place of birth; identity document details (series, number, date of issue, issuing authority, subdivision code); registered address of residence and actual place of residence; phone number (home and/or mobile); personal email address; information on education, qualifications, professional training, advanced training; knowledge of foreign languages; employment information (length of service, places of work, dates of hire and termination, positions, average monthly income, number of subordinates, main job duties, military service, elected positions, public or municipal service, etc.); information on the availability of a driver’s license and driving experience; information on criminal records and facts of criminal prosecution or termination thereof on exonerating grounds; information contained in credit reports and the primary section of the credit history; information indicated in migration documents (for foreign citizens); military obligation status and military registration details; information on hiring, transfer, dismissal and other events related to employment, income information; information on business and other personal qualities of an evaluative nature; photographic image; information on health status; other personal data communicated by candidates in resumes and cover letters. 4.3.2. Employees and former employees of the Operator: last name, first name, patronymic (including previous last names, first names and/or patronymics (if any), if changed); citizenship; sex; age; date and place of birth; identity document details (series, number, date of issue, issuing authority, subdivision code); registered address of residence and actual place of residence; phone number (home and/or mobile); taxpayer identification number (INN); insurance number of the individual personal account (SNILS) in the state pension system; personal email address; bank account and card details for salary payment; data from documents on education, qualifications, professional training; information on advanced training; knowledge of foreign languages; employment information (); information indicated in migration documents (for foreign citizens); military obligation status and military registration details; photographic and video images; other personal data provided in accordance with the requirements of the labor legislation of the Russian Federation. 4.3.5. Representatives (employees) of the Operator’s clients and counterparties (legal entities), customers, contractors: last name, first name, patronymic; passport details; phone number (mobile); position held; other personal data provided by representatives (employees) of clients and counterparties that are necessary for concluding and performing contracts. 4.3.6. Visitors to the Company’s office premises: last name, first name, patronymic; corporate (legal) name of the organization represented by the personal data subject; date and time period of the visit; passport details; phone number (mobile); driver’s license details. 4.4. The Operator processes biometric and special categories of personal data in accordance with the legislation of the Russian Federation.

5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
5.2. The processing of personal data is carried out with the consent of personal data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
5.3. The Operator carries out both automated and non-automated processing of personal data.
5.4. Employees of the Operator whose job duties include the processing of personal data are permitted to process personal data.
5.5. Personal data are processed by:

• obtaining personal data in oral and written form directly from personal data subjects;
• obtaining personal data from publicly available sources;
• entering personal data into the Operator’s logs, registers, and information systems;
• using other methods of processing personal data.

5.6. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject are not permitted, unless otherwise provided for by federal law. Consent to the processing of personal data permitted by the personal data subject for dissemination shall be executed separately from other consents of the personal data subject to the processing of their personal data. The requirements for the content of consent to the processing of personal data permitted by the personal data subject for dissemination are approved by Order of Roskomnadzor dated 24.02.2021 No. 18.
5.7. The transfer of personal data to bodies of inquiry and preliminary investigation, to the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund, and other authorized executive authorities and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
5.8. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:

• identifying threats to the security of personal data during their processing;
• adopting local regulations and other documents governing relations in the field of processing and protecting personal data;
• appointing persons responsible for ensuring the security of personal data in the Operator’s structural units and information systems;
• creating the necessary conditions for working with personal data;
• organizing the operation of information systems in which personal data are processed;
• storing personal data under conditions that ensure their preservation and preclude unlawful access to them.

5.9. The Operator stores personal data in a form that allows the identification of the personal data subject no longer than required by the purposes of processing personal data, unless a retention period for personal data is established by federal law or by a contract.
5.10. When collecting personal data, including via the information and telecommunications network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in cases specified by the Personal Data Law.

6.1. Confirmation of the fact of processing of personal data by the Operator, the legal grounds and purposes of processing personal data, as well as other information specified in part 7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the personal data subject or their representative upon application or upon receipt of a request from the personal data subject or their representative. The information provided shall not include personal data relating to other personal data subjects, except where there are lawful grounds for disclosing such personal data. The request must contain:

• the number of the principal identity document of the personal data subject or their representative, information on the date of issue of said document, and the issuing authority;
• information confirming the personal data subject’s participation in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and/or other information), or information otherwise confirming the fact of the Operator’s processing of personal data;
• the signature of the personal data subject or their representative. The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation. If the application (request) of the personal data subject does not contain all the necessary information in accordance with the requirements of the Personal Data Law, or the subject does not have access rights to the requested information, a reasoned refusal shall be sent to them. The personal data subject’s right of access to their personal data may be restricted in accordance with part 8 of Article 14 of the Personal Data Law, including where access by the personal data subject to their personal data would violate the rights and legitimate interests of third parties.

6.2. If inaccurate personal data are identified upon application by the personal data subject or their representative, or at their request, or at the request of Roskomnadzor, the Operator shall block the personal data relating to that personal data subject from the moment of such application or receipt of the relevant request for the period of verification, provided that blocking the personal data does not violate the rights and legitimate interests of the personal data subject or third parties. If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the personal data subject or their representative, or by Roskomnadzor, or other necessary documents, shall update (correct) the personal data and lift the blocking of the personal data.
6.3. If unlawful processing of personal data is identified upon application (request) by the personal data subject or their representative, or by Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to that personal data subject from the moment of such application or receipt of the request.
6.4. Upon achievement of the purposes of processing personal data, and also in the event that the personal data subject withdraws their consent to processing, the personal data shall be destroyed, if:

• otherwise provided for by a contract to which the personal data subject is a party, beneficiary, or surety;
• the Operator is not entitled to carry out processing without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;
• otherwise provided for by another agreement between the Operator and the personal data subject.