This Policy (hereinafter referred to as the Policy) defines the main principles, purposes, and conditions for the processing of personal data, lists the subjects and categories of personal data, the rights of personal data subjects, and the measures to ensure the security of personal data in Lad IT Group (hereinafter referred to as the Operator). The processing of personal data, the volume, and the content of the processed personal data are determined in accordance with the Constitution of the Russian Federation, Federal Law No. 152 On Personal Data dated July 27, 2006, and other federal laws and regulations. Lad IT Group perimeter includes the following legal entities acting as Operators of personal data processing: EASYBIM INFORMATION TECHNOLOGY NETWORK SERVICES Limited Liability Company. This Policy is publicly accessible and must be posted on the information boards of Lad IT Group offices and on the website lad-dev.com.

The following key terms are used in the Policy:

• Automated processing of personal data: Processing of personal data using computing technology;
• Blocking of personal data: Temporary cessation of personal data processing (except in cases where processing is necessary to clarify personal data);
• Information system of personal data: A set of personal data contained in databases and information technologies and technical means that ensure their processing;
• Depersonalization of personal data: Actions that make it impossible to determine the affiliation of personal data to a specific personal data subject without additional information;
• Processing of personal data: Any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
• Operator: A state body, municipal body, legal entity, or individual that independently or jointly with others organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;
• Personal data: Any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
• Provision of personal data: Actions aimed at disclosing personal data to a specific person or a specific circle of persons;
• Dissemination of personal data: Actions aimed at disclosing personal data to an indefinite circle of persons (transfer of personal data) or at familiarizing an indefinite circle of persons with personal data, including the publication of personal data in the media, placement in information and telecommunication networks, or providing access to personal data in any other way;
• Destruction of personal data: Actions resulting in the impossibility of restoring the content of personal data in the personal data information system and (or) resulting in the destruction of the physical carriers of personal data,

The Operator is obliged to publish or otherwise ensure unrestricted access to this Policy in accordance with Part 2, Article 18.1 of Federal Law No. 152.

In accordance with the provisions of Federal Law No. 152, the Operator independently determines the categories of personal data subjects, the purposes of personal data processing, and the categories of personal data being processed. The categories of personal data subjects, the purposes of personal data processing, and the categories of personal data being processed are listed in Appendix 1 to this Policy.

The processing of personal data is carried out by the Operator based on the following principles:

• Lawfulness and fairness;
• Limiting personal data processing to the achievement of specific, predetermined, and lawful purposes;
• Preventing the processing of personal data incompatible with the purposes of personal data collection;
• Preventing the combining of databases containing personal data processed for purposes incompatible with each other;
• Processing only personal data that meets the purposes of its processing;
• Ensuring that the content and volume of processed personal data correspond to the stated purposes of processing;
• Preventing the processing of personal data that is excessive in relation to the stated purposes of processing;
• Ensuring the accuracy, sufficiency, and relevance of personal data concerning the purposes of personal data processing;
• Destroying or depersonalizing personal data upon achieving the purposes of its processing or if the necessity to achieve these purposes is lost unless otherwise provided by federal law.

The processing of personal data is carried out with the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation on personal data.
The personal data subject decides to provide their personal data and consents to their processing freely, by their will, and in their interest. Consent to the processing of personal data must be specific, informed, and conscious.
Consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows confirming the fact of its receipt unless otherwise established by federal law. In the case of obtaining consent to the processing of personal data from a representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject is verified by the Operator.
The processing of personal data by the Operator is carried out in the following ways:

• Non-automated processing of personal data;
• Automated processing of personal data.

In cases provided by Federal Law No. 152, the processing of personal data is carried out only with the written consent of the personal data subject. Consent in written form on paper is recognized as equivalent to the consent of the personal data subject containing their handwritten signature. Consent in written form of the personal data subject to the processing of their personal data is developed based on the standard form of written consent and includes, at a minimum, the following information:

• Last name, first name, patronymic, address of the personal data subject, the number of the primary identity document, information on the date of issuance of the specified document, and the issuing authority;
• Name or last name, first name, patronymic, and address of the operator receiving the consent of the personal data subject;
• The purpose of personal data processing;
• A list of personal data to be processed with the consent of the personal data subject;
• The name or last name, first name, patronymic, and address of the person carrying out the processing of personal data on behalf of the operator, if the processing is entrusted to such a person;
• A list of actions with personal data for which consent is given, and a general description of the methods used by the operator for processing personal data
• The period during which the consent of the personal data subject is valid, as well as the method of its withdrawal unless otherwise provided by federal law;
• The signature of the personal data subject.

If the personal data subject is incapacitated, consent to the processing of their personal data is given by the legal representative of the personal data subject. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance concerning the purposes of personal data processing must be ensured. The Operator must take the necessary measures or ensure their implementation to delete or clarify incomplete or inaccurate data.
Personal data is stored in a form that allows identifying the personal data subject for no longer than required by the purposes of personal data processing unless a longer period for storing personal data is established by federal law, a contract, where the personal data subject is a party, beneficiary, or guarantor. Consent to the processing of personal data may be withdrawn by the personal data subject. In case of withdrawal of consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds provided by Federal Law No. 152.
In case of withdrawal of consent to the processing of personal data, the Operator ceases processing or ensures the cessation of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator), and if the storage of personal data is no longer required for the purposes of processing, the personal data must be destroyed or their destruction ensured (if the processing of personal data is carried out by another person acting on behalf of the Operator). The destruction of personal data must be carried out within a period not exceeding 30 (thirty) days from the date of receipt of the withdrawal of consent to the processing of personal data unless otherwise provided by the contract, where the personal data subject is a party, beneficiary, or guarantor, or another agreement between the Operator and the personal data subject, or if the Operator is not entitled to process personal data without the consent of the personal data subject based on the grounds provided by the legislation of the Russian Federation.
In the case of withdrawal of consent to the processing of personal data, such processing may be continued without the consent of the personal data subject if there are grounds specified in paragraphs 2-11 of Part 1 of Article 6 and Part 2 of Article 11 of Federal Law No. 152.

The Operator does not process special categories of personal data concerning racial or ethnic origin, political views, religious or philosophical beliefs, health status, or intimate life, except in cases provided by the legislation of the Russian Federation.

Personal data subjects have the right to:

• Full information about their personal data processed by the Operator;
• Access to their personal data, including the right to receive a copy of any record containing their personal data, except in cases provided by federal law;
• Clarification of their personal data, blocking, or destruction if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
• Withdrawal of consent to the processing of personal data;
• Taking legal measures to protect their rights;
• Complaining about actions or inactions of the Operator, carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data, to the authorized body for the protection of the rights of personal data subjects or to the court;
• Exercising other rights provided by law.

The Operator and other persons who have access to personal data are obliged not to disclose personal data to third parties and not to disseminate personal data without the consent of the personal data subject unless otherwise provided by federal law.

The Operator performs the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.

The processing of personal data by the Operator is carried out for no longer than required by the purposes of personal data processing unless a longer period for processing personal data is established by federal law, a contract, where the personal data subject is a party, beneficiary, or guarantor. Personal data is subject to destruction or depersonalization upon achieving the purposes of processing or in case the necessity to achieve these purposes is lost, or in case the personal data subject withdraws consent to the processing of their personal data unless otherwise provided by federal law.

The security of personal data processed by the Operator is ensured by implementing legal, organizational, and technical measures necessary to meet the requirements of federal legislation in the field of personal data protection. To prevent unauthorized access to personal data, the Operator applies the following organizational and technical measures:

• Appointment of persons responsible for the organization of processing and protection of personal data;
• Limiting the number of persons with access to personal data;
• Familiarizing subjects with the requirements of federal legislation and the Operator’s regulatory documents on the processing and protection of personal data;
• Obtaining consent from personal data subjects for the processing of their personal data, except in cases provided by the legislation of the Russian Federation;
• Issuance of documents defining the Operator’s policy regarding the processing of personal data, local acts on personal data processing issues, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating the consequences of such violations;
• Organization of access control on the Operator’s premises.

EASYBIM INFORMATION TECHNOLOGY NETWORK SERVICES LLC
Legal address: Office 121, Malak Khalfan, Bin Lahej & Sons Real Estate Bur Dubai Al Quoz First

Within the activities of Lad IT Group, personal data subjects and the purposes of personal data processing are determined independently. The full list of personal data subjects and the purposes of personal data processing are provided in Table 1:

To achieve the purposes of personal data processing listed in Table 1, the Operator processes the following categories of personal data:

• Last name, first name, patronymic (including previous last name, first name, patronymic in case of their change);
• Date, month, year of birth;
• Place of birth;
• Citizenship;
• Registration address (place of residence) / actual residence address;
• Military service status and information reflected in military registration documents;
• Contact phone number, email address, or other contact details;
• Information about marital status, family composition;
• Information about education, qualifications, or special knowledge, including information on postgraduate professional education (including the name and year of graduation from the educational institution, the name and details of the educational document, qualifications, specialty by the educational document), information on the availability of a scientific degree, on professional retraining and (or) advanced training;
• Information about the availability of state awards, other awards, and distinctions (by whom and when awarded);
• Information on foreign language proficiency, degree of proficiency;
• Information on work performed from the start of professional activity (including military service, part-time work, entrepreneurship, etc.);
• Bank account number for salary payment;
• Information on salary, including information on the amount of salary, other payments, and rewards for the current calendar year and two calendar years preceding the termination of previous employment;
• Type, series, number of the identity document, the name of the issuing authority, the date of issuance, including passport data confirming the identity of a citizen of the Russian Federation abroad (series, number, name of the issuing authority, date of issuance);
• Social security number (SNILS);
• Taxpayer Identification Number (TIN);
• and other personal data.