Policy regarding processing of personal data

1. General provisions

1.1. This Policy regarding processing of personal data (hereinafter Policy) is developed and implemented between the limited liability company ExpoForum International (acronym – EF-International LLC), registered as of 4 April 2012 with the Saint-Petersburg inter-district inspectorate of the Federal Tax Service No 5 PSRN 1127847173068, TIN/CPP 7811518396/782001001, with its registered office in Peterburgskoye shosse, 64/1, Lit A, set. Shushary, Saint-Petersburg, 196140) (hereinafter Operator) in accordance with Federal Act No 152 of 27 July 2006 «On personal data», Federal Act No 38 of 13 March 2006 «On advertising» and other legal acts of the Russian Federation on personal data protection.

1.2. This policy applies to all personal data that could be obtained by Operator from individuals following their registration as visitors or participants of held at International exhibition and convention center EXPOFORUM, located at: Peterburgskoye shosse, 64/1, Lit A, set. Shushary, Saint-Petersburg, and at LENEXPO Exhibition complex located at: Bolshoy pr. v. O.103, Saint-Petersburg exhibitions and other events, organized by EF-International LLC (OPERATOR), through official Operator’s websites expoforum-center.ru, lenexpo.ru, expoforum.ru, gas-forum.ru, importnet.ru, cbc-spb.com, as well as exhibition’s websites, including second-level domain expoforum.ru in its website domain name, as well as all other sites whose domain names are owned by EF-International LLC (hereinafter Websites), which can be explicitly traced back to specific individuals and his or her personal data.

This Policy does not extend to relations:
– involved in processing personal data by Operator’s employees, since these relations are regulated by a local separate legal act of EF-International LLC;
– not covered under the Federal Act No 152 of 27 July 2006 On personal data.

1.3. This Policy defines Operator’s way of conduct regarding processing of obtained personal data; terms and conditions of individuals personal data processing, whose personal data was submitted to the Operator for processing (hereinafter Personal data subject, Subject) with or without automation facilities; sets forth procedures aimed at prevention of violations of laws of the Russian Federation and resolving consequences of such violations, referring to personal data processing.

1.4. The Policy is developed to ensure protection for rights and freedoms of Subjects during the processing of personal data, to inform Personal data subjects and individuals involved in processing of personal data on compliance with the principles of legality, justice, non-redundancy, processed data content and scope adequacy with the stated purposes of processing, as well as to establish responsibility of Operator’s officers with an access to Subjects’ personal data for non-compliance with standards and requirements, regulating the processing of personal data.

1.5. Operator processes the following personal data:
– last, first and middle name;
– official status;
– telephone number;
– e-mail address;
– details of services provided and being provided to Personal data subject, including history of Subject’s orders;
– calls history of Personal data subject, including documents submitted by Subject during his calls to Operator;
– marketing information, related, directly or indirectly to those being surveyed — Personal data subjects.

1.6. Following the use of Websites’ services Operator also processes non-personal data, automatically transferred during the Site surfing via installed computer software:
– information on the browser in use (or other program, through which site is accessed);
– IP-address;
– cookies data.

The Operator processes such data with Yandex.Metrica and Google Analytics web-services. Upon receipt of personal data not listed in this section, such data shall be immediately destroyed. The procedure for the use of these cookies shall be set forth in Appendix 2 to this Policy.

1.7. Operator processes Subject’s personal data by maintaining databases in automated, mechanical and manual fashion for the purposes of:

1.7.1. processing applications, requests or other actions of Subject, regarding his registration as visitor or participant of exhibition or any other event, including cancellation messages, replacement and postponement of event: reporting in relation to exhibition/ event, for which a Subject is registered as such, etc.;

1.7.2. in case of Subject’s expressed content – to promote goods, works and services of Operator in the market, to notice on exhibitions and other events to be held, promotions and marketing campaigns of Operator;

1.7.3. for different other purposes, so long as those activities do not run counter to the applicable legislation, Operator’s business and the consent to personal data processing given by Personal data subject;

1.7.4. data, pursuant to Clause 1.6. of this Policy, will be processed for analyzing Website, tracking and understanding its use by Website visitors, improvement of Website operation, dealing with technical problems of Website, expanding its services, identification of exhibitions and other events’ popularity, and efficiency of advertising campaigns, providing security and fraud prevention, providing efficient client service.

1.8. Operator processes personal data by undertaking any activity (operation) or a set of activities (operations), including:
– collection;
– record;
– systematization;
– accumulation;
– storage;
– specification (updating, change);
– extraction;
– use;
– transfer (distribution, provision, access);
– depersonalization;
– blocking;
– removal;
– destruction.

2. Collection, use and disclosure of personal data

2.1. Operator obtains and starts processing personal data upon receipt of Subject’s consent.
Consent to the processing of personal data may be conveyed in any form by Subject to confirm the receipt of consent, unless otherwise provided by federal law: orally, in writing or in some other way, as stipulated by existing legislation, including evidenced by course of Subject conduct. In the absence of Subject consent for processing personal data the processing shall not be entitled to such processing.

2.2. Subjects’ personal data is provided to Operator:
– personally by Subject when filling in registration forms electronically via Operator’s Sites
– personally by Subject following the calls to Operator;
– by any other means, consistent with the legislation of the Russian Federation and in accordance with requirements under international personal data protection laws.

2.3. Personal data processing consent is considered to be provided by Subject undertaking any of the acts or series of following acts:
– filling out documents in hard copies at the Operator’s office;
– registration on Operator’s Websites;
– provision of respective notation of personal data processing consent on Sites to an extent of, for the purposes and in accordance with the form, provided for consideration and completing prior to obtaining consent;
– provision of personal data orally when contacting Operator during registration as visitor or participant of exhibition or any other event.

2.4. Consent is considered to be duly provided and remains in force until submission of a relevant notice by Subject on termination of personal data processing at the location of Operator.

2.5. Such consent may be withdrawn by Subject at any time so long as this procedure does not contradict the existing legislation of the Russian Federation.
To withdraw personal data processing consent Subject shall send notice in writing to the postal address: Peterburgskoye shosse, 64/1, Lit A, set. Shushary, Saint-Petersburg, 196140 or via e-mail: reply@expoforum.ru.

If Subject withdraws his personal data processing consent Operator shall terminate the processing or provide termination (if the processing is conducted by a third party, acting on behalf of Operator) and if a storage of personal data is no longer required for processing shall destruct the data or provide its destruction (if the processing is conducted by a third party, acting on behalf of Operator) within a maximum of 30 (thirty) days since the receipt of the withdrawal notice, unless otherwise provided by Contract with the Subject being a party, beneficiary of that Contract, by any other Agreements between Operator and Subject, or if Operator is not entitled to personal data processing without Subject’s consent on the grounds of Federal Act No 152 of 27 July 2006 «On personal data» and any other federal acts.

3. Rules and regulations for personal data processing

3.1. For the purposes of this Policy only those Operator’s employees whose labor duties are in line with processing of personal data shall be admitted to the processing. Operator requires its employees to comply with the rules of confidentiality and provide personal data security while processing.

3.2. In accordance with this Policy Operator is entitled to processing personally or by engaging third parties for the purposes of this Policy.

3.3. In case of transfer processing execution to a third party the amount of personal data and processing methods shall be minimum necessary to fulfil obligations towards Operator. With regard to personal data processing by third parties they shall be obliged to ensure confidentiality and security of personal data during processing.

3.4. During processing Operator uses automatic personal data processing (by means of computer technologies) and manual (paper-based).
Decision-making, giving rise to legal consequences in respect to Personal data subject, or in any other way affecting their rights and legitimate interest, shall not be executed solely on the basis of automatic personal data processing by Operator.

3.5. Subject’s personal data is kept confidential, except for when it is voluntarily submitted for general access of public. In the instant case Subject agrees that a certain part of his personal data is made public.

3.6. The Operator terminates the processing of personal data in the following cases:

– achievement of the processing goals or the maximum storage period – within 30 days;

– no further need for the achievement of the processing goals – within 30 days;

– provision by the Subject or his/her legal representative of information confirming that his/her personal data have been illegally obtained or are not necessary for the declared processing purpose – within 7 days;

– impossibility to ensure the legality of the processing of personal data – within 10 days;

– withdrawal by the Subject of his/her personal data processing consent – within 30 days.

3.7. In accordance with Article 21, Part 5 of Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data”, the Operator shall terminate the processing of personal data of the Subject and shall not destroy them in the following cases, unless otherwise provided for by the contract, the party and the beneficiary or the guarantor to which is the Subject, or the Operator is entitled to process personal data without the Subject’s consent on the grounds provided for by federal laws, the periods for the processing of personal data of the Subject established by federal laws of the Russian Federation and other regulations have not expired.

4. On implemented requirements to personal data protection

4.1. Operator activities providing personal data protection is integrally related with protection of received information confidentiality.

4.2. Operator requires other persons who have obtained access to personal data not to disclose personal data to third parties and not to disseminate personal data without Personal data subject’s consent unless otherwise stated by federal law.

4.3. All developments by Operator shall ensure personal data confidentiality, as well as any other information, revealed to Operator, unless otherwise stated by legislation of the Russian Federation.

4.4. During processing Operator shall take all necessary and relevant legal, organizational and technical measures to ensure personal data protection against illegal or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as against all other illegal actions in this regard. Operator shall ensure all personal dada organizational and technical protection activities to be performed on a legal basis, including in compliance with the Russian Federation legislative requirements to personal data processing.

4.5. Operator takes necessary and relevant legal, organizational and technical measures to protect personal data, including:
– definition of personal data security threat during their processing in personal data information systems;
– application of organizational and technical measures aimed at providing personal data protection during their processing in personal data information systems, necessary to fulfil requirements to personal data protection at a level set by the Government of the Russian Federation;
– enforcement of data security remedies which have duly undergone compliance verification procedures;
– assessment of efficiency of actions taken to protect personal data prior to personal data information system startup;
– record of hardware personal data storage medium;
– detection of personal data unauthorized access and taking necessary measures to address identified facts;
– personal data recovery after being modified or destructed during unauthorized access to them;
– undertaking actions aimed at countering unauthorized personal data access, and(or) their dissemination to parties with no proper rights for access to this information;
– timely detection of unauthorized personal data access and taking relevant measures;
– prevention of impacts on technical means of personal data processing, which are likely to compromise them;
– establishment of access rules regarding personal data, processed in personal data information system, as well as ensuring registration and record of all actions with personal data in personal data information system;
– control over measures taken to ensure personal data security and protection level of personal data information system.

Set of security measures aimed at protecting personal data by Operator in the framework of personal data protection system, given the threats to security of current concern and applied information technologies, include:
– identification and authorization of access subjects and objects;
– subjects’ access to objects management;
– software environment restrictions;
– protection of hardware data medium, storing or (and) processing personal data;
– logging security events;
– antivirus protection;
– intrusion detection (prevention);
– ensuring information system and personal data integrity;
– virtualization security;
– protection of technical tools;
– protection of information system, its tools, datacom and telecom communications;
– recognition and response to incidents (one event or a group of events), likely to lead to failure or malfunctions of information system and (or) personal data security threats;
– information system and personal data information system’ configuration management.

4.6. To ensure personal data protection level relevant to the requirements of Federal Act No 152 of 27 July 2006 «On personal data» and Federal Act No 149 of 27 July 2006 «On information, information technologies and protection of information» Operator shall not reveal information on specific techniques and measures to provide personal data information security.

4.7. Operator will not disclose personal data obtained from Subject. Provision of personal data by Operator to agents and third parties, acting under agreements with Operator to perform obligations towards Subject, constitutes no violation. Dissemination of information in accordance with requirements of the Russian Federation applicable legislation constitutes no violations.

5. Consent to Receive Advertising Information by Public Networks

5.1. Registering as a visitor or participant of exhibition or any other event, applying for newsletter, subscribing for marketing information:
– by filing out a specific document in a hard copy at the location of Operator;
-on Operator’s Sites (by Personal data subject ticking off on the relevant web-page)
Subject provides consent to personal data processing and receipt of newsletter, including commercial, marketing information (advertising), specified by Clause 1.7.2. from Operator and third parties, assigned by Operator, over telecommunication networks (via provided telephone number or e-mail address).

5.2. Giving its consent, pursuant to Clause 5.1. of the Policy, Personal data subject confirms acting of the own free will and for the own advantage, and that the specified personal data are true and credible.

6. Final provisions

6.1. This Policy is approved by Order of EF-International LLC General Director and shall enter into force commencing the day of signing the Order.

6.2. Amendments and alterations hereto shall be approved by Order of EF-International LLC General Director.

6.3. Current edition of the Policy is made publicly available through Internet addresses: expoforum-center.ru, lenexpo.ru, expoforum.ru, gas-forum.ru, importnet.ru, cbc-spb.com, as well as on exhibition’s websites, including those having second-level domain expoforum.ru in its website domain name, as well as all other sites whose domain names are owned by EF-International LLC (hereinafter Websites), which can be explicitly traced back to specific individuals and his or her personal data, and on official websites of exhibitions and other events, organized by EF-International LLC.