CHADOW

Privacy Policy

Appendix No. 1

to Order No. 1/pd-X64 dated December 10, 2025

This Policy is a local regulatory act of Limited Liability Company "X64" (OOO "X64"), INN 7720910084, KPP 772001001, OGRN 1237700714888, location: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141 (registered address: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141), adopted with due regard to the requirements of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter referred to as the Personal Data Law).

The Policy enters into force upon its approval and remains in effect until it is repealed by the relevant order or until a new Policy is introduced.

Amendments to the Policy are made by the relevant order. Amendments enter into force upon the signing of such order.

The administrator of the website https://chadow.x64.ru/ is OOO "X64", INN 7720910084, KPP 772001001, OGRN 1237700714888, location: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141 (registered address: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141).

Key terms:

Personal data means any information relating directly or indirectly to an identified or identifiable individual (the Personal Data Subject).

Personal Data Subject (Subject) means a citizen disclosing his or her personal data to the Operator, or a Website user who has independently posted a set of data about himself or herself on the Website.

Operator (Personal Data Operator) means OOO "X64", INN 7720910084, KPP 772001001, OGRN 1237700714888, and organizations engaged on a contractual basis for automated processing in accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", carrying out personal data processing.

Website means the website at the Internet address https://chadow.x64.ru/.

Other terms and definitions shall have the meanings assigned to them in the Personal Data Law.

1.  General Provisions

1.1. The Operator processes personal data of Personal Data Subjects in accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", the requirements for personal data protection during processing in personal data information systems approved by Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012, other legislative and regulatory legal acts concerning personal data processing and protection, and agreements entered into between the Personal Data Operator and the Personal Data Subject.

1.2. By disclosing his or her personal data, the Personal Data Subject gives Consent to personal data processing.

1.3. When registering on the Website, the Personal Data Subject gives Consent to personal data processing (in the form of Appendix No. 3 to this Policy). Consent to personal data processing is a mandatory condition for registration and use of the Website functionality.

The Personal Data Operator does not process personal data of Website users who have not completed the registration procedure and have not given consent to personal data processing, except for anonymized technical information about connection of the user's device when using the Website.

1.4. This Policy establishes:

  • the purpose, procedure and conditions of personal data processing;
  • the categories of Subjects whose personal data are processed, the categories (lists) of personal data processed, methods and terms of their processing and storage, and the procedure for destruction of such data upon achievement of the processing purposes or upon occurrence of other lawful grounds;
  • the list of actions for personal data protection, and procedures aimed at detecting and preventing violations of the laws of the Russian Federation in the field of personal data and remedying the consequences of such violations.

1.5. This Policy regulates relations between the Operator and the Personal Data Subject arising in the course of performance by the Operator of its duties, as well as in other cases provided for by the laws of the Russian Federation. Matters not resolved by this Policy shall be governed by the current laws of the Russian Federation. This Policy, as well as any part thereof, may be amended by the Operator without special notice to the Personal Data Subject and without payment of any compensation in this regard.

1.6. Documents containing personal data of Subjects are confidential. The confidentiality regime for personal data is lifted if the personal data are anonymized.

1.7. Personal Data Subjects may send requests, proposals or questions concerning this Policy to the Personal Data Operator by email at director@x64.ru, by post to: OOO "X64", location: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141 (registered address: Room 6, 21 Perovskaya St., Moscow, Russian Federation, 111141), or by phone at +7 (999) 202-25-69.

2.  Purposes of Personal Data Processing, Categories (Lists) of Personal Data Processed, and Categories of Personal Data Subjects Whose Personal Data Are Processed by the Operator

2.1. Under this Policy, personal data are processed for the purposes of applying and complying with labor legislation and legal services agreements, namely:

  • collection, analysis, storage and other actions, including transfer of personal data for potential employment purposes;
  • maintenance of HR and accounting records;
  • assistance to employees in obtaining education;
  • provision by the Operator of working conditions, guarantees and compensation established by law;
  • completion and submission of required reporting forms to authorized bodies;
  • ensuring employee safety and preservation of the Operator's property;
  • monitoring the quantity and quality of work performed;
  • registration, identification and provision of access to the Website information resources;
  • promotion of goods, works and services on the market, including by sending information about goods and services;
  • direct contact with potential consumers by means of communication;
  • conducting research on topics related to the Operator's activities for the purposes of developing new products and quality control, and conducting statistical and other research;
  • optimization, including advertising targeting;
  • detection and prevention of fraud and unlawful use of the Website;
  • preparation of responses to claims and requests;
  • performance of obligations under service agreements, warranty obligations and other obligations provided for by the laws of the Russian Federation.

2.2. In accordance with the purposes specified in clause 2.1 of the Policy, the Operator processes the following personal data:

2.2.1.  Contact data:

  • surname, first name, patronymic (if any);
  • telephone number (home and/or mobile);
  • email address.

2.2.2. Resume data:

  • surname, first name, patronymic (if any), as well as former surname, first name, patronymic (if any), date and place of change thereof (if changed);
  • gender;
  • date (day, month, year) and place of birth;
  • photographic image;
  • citizenship information;
  • type, series and number of identity document, name of issuing authority, date of issue;
  • insurance number of the individual personal account (SNILS);
  • taxpayer identification number (INN);
  • address and date of registration at the place of residence (place of stay), actual residence address;
  • contact telephone number, email address and/or information about other means of communication;
  • details of certificates of state registration of civil status acts and information contained therein;
  • information about marital status and family composition (degree of kinship, surnames, first names, patronymics (if any), dates (day, month, year) and places of birth);
  • information about education and/or qualification or possession of special knowledge (including name of educational and/or other organization, year of graduation, level of education, qualification, details of education or training document);
  • information about foreign language proficiency;
  • information about military duty, military registration and details of military registration documents (series, number, date of issue of the document, name of issuing authority);
  • information about employment history, as well as information about previous places of work, periods of work and length of service;
  • information contained in documents granting the right to stay and work in the territory of the Russian Federation (for foreign citizens staying in the Russian Federation);
  • information contained in a temporary residence permit, temporary residence permit for educational purposes (for foreign citizens temporarily residing in the Russian Federation), or residence permit (for foreign citizens permanently residing in the Russian Federation);
  • information about income and obligations under enforcement documents;
  • settlement account and bank card numbers;
  • health information (for certain categories).

2.2.3. Technical information automatically transmitted by the Website during use (including through the contextual advertising service referred to in clause 3.4 of this Policy):

  • source of visit to the Website;
  • search or advertising query information;
  • user device data (including resolution, version and other attributes characterizing the user device);
  • user clicks, page views, field completions, banner and video impressions and views;
  • data characterizing audience segments;
  • session parameters;
  • visit time data;
  • Website user identifier;
  • data from cookies.

2.2.4. The composition of personal data processed in respect of Personal Data Subjects may be specified in separate Consents to personal data processing posted on the Website.

2.3. The Personal Data Operator does not verify the accuracy of personal data provided by the Personal Data Subject. However, in cases provided for by agreements, the Personal Data Subject must provide confirmation of the authenticity of the information provided by him or her.

2.4. The Operator does not process biometric personal data or other special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or intimate life, except in cases provided for by the laws of the Russian Federation.

2.5. The Operator does not carry out cross-border transfer of personal data.

2.6. The categories of Personal Data Subjects whose personal data are processed by the Operator in accordance with the Policy include:

  • candidates for employment with the Operator;
  • employees of the Operator;
  • former employees of the Operator;
  • family members of employees of the Operator, in cases where information about them is provided by the employee under the law;
  • contractors and their representatives;
  • other persons whose personal data the Operator is required to process in accordance with the laws of the Russian Federation (including clients, customers, users of services provided by the Operator, and Website users).

3.  Rights and Obligations of the Operator

3.1. The Operator has the right to perform actions involving processing of personal data of Personal Data Subjects, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), anonymization, blocking, deletion, and any other actions with personal data provided for by the current laws of the Russian Federation.

3.2. The Operator stores personal data of Personal Data Subjects in accordance with the current laws of the Russian Federation.

3.3. The Operator has the right to transfer personal data of Personal Data Subjects to bodies of inquiry and investigation and other authorized bodies on grounds provided for by the current laws of the Russian Federation.

3.4. To improve the Website operation, the Operator has the right to use contextual advertising and statistics services that receive access to information about the Personal Data Subject's visit to the Website and actions on it.

Contextual advertising service:

Yandex.Metrica, OOO "YANDEX" (Russia), address: 16 Lev Tolstoy St., Moscow, Russia, 119021 (Yandex Services User Agreement is available at: https://yandex.ru/legal/rules; Privacy Policy is available at: https://yandex.ru/legal/confidential);

3.5. The Operator must obtain all personal data of the Personal Data Subject directly from him or her. If personal data of the Personal Data Subject can be obtained only from a third party, the Personal Data Subject must be notified of this in advance and his or her written consent (power of attorney) must be obtained. The Operator must inform the Personal Data Subject of the purposes, expected sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the Personal Data Subject's refusal to give written consent to obtain them.

3.6. The Operator has no right to obtain and process information about the Personal Data Subject that, under the laws of the Russian Federation in the field of personal data, falls within special categories of personal data, except in cases provided for by the Labor Code of the Russian Federation and other federal laws.

3.7. The Operator has no right to obtain and process personal data of the Personal Data Subject concerning his or her membership in public associations or trade union activity, except in cases provided for by the Labor Code of the Russian Federation or other federal laws.

3.8. When making decisions affecting the interests of the Personal Data Subject, the Operator has no right to rely on the Personal Data Subject's personal data obtained exclusively as a result of automated processing or electronic receipt.

3.9. The Operator must ensure protection of the Personal Data Subject's personal data against unlawful use or loss at its own expense in the manner established by the Labor Code of the Russian Federation or other federal laws.

3.10. The Operator must perform other obligations provided for by the Labor Code of the Russian Federation or other federal laws.

4. Rights and Obligations of the Personal Data Subject

4.1. The Personal Data Subject has the right to require the Operator to clarify, block or destroy his or her personal data, including where the personal data are incomplete;

4.2. The Personal Data Subject has the right to free and gratuitous access to his or her personal data, including the right to obtain copies of any record containing the Personal Data Subject's personal data, except in cases provided for by the laws of the Russian Federation;

4.3. The Personal Data Subject has the right, upon request, to receive from the Operator information concerning processing of his or her personal data. In accordance with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", the request must contain the number of the main identity document of the Personal Data Subject or his or her representative, information about the date of issue of that document and the issuing authority, information confirming the Personal Data Subject's participation in relations with the Personal Data Operator (agreement number, date of agreement, conventional verbal designation and/or other information), or information otherwise confirming the fact of processing of his or her personal data by the Personal Data Operator, and the signature of the Personal Data Subject or his or her representative;

4.4. The Personal Data Subject has the right to require the Operator to clarify, block or destroy his or her personal data in accordance with clause 4.6.1 of this Policy if the personal data are incomplete, including the right to independently delete information about himself or herself posted on the Website upon achievement of the processing purposes and in other cases at his or her discretion. It should be taken into account that full or partial deletion of posted information may make it impossible to use part of the Website functionality;

4.5. The Personal Data Subject has the right to independently make additions and changes to the personal data provided by him or her, including those posted on the Website.

4.6. The Personal Data Subject has the right at any time to require termination of transfer (distribution, provision, access) of personal data permitted for distribution.

4.6.1. The request shall be made in writing, unless otherwise established by this Policy. It must include the surname, first name, patronymic (if any), contact information (telephone number, email address or postal address) of the Personal Data Subject, as well as the list of personal data whose processing is to be terminated.

4.7. The Personal Data Subject has the right to independently make additions and changes to personal information posted on the Website.

4.8. The Personal Data Subject has other rights provided for by the Labor Code of the Russian Federation or other federal laws.

4.9. The Personal Data Subject must transfer to the Operator or its representative a set of accurate documented personal data required for the purposes of personal data processing in accordance with this Policy.

4.10. The Personal Data Subject must promptly, within a period not exceeding 5 (five) days, notify the Operator of changes to his or her personal data.

5.  Procedure and Conditions for Personal Data Processing

5.1. Before starting personal data processing, the Operator must notify Roskomnadzor of its intention to process personal data.

5.2. The legal basis for personal data processing is the Labor Code of the Russian Federation, Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data", Law of the Russian Federation No. 1032-1 dated April 19, 1991 "On Employment in the Russian Federation", Federal Law No. 402-FZ dated December 6, 2011 "On Accounting", Resolution of the Government of the Russian Federation No. 719 dated November 27, 2006 "On Approval of the Regulation on Military Registration", and other regulatory legal acts.

5.3. Personal data processing is carried out in compliance with the principles and conditions provided for by legislation in the field of personal data and this Policy.

5.4. Personal data processing by the Operator may be carried out in the following ways:

  • non-automated processing of personal data;
  • automated processing of personal data with or without transfer of the received information over information and telecommunications networks;
  • mixed processing of personal data.

5.5. Personal data processing by the Operator is carried out with the consent of the Personal Data Subject to processing of his or her personal data (in the form of Appendix No. 2 and Appendix No. 3 to this Policy), unless otherwise provided for by legislation in the field of personal data.

5.6. Processing of personal data permitted by the Personal Data Subject for distribution is carried out in compliance with the prohibitions and conditions provided for by Article 10.1 of the Personal Data Law.

5.7. Personal data processing is carried out by performing any action (operation) or set of actions (operations), with or without the use of automation tools, with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion and destruction of personal data.

5.8. The actions specified in clause 5.7 of this Policy are carried out by the Operator by means of:

  • obtaining originals of documents or their copies;
  • copying originals of documents;
  • entering information into record forms on paper and electronic media;
  • creating documents containing personal data on paper and electronic media;
  • entering personal data into personal data information systems;
  • other actions not prohibited by the laws of the Russian Federation.

5.9. The Operator uses the following information systems:

  • Bitrix24;
  • 1C:Enterprise software system;

The Operator has the right to use other systems in accordance with the laws of the Russian Federation.

6.  Terms of Personal Data Processing and Storage

6.1. Personal data processing by the Operator is terminated in the following cases:

  • upon identification of unlawful personal data processing. The processing shall be terminated within 3 (three) business days from the date such fact is identified;
  • upon achievement of the purposes of processing (subject to certain exceptions provided for by the laws of the Russian Federation);
  • upon expiry of the storage period for documents containing the Subject's personal data;
  • upon expiry of the consent period or upon withdrawal by the Personal Data Subject of consent to processing of his or her personal data, if under the Personal Data Law such processing is permitted only with consent.

6.2. Personal data are stored in a form enabling identification of the Personal Data Subject for no longer than required by the purposes of their processing. Exceptions are cases where the personal data storage period is established by a federal law or an agreement to which the Personal Data Subject is a party, beneficiary or guarantor.

6.3. Personal data on paper media are stored by the Operator during the storage periods for documents for which such periods are provided by archive legislation in the Russian Federation (Federal Law No. 125-FZ dated October 22, 2004 "On Archival Affairs in the Russian Federation"; List of standard administrative archive documents generated in the course of activities of state bodies, local self-government bodies and organizations, with storage periods specified, approved by Order of Rosarchive No. 236 dated December 20, 2019).

6.4. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper media.

7.  Procedure for Blocking and Destroying Personal Data

7.1. The Operator blocks personal data in the manner and on the conditions provided for by legislation in the field of personal data.

Upon achievement of the purposes of personal data processing or if the need to achieve such purposes ceases to exist, personal data are destroyed or anonymized. An exception may be provided for by federal law.

7.2. Personal data are destroyed upon achievement of the processing purpose, unless otherwise provided for by an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, another agreement between the Subject and the Operator, or unless the Operator has the right to process personal data without the Personal Data Subject's consent on grounds provided for by federal laws.

7.3. Upon reaching the maximum storage periods for documents containing personal data, the personal data are destroyed within 30 (thirty) days.

7.4. Personal data are destroyed (if their retention is not required for personal data processing purposes) within 30 (thirty) days from the date of receipt of the Personal Data Subject's withdrawal of consent to their processing. Personal data are also destroyed within that period if the Operator has no right to process them without the Personal Data Subject's consent on grounds provided for by federal laws.

7.5. Personal data whose processing has been terminated due to unlawfulness, and whose lawful processing cannot be ensured, are destroyed within 10 (ten) business days from the date the fact of unlawful processing is identified.

7.6. Illegally obtained personal data or personal data that are not necessary for the processing purpose are destroyed within 7 (seven) business days from the day the Personal Data Subject or his or her representative submits supporting information.

7.7. Selection of physical media (documents, hard drives, flash drives, etc.) and/or information in information systems containing personal data subject to destruction is carried out independently by the Operator.

7.8. Destruction of personal data is carried out independently by the Operator.

7.8.1. The Operator prepares a list indicating documents, other physical media and/or information in information systems containing personal data subject to destruction.

7.8.2. Personal data on paper media are destroyed using a shredder. Personal data on electronic media are destroyed by mechanically disrupting the integrity of the medium so that personal data cannot be read or restored, and by deleting data from electronic media using methods and tools for guaranteed deletion of residual information.

7.8.3. The Operator confirms destruction of personal data in accordance with the Requirements for Confirmation of Personal Data Destruction approved by Order of Roskomnadzor No. 179 dated October 28, 2022, namely:

  • by an act of personal data destruction, if the data are processed without using automation tools;
  • by an act of personal data destruction with an extract from the event log of the personal data information system attached thereto, if the data are processed using automation tools or both with and without such tools.

The act may be prepared on paper or in electronic form signed with electronic signatures. The form of the act is approved by this Policy (Appendix No. 4).

7.8.4. After preparing the act of personal data destruction and the extract from the event log of the personal data information system, the Operator stores them for 3 (three) years from the moment of personal data destruction.

7.8.5. Destruction of personal data not specified in this Policy is confirmed by an act (in the form of Appendix No. 4), which is prepared immediately after destruction of such data.

8.  Personal Data Protection. Procedures Aimed at Preventing and Detecting Violations of Legislation and Remedying the Consequences of Such Violations

8.1. The Personal Data Operator takes all necessary organizational and technical measures to protect personal data of Personal Data Subjects against unlawful or accidental access, blocking, destruction, modification, dissemination of personal information, and other unlawful actions with it. The Operator conducts internal audits of data collection, storage and processing processes and security measures, including appropriate encryption and measures to ensure physical data security to prevent unauthorized access to systems storing personal information, at least once a year.

8.2. The Personal Data Operator ensures recording, systematization, accumulation, storage, clarification (updating, modification) and retrieval of personal data of Personal Data Subjects using databases located in the territory of the Russian Federation.

8.3. Due to the absence of processing of biometric personal data by the personal data operator, the fourth level of personal data security is applied for security purposes (clause 13 of the Requirements approved by Resolution of the Government of the Russian Federation No. 1119 dated November 1, 2012):

  1. a security regime has been organized for the premises where the information system is located, preventing uncontrolled entry into or presence in such premises by persons who do not have access rights to them;
  2. the security of personal data media is ensured;
  3. this Policy defines the list of persons authorized to access personal data processed in the information system, where such access is necessary for performance of their official (employment) duties;
  4. information security tools that have passed conformity assessment procedures under the laws of the Russian Federation in the field of information security are used where application of such tools is necessary to neutralize current threats.

8.4. The Personal Data Operator has implemented the following measures to ensure personal data security:

  • a person responsible for organizing personal data processing and persons responsible for ensuring personal data security have been appointed: General Director of OOO "X64" M.V. Pyanin;
  • documents regulating personal data processing have been issued, as well as documents establishing procedures aimed at preventing and detecting violations of the laws of the Russian Federation and remedying the consequences of such violations;
  • personal data security threats have been identified and personal data protection requirements have been implemented based on the personal data security level;
  • information security tools that have passed the prescribed conformity assessment procedure are applied;
  • the effectiveness of measures taken to ensure personal data security has been assessed;
  • appropriate measures have been taken to protect against unauthorized access to personal data;
  • backup copies are made of databases containing personal data to enable restoration if they are modified or destroyed as a result of unauthorized access;
  • periodic internal inspections of the condition of the personal data protection system are carried out;
  • the harm that may be caused to the Personal Data Subject(s) in the event of violation of personal data protection legislation has been assessed, as has the correlation between such harm and the measures taken;
  • employees processing personal data have acknowledged in writing the personal data protection requirements, provisions of Russian Federation personal data legislation, and local acts on personal data processing;
  • without the written consent of the Personal Data Subject, the Operator does not disclose personal data to third parties or disseminate personal data, unless otherwise provided for by federal law;
  • the Operator does not disclose or disseminate personal data of Personal Data Subjects by telephone.

8.5. Persons whose positions involve personal data processing are admitted to such processing after signing a non-disclosure undertaking.

8.6. Physical media containing personal data are stored in specially designated cabinets. The Operator's premises where they are located are equipped with locking devices. Keys to the premises are issued with the Operator's written permission.

8.7. Access to personal information contained in the Operator's information systems is provided using individual passwords.

8.8. The Operator uses certified antivirus software with regularly updated databases.

8.9. The Operator processing personal data periodically, at least once a year, undergoes training on legal requirements in the field of personal data.

8.10. The Operator conducts internal investigations in the following situations:

  • in the event of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of Personal Data Subjects;
  • in other cases provided for by legislation in the field of personal data.

8.11. Security measures:

  • installation and configuration of information security tools;
  • use of protection against malicious software;
  • data backup and recovery;
  • ensuring security of information systems when operating on the Internet.

9.  Investigation of Facts of Unlawful or Accidental Transfer (Provision, Distribution, Access) of Personal Data Resulting in Violation of the Rights of the Personal Data Subject(s)

9.1. Identification by the Operator of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s).

9.2. Within 24 hours from the moment the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s) is identified, the Operator must notify Roskomnadzor and provide the following information:

  • about the incident that occurred;
  • about its presumed causes;
  • about harm caused to the rights of the Personal Data Subject(s);
  • about measures taken to remedy the consequences of the relevant incident;
  • information about the person authorized by the Operator to interact with Roskomnadzor on matters related to the identified incident (clause 3.1 of Article 21 of Federal Law No. 152-FZ).

Notice of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data may be submitted through the Personal Data Portal, through the service in the "Incidents (Leaks)" section on the page "Notice of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s)".

9.3. Conducting an internal investigation of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s).

During the internal investigation:

  • determine the causes of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data;
  • determine the harm caused to the rights of the Personal Data Subject(s);
  • determine the information system in which unauthorized access occurred;
  • determine the persons whose actions caused the incident;
  • determine the sufficiency of the Operator's personal data protection measures in personal data processing;
  • determine measures to remedy the consequences of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data.

9.4. Within 72 hours, inform Roskomnadzor of the results of the internal investigation of the incident and provide information about the perpetrators, if any, with final information on the results of the internal investigation, including:

  • the reasons that caused unlawful dissemination of personal data;
  • the harm caused to the rights of the Personal Data Subject(s);
  • the information system to which unauthorized access was gained;
  • the persons whose actions caused the incident (full name and position of the Operator's employee, or full name, name, IP address and presumed location of an external perpetrator if this information could be established);
  • additional measures taken based on the results of the internal investigation (to eliminate access, prevent similar incidents in the future, and other measures);
  • the Operator's decision, with its details, to conduct the internal inspection.

9.5. If necessary, report the breach to the State System for Detection, Prevention and Mitigation of Consequences of Computer Attacks on Information Resources of the Russian Federation (GosSOPKA) (Articles 5, 12 and 19 of Federal Law No. 187-FZ dated July 26, 2017 "On the Security of Critical Information Infrastructure of the Russian Federation"). The system operator is the National Coordination Center for Computer Incidents (NCCCI).

The notification procedure is determined by the FSB of Russia (Order of the FSB of Russia No. 367 dated July 24, 2018 "On Approval of the List of Information Submitted to the State System for Detection, Prevention and Mitigation of Consequences of Computer Attacks on Information Resources of the Russian Federation and the Procedure for Submitting Information to the State System for Detection, Prevention and Mitigation of Consequences of Computer Attacks on Information Resources of the Russian Federation").

For a Personal Data Operator that is not a critical information infrastructure entity, it is sufficient to submit information about the computer incident within 24 hours from its detection by postal, facsimile or electronic communication to the addresses (telephone numbers) of the NCCCI indicated on its official website in the "Report an Incident" section.

10.  Specific Provisions for Operators Engaging Third Parties for Personal Data Processing

10.1. The Operator has the right to entrust personal data processing to another person in the manner established by clause 3 of Article 6 of Federal Law No. 152-FZ.

10.2. The Operator's instruction for personal data processing must specify, among other things, requirements for that person concerning protection of the personal data being processed, including a requirement to notify the Operator of cases where facts are established of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s).

10.3. All notifications of facts of unlawful or accidental transfer (provision, distribution, access) of personal data resulting in violation of the rights of the Personal Data Subject(s) must be submitted to Roskomnadzor by the Personal Data Operator (clause 3.1 of Article 21 of Federal Law No. 152-FZ).

10.4. Pursuant to clause 5 of Article 6 of Federal Law No. 152-FZ, if the Operator entrusts personal data processing to another person, the Operator is liable to the Personal Data Subject for the actions of that person.

11.  Liability for Violation of Rules Governing Personal Data Processing

11.1. Persons guilty of violating provisions of the laws of the Russian Federation in the field of personal data during personal data processing shall be subject to disciplinary and material liability in the manner established by the Labor Code of the Russian Federation and other federal laws. They shall also be subject to administrative, civil or criminal liability in the manner established by federal laws.

11.2. Moral harm caused to the Personal Data Subject as a result of violation of his or her rights, violation of personal data processing rules, or failure to comply with requirements for personal data protection established by the Personal Data Law shall be compensated in accordance with the laws of the Russian Federation. Compensation for moral harm shall be made regardless of compensation for property damage and losses incurred by the Personal Data Subject.