Privacy policy

1. GENERAL POLICY
The policy of personal data processing (hereinafter referred to as the «Policy») is developed in
accordance with the Federal Law of 27.07.2006. No. 152-FZ «On Personal Data» (hereinafter
referred to as «152-FZ»). This Policy defines the procedure for processing of personal data of
persons (hereinafter referred to as the «User») collected during the use of Operator web-services
(hereinafter referred to as the «Service»), measures to ensure the security of personal data and
the procedure for storing personal data by the Limited Liability Company i20 (hereinafter
referred to as the «Operator») for the purpose of protecting the rights and liberties of a person
while processing his personal data, including the protection of privacy rights, personal and
family secrets.
1.1. The following main terms are used in the Policy:
Automated processing of personal data - personal data processing by means of computer
technologies;
Personal data information system- a combination of personal data contained in databases, and
information technologies and hardware used for data processing;
Personal data processing - any action (operation) or a combination of actions (operations)
performed both automatically or manually with personal data, including collection, recording,
systematization, accumulation, storage, specification (updating, changing), extraction, use,
transfer (distribution, provision, access), depersonalization, blocking and destruction of personal
data;
Dissemination of personal data - an action related to disclosing personal data to a definite
range of persons by prior consent, in cases provided for by federal law.
Depersonalization of personal data - an action, as a result of which it is impossible to
determine without the use of additional information the identity of the individual who is a subject
of personal data;
Blocking of personal data - the temporary cessation of personal data processing (except for the
cases when the processing is necessary for personal data specification);
Destruction of personal data - actions, as a result of which it becomes impossible to restore the
content of personal data in the respective database and/or as a result of which the tangible
medium of personal data is destroyed.
Provision of personal data - actions related to making personal data available to a definite
person or a definite range of persons.
Service - a software system with a specific interface for a computer, providing the publication
for public view of information and data united by a common purpose, through the technical
means used for communication between computers on the Internet. Services in this Agreement
are understood as the web-service under the name «Drupalgeddon».
Operator - an organization, independently or jointly with other persons organizing the
processing of personal data, as well as determining the purposes of processing personal data
subject to processing, actions (operations) performed with personal data. The Operator is the
Limited Liability Company i20 located at the address: 20-109, Kostycheva street, Novosibirsk,
Russia.
User — a user of the Internet and, in particular, of the Service, who has his own personal page
(profile/account).

2. PRINCIPLES AND TERMS OF THE PERSONAL DATA PROCESSING
2.1. Principles of personal data processing
The processing of personal data by the Operator is carried out on the basis of the following
principles:
– legal and equitable basis;
– restrictions on the processing of personal data by the achievement of specific, pre-
determined and legal purposes;
– preventing the processing of personal data incompatible with the purposes of personal
data collection;
– preventing the unification of databases containing personal data, processing of which is
carried out for purposes incompatible with each other;
– processing of only those personal data that meet the purposes of their processing;
– compliance of character and scope of processed personal data with the declared purposes
of such data processing;
– preventing the processing of personal data that is excessive in relation to the declared
purposes of data processing;
– ensuring the accuracy, adequacy and relevance of personal data in relation to the purposes
of data processing;
– destruction or depersonalization of personal data upon achieving the purposes of their
processing as well as when such purposes cease to be relevant if the Operator can not
eliminate the admitted violations of personal data, unless otherwise provided for by
federal law.
2.2. Terms of the processing of personal data
The processing of personal data is carried out by the Operator under the following terms:
- the processing of the personal data of the Users of the Service is carried out in accordance
with the Civil Code of the Russian Federation, the Constitution of the Russian Federation, the
current legislation of the Russian Federation in the field of personal data protection.
- the processing of personal data by the Service is carried out in compliance with the
principles and terms provided for by the legislation of the Russian Federation.
The processing of personal data is allowed in the following cases:
- the processing of personal data is necessary for the use of the Service, to which the User is a
party;
- the processing of personal data is necessary to protect the life, health or other vital interests of
the User of the Service, if the obtaining of consent is impossible;
- the processing of personal data is necessary for the implementation of the rights and legal
interests of the Operator or third parties or for the achievement of socially significant purposes,
provided that the rights and liberties of the User of the Service are not violated thereby;
- the processing of personal data is carried out for statistical or other research purposes, except
for the processing of personal data in order to promote goods, works, services on the market by
making direct contacts with potential consumers by means of communications, as well as for
political agitation, subject to mandatory depersonalization of personal data.
2.3. Purposes of the processing of personal data
2.3.1. The processing of the personal data of the User of the Service is carried out solely in order
to provide the User with the opportunity to interact with the Service.
2.3.2. Information constituting personal data on the Service is any information related to a
certain person or a subject to such information to a person (a subject of personal data).

3. RIGHTS OF A PERSONAL DATA SUBJECT
3.1. The subject of personal data decides to provide his personal data and consent to the
processing thereof freely, of his own will and in his own interest. Consent to the processing of
personal data may be given by the subject of personal data or his representative in any form
which provides evidence of its receipt, unless otherwise provided for by federal law. Obligation
to provide evidence of the consent of the personal data subject to processing of his personal data
or evidence of the grounds specified in 152-FZ is assigned to the Operator.
3.2. Rights of personal data subjects (Users)
3.2.1. The User has the right to receive information about the Operator, the place of his location,
the presence of the Operator's personal data relating to his personal data (the User's data), as well
as to acquaint himself with such personal data, except for the cases provided for by part 8 of
Article 14 of 152-FZ.
3.2.2. The User has the right to receive from the Operator, upon a personal request or upon
receipt of a written request from the User by the Operator, the following information regarding
the processing of his personal data and including:
– confirmation of the fact of processing of personal data by the Operator, as well as the
purpose of such processing;
– legal grounds and purposes for the processing of personal data;
– purposes and methods of processing personal data used by the Operator;
– name and location of the Operator, information on persons (except for the operator's
employees) who have access to personal data or who can disclose personal data on the
basis of a contract with the Operator or on the basis of 152-FZ;
– processed personal data relating to the relevant personal data subject, the source of their
receipt, unless another procedure for providing such data is provided for by 152-FZ;
– the terms of processing of personal data, including the terms of their storage;
– the procedure for the subject of personal data to exercise the rights provided for by 152-
FZ;
– information on the carried out or expected transboundary transfer of personal data;
– surname, first name, patronymic and address of the person carrying out the processing of
personal data on behalf of the Operator, if the processing is entrusted or will be entrusted
to such person;
– other information provided for by 152-FZ or other federal laws;
– to require changes, clarification, destruction of his personal information;
– to appeal against wrongful acts or omissions regarding the processing of personal data
and to demand appropriate compensation in court;
– to supplement personal data of an evaluation nature with a statement expressing his own
point of view;identify representatives to protect their personal data;
– to require the Operator to notify all changes or exceptions made therein.
3.2.3. The User has the right to appeal against the actions or omissions of the Operator in the
authorized body for protecting the rights of subjects of personal data or in court proceedings if he
believes that the Operator carries out the processing of his personal data in violation of the
requirements of 152-FZ or otherwise violates his rights and liberties.
3.2.4. The User has the right to protect his rights and legal interests, including compensation for
damages and (or) compensation for moral harm in court.

4. OBLIGATIONS OF THE OPERATOR
4.1. Upon a personal request or upon receipt of a written request from the subject of personal
data or his representative, the Operator, provided that there are grounds, is obliged to provide
information within the period specified in 152-FZ — within 30 days from the date of application
or receipt of the request of the personal data subject or his representative. Such information
should be provided to the personal data subject in an accessible form and they should not contain
personal data relating to other personal data subjects, unless there are legal reasons for disclosing
such personal data.
4.2. All appeals of subjects of personal data or their representatives are registered in the Journal
of Registration of Citizens' Appeals (subjects of personal data) concerning the processing of
personal data.
4.3. In case of refusal to provide personal data to the subject or his representative when applying
for or when a personal data subject or his representative receives a request for information about
the availability of personal data on the relevant personal data subject, the Operator must give a
written response that contains a reference to the provision of part 8 of Article 14 152-FZ or other
federal law, which is the basis for such refusal, within a period not exceeding 30 days from the
date of the request of the personal data subject or his representative, or from the date of receipt of
the request of the personal data subject or his representative.
4.4. In case of receiving a request from the authorized body for protection of the rights of
subjects of personal data on providing information necessary for carrying out the activities of the
specified body, the Operator shall send such information to the authorized body within 30 days
from the date of the receipt of such request.
4.5. In case of revealing illegal processing of personal data when the subject of personal data or
his representative or an authorized body for protection of the rights of subjects of personal data is
contacted, the Operator shall block the illegally processed personal data relating to this personal
data subject from the time of such action or receipt of the request for the verification period.
4.6. In case of revealing illegal processing of personal data carried out by the Operator, it shall be
obliged to stop illegal processing of personal data within a period not exceeding 3 working days
from the date of this detection. On the elimination of violations, the Operator is obliged to notify
the subject of personal data or his representative, and, if the request of the personal data subject
or his representative or the request of the authorized body for protection of the rights of subjects
of personal data was sent by the authorized body for protection of the rights of subjects of
personal data, also such authorized body. In the event that the purpose of processing personal
data is achieved, the Operator must stop processing personal data and destroy personal data
within a period not exceeding 30 working days from the date of achieving the purpose of
processing personal data, unless otherwise provided by the contract to which the subject of
personal data is a party.
4.7. It is prohibited to make decisions on the basis of an exclusively automated processing of
personal data that generate legal consequences with respect to the subject of personal data or
otherwise affect his rights and legal interests.

5. SAFETY OF PERSONAL DATA.
MEASURES APPLIED TO PROTECTION OF PERSONAL INFORMATION
5.1. The safety of personal data processed by the Operator is provided by the implementation of
legal, organizational and technical measures necessary to ensure the requirements of federal
legislation in the field of personal data protection.
5.2. To prevent unauthorized access to personal data, the Operator applies the following
organizational and technical measures:
- appointment of employees responsible for organizing the processing and protection of personal
data;
- restriction of the composition of persons having access to personal data;
- familiarization of the subjects with the requirements of the federal legislation and regulatory
documents of the Operator for the processing and protection of personal data;
- organization of accounting, storage and circulation of information carriers;
- Identification of threats to the security of personal data during processing, the formation of
threat models based on them;
- development of a personal data protection system based on the threat model;
- checking the readiness and effectiveness of using information protection tools;
- delineation of users' access to information resources and software and hardware information
processing tools;
- registration and recording of actions of users of information systems of personal data;
- use of anti-virus and means of restoring the system of personal data protection;
- application of firewall, intrusion detection, security analysis and cryptographic protection of
information in necessary cases;
- the organization of an access regime to the territory of the Operator, the protection of premises
with technical means for processing personal data.

6. FINAL PROVISIONS
6.1. Other rights and obligations of the Operator as a personal data operator are determined by
the legislation of the Russian Federation in the field of personal data. Employees of the Operator
who are guilty of violating the rules governing the processing and protection of personal data
bear material, disciplinary, administrative, civil or criminal liability specified by federal laws.

Publication date: April 27, 2018