1.1. This Policy (hereinafter referred to as the Policy) defines the general principles and procedure for the processing of personal data and measures to ensure their security at LLC "Sigma Lab" (hereinafter referred to as the Company).

1.2. The purpose of this Policy is to ensure the protection of human rights and freedoms when processing personal data, including the protection of the right to privacy, personal and family secrets, as well as compliance with the requirements of the legislation of the Russian Federation and international agreements of the Russian Federation in the field of personal data.

1.2. The purpose of this Policy is to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of the rights to privacy, personal and family secrets, and compliance with the requirements of the legislation of the Russian Federation and international treaties of the Russian Federation in the field of personal data.

• Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
• Resolution of the Government of the Russian Federation No. 1119 of 01.11.2012 "On Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems";
• Order of the FSTEC of Russia No. 21 of 18.02.2013 "On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems";
• Order of Roskomnadzor No. 996 of 05.09.2013 "On Approval of Requirements and Methods for Anonymizing Personal Data";
• Recommendations for the preparation of a document defining the operator's policy regarding the processing of personal data, as established by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data."

1.4. The following basic concepts are used in this Policy:

• personal data - any information relating directly or indirectly to a specific or identifiable individual (personal data subject);
• special categories of personal data — information related to race, nationality, political views, religious or philosophical beliefs, and health status;
• biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which is used by the operator to identify the subject of personal data;
• personal data allowed by the personal data subject for distribution - personal data, access to which an unlimited number of persons is provided by the subject of personal data by giving consent to the processing of personal data allowed by the personal data subject for distribution in accordance with the procedure provided for by applicable law;
• publicly available personal data — personal data to which access is provided by an unlimited number of persons on the basis of legislation by the personal data subject or at his request, as well as data that is subject to mandatory disclosure or publication;
• personal data subject is an individual whose personal data is processed;
• operator is a state body, a municipal body, a legal entity or an individual that, independently or jointly with other persons, organizes and/or processes personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data; in the Policy, an operator means the Company, unless otherwise specified;
• personal data processing - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collecting, recording, systematizing, accumulating, storing, clarifying (updating, changing), extracting, using, transferring (distributing, providing, accessing), anonymizing, blocking, deleting, destroying personal data;
• automated processing of personal data - processing of personal data using computer technology;
• access to personal data — familiarizing certain persons (including employees) with the personal data of subjects processed by the Company, provided that this information is kept confidential;
• confidentiality of personal data - the obligation of persons who have access to personal data not to disclose it to third parties and not to disseminate personal data without the consent of the personal data subject, unless otherwise provided by law;
• anonymization of personal data - actions that make it impossible, without using additional information, to determine whether personal data belongs to a specific personal data subject;
• destruction of personal data - actions that make it impossible to restore the content of personal data in the personal data information system and/or as a result of which material carriers of personal data are destroyed;
• blocking personal data - temporary cessation of personal data processing (except when processing is necessary to clarify personal data);
• counterparty is a party to an agreement with the Company who is not an employee of the Company;
• provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons;
• dissemination of personal data - actions aimed at disclosing personal data to an indefinite number of persons;
• cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity;
• personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
• Personal Data Act - Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” with all amendments and additions.

2.1. The Company is an operator for personal data of the following categories of individuals:

• employees of the Company with whom the Company has or has concluded employment contracts, including former employees with whom employment contracts have been terminated (terminated) (hereinafter referred to as Employees);
• close relatives, spouses of the Company's employees and dependent persons of employees (hereinafter referred to as Family Members of Employees); representatives of the Company's members (hereinafter referred to as the Company's Representatives).
• applicants for vacancies in the Company (candidates for employment by the Company) who submitted their resumes or questionnaires containing personal data, in person or through specialized recruitment organizations (recruitment agencies), including through specialized websites on the Internet (hereinafter referred to as the Applicants);
• individual counterparties, representatives of counterparties — legal entities and individual entrepreneurs, including employees, owners, including beneficial owners, representatives acting under a power of attorney and other representatives of counterparties with whom the Company has contractual relations, with whom the Company intends to enter into contractual relations or who intend to enter into contractual relations with the Company (hereinafter referred to as the Counterparty Representatives);
• representatives of personal data subjects who are not employees of the Company and who apply to the Company on behalf of and on behalf of personal data subjects (hereinafter referred to as Representatives of personal data subjects);
• end users of the Company's products, whose personal data is subject to processing due to the need to provide a limited amount of personal data as part of compliance with the requirements for monitoring the safety of medical devices;
• visitors to the Company's protected premises who do not have the right to permanently enter such premises (hereinafter referred to as Visitors); registered or unregistered users of the JUFORA website owned by Sigma Lab LLC (hereinafter referred to as Site Users).

The Company is a person that processes personal data on behalf of other operators, which include (without limitation):

• authorities and state extra-budgetary funds to which employees' funds or funds are transferred to employees' accounts (Inspectorates of the Federal Tax Service, territorial branches of the Pension Fund of the Russian Federation, the Federal Mandatory Medical Insurance Fund, the Social Insurance Fund of the Russian Federation, etc.) );
• statistical authorities, municipal government units and other competent authorities, telecom operators to whom this information must be provided in accordance with the legislation of the Russian Federation.

To authorities and state extra-budgetary funds, telecom operators and other bodies specified in paragraph 2.2, personal data are provided (transferred) to the extent specified by law, by relevant authorities and state extra-budgetary funds within their powers. The consent of the subjects for such a transfer of personal data is not required.

The Company processes personal data in accordance with the following principles:

3.2. Restricting the processing of personal data to the achievement of specific, predetermined and legitimate goals. The purposes of processing personal data by the Company are:

• with respect to Employees — execution of concluded employment contracts, including assistance in training and promotion, ensuring the personal safety of employees, controlling the quantity and quality of work performed, ensuring the safety of property; calculating and paying salaries and other rewards, calculating and transferring taxes and insurance premiums; providing Employees with additional services at the employer's expense (ensuring business trips, organizing training for Employees, etc.), complying with the requirements of regulatory legal acts of the authorities state statistical accounting, maintaining personnel records, monitoring compliance with legislation and the Company's internal procedures;
• with respect to family members of employees — providing Employees with benefits and guarantees provided for by law for persons with (adopted) children and persons with family responsibilities; compliance with the requirements of the Labor Code of the Russian Federation to inform relatives about accidents; compliance with the requirements of regulatory legal acts of state statistical authorities;
• with respect to the Company's Representatives — processing information from representatives of the Company's members for the purposes of notifying, preparing and participating in meetings, voting and exercising other corporate rights;
• with respect to Representatives of personal data subjects, the Company performs actions on behalf of the Representatives of personal data subjects;
• with regard to Visitors, ensuring that persons who do not have permanent permits can enter the Company's protected premises, monitor their departure from protected premises, and provide parking opportunities on the Company's territory;
• in relation to Site Users — informing Site Users about the Company's activities and products manufactured and/or sold.

3.3. Processing only those personal data that meet the pre-announced purposes of their processing; compliance of the content and volume of personal data processed with the stated purposes of processing; preventing the processing of personal data that is incompatible with the purposes of collecting personal data, as well as the processing of redundant personal data in relation to the stated purposes.

3.4. Ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing. The Company takes all reasonable measures to maintain the relevance of the processed personal data.

3.5. The storage of personal data in a form that allows identifying the subject of personal data is not longer than required by the purposes of personal data processing, unless the period for storing personal data is established by law, an agreement to which the personal data subject is a party, as well as the consent of the personal data subject to data processing.

3.6. Destruction of personal data when the stated purposes of their processing are achieved or if there is no need to achieve these goals, if the Company is unable to eliminate violations of the legal procedure for processing personal data, withdraws consent to processing by the personal data subject, expires the personal data processing period established by the Company's local acts, and consent to the processing of personal data, unless otherwise provided by law or agreements with personal data subjects.

4.1. The Company may process personal data in the following cases:

• 4.1.1. If the personal data subject agrees to the processing of his personal data.
• 4.1.2. The processing of personal data is necessary to carry out and perform the functions, powers and duties assigned to the Company by law.
• 4.1.3. To conclude an agreement on the initiative of the personal data subject and execute an agreement to which the personal data subject is a party. Such agreements, without limitation, are employment contracts with Employees and user agreements on the Company's websites on the Internet. Until the conclusion of these agreements, the Company processes personal data at the stage of pre-contractual work when recruiting personnel, when the subject's consent to processing is confirmed by the Applicant's personally completed questionnaire or questionnaire (resume) sent by him to the Company or to a specialized recruitment organization, or posted by the Applicant on specialized websites on the Internet, or sent by the Applicant to the Company by e-mail.
• 4.1.4. The processing of personal data by the Company is necessary to exercise the rights and legitimate interests of the Company and/or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of personal data subjects.
• 4.1.5. Personal data is processed for statistical or other research purposes, subject to mandatory anonymization of personal data.
• 4.1.6. Processing of personal data, access to which an unlimited number of persons is provided by the subject of personal data or at his request.
• 4.1.7. Personal data is subject to publication or mandatory disclosure in accordance with the law.

4.2. The Company does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by law, an agreement with the personal data subject, is not specified in the consent received from him to process personal data, or personal data is not made publicly available by the subject independently.

4.3. The Company does not process personal data related to special categories and relating to race and nationality, political views, religious or philosophical beliefs, intimate life, or the membership of personal data subjects in public associations or their trade union activities, with the exception of information about the state of health related to the issue of the Employee's ability to perform a job function and necessary for the purposes specified in pension legislation and social insurance legislation.

4.4. The Company may process personal data on criminal records only in cases and in accordance with the procedure established by law.

4.5. When collecting personal data, the Company ensures that personal data is recorded, systematized, accumulated, stored, clarified (updated, amended), and extracted using databases located on the Company's territory and in data centers in the Russian Federation.

4.6. The Company transfers the personal data of employees whose duties are related to the Company's foreign partners across borders. Cross-border transfer of personal data takes place in:
- foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automated Processing of Personal Data;
- foreign states that are not parties to the Council of Europe Convention for the Protection of Individuals with regard to Automated Processing of Personal Data, which ensure adequate protection of the rights of personal data subjects.
Cross-border transfer of personal data to foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out if the personal data subject agrees in writing to the cross-border transfer of his personal data, as well as if an agreement to which the personal data subject or an authorized person appointed by the subject of personal data is executed.

4.7. Consent to the processing of personal data permitted by the personal data subject for distribution is issued separately from other consents of the personal data subject to the processing of his personal data.

5.1. The Company processes personal data using automation tools, without using such tools, as well as mixed processing of personal data.

Personal data confidentiality

6.1. Employees of the Company who have access to personal data must ensure the confidentiality of such data.

Confidentiality is not required for publicly available personal data and data that has been anonymized.

With the consent of the personal data subject, the Company has the right to entrust the processing of personal data to another person, unless otherwise provided by federal legislation, on the basis of an agreement concluded with this person, which provides as an essential condition for the obligation of the person processing personal data on behalf of the Company to comply with the principles and rules for processing personal data provided for by law.

The Company's instructions should define a list of actions (operations) with personal data that will be performed by a person processing personal data and the purposes of processing, must establish the obligation of such a person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, and must specify the requirements for the protection of processed personal data in accordance with Article 19 of the Law on Personal Data.

If the Company entrusts the processing of personal data to another person, the Company is responsible to the personal data subject for the actions of this person. A person who processes personal data on behalf of the Company is responsible to the Company.

7.1. The personal data subject decides to provide his personal data to the Company and agrees to their processing freely, by his own will and in his own interest. Consent to the processing of personal data must be specific, substantive, informed and unambiguous and can be provided by the subject in any form that allows confirming its receipt, unless otherwise provided by law. If consent to the processing of personal data is obtained from a representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject is verified by the Company.

If the Company receives personal data from a counterparty on the basis and for the purpose of concluding and/or executing an agreement concluded with it, the counterparty transferring personal data is responsible for the legality and accuracy of personal data, as well as for obtaining the consent of the Counterparty Representatives and the Company's Employees to transfer their personal data to the Company.

The Company undertakes to obtain the Employee's consent to process his personal data in writing due to the Employee's performance of his duties, which in one way or another involve the processing and/or transfer of his personal data by third parties, including:

• 7.3.1. Obtaining employees' personal data from third parties, including for the purpose of verifying such personal data, as well as in cases where such data cannot be obtained from the Employee himself.
• 7.3.2. Transfer of the Employee's personal data to any third party, including the transfer of the Employee's personal data when sent on business trips, for training and professional development, when booking hotels and tickets, when preparing publications, membership in various associations, for the purpose of participating in conferences, round tables, scientific events, when interacting with government agencies as part of professional, academic and/or scientific activities.
• 7.3.3. Transfer of the Employee's personal data to third parties for commercial purposes, including printing companies that produce employees' business cards at the employer's expense, organizers of business exhibitions and conferences, organizations engaged in providing business trips, booking tickets, etc.
• 7.3.4. Transfer of the Employee's personal data to organizations that provide consulting and comprehensive support for the Company's activities in the field of accounting, tax and personnel records, labor protection, material and technical support and other support for the Company's activities.
• 7.3.5. Transfer of the Employee's personal data to audit organizations in order to perform audit procedures.
• 7.3.6. Transfer of the Employee's personal data to notaries for issuing notarized powers of attorney on behalf of the Company and performing other notarial acts.
• 7.3.7. Transfer of the Employee's personal data to organizations that provide services and implement and/or maintain software products and databases designed to automate management and accounting in order to introduce and/or maintain software products and databases designed to automate management and accounting in the Company's activities.
• 7.3.8. Transfer of personal data to the landlord in order to ensure the access of Employees to secure leased premises.

In other cases, the Employee's express consent to the processing of his personal data is not required, since processing is necessary for the performance of an employment contract to which the Employee is a party.

The express consent of family members of the Company's employees is not required if their personal data is processed on the basis of legislation (for calculating alimony, processing social benefits, providing benefits and guarantees, etc.) and is carried out by the Company as an employer in accordance with the requirements of the Labor Code of the Russian Federation and state statistical authorities.

The express consent of Applicants to the processing of their personal data is not required, since such processing is necessary in order to conclude employment contracts at the initiative of Applicants-personal data subjects, except when it is necessary to obtain the Applicant's written consent for specific cases of personal data processing. The Applicant's personal data contained in his application form, resume, emails sent to the Company by the Applicant or specialized recruitment organizations, and other documents are destroyed after the decision is made to hire the Applicant or to refuse to hire.

The personal data of persons who have signed agreements with the Company and contained in the unified state registers of legal entities and individual entrepreneurs are open and publicly available, with the exception of information about the number, date of issue and the authority that issued the individual's identity document. The protection of their confidentiality and the consent of personal data subjects are not required for the processing of such data.

In all other cases, it is necessary to obtain the consent of personal data subjects who are Representatives of counterparties, with the exception of persons who have signed agreements with the Company, who have granted powers of attorney to act on behalf of and on behalf of the Company's counterparties and thereby committed conclusive actions confirming their consent to the processing of personal data specified in the text of the agreement (power of attorney).

The Visitor's consent to the processing of his personal data is given in the form of conclusive actions, namely, providing an identity document and disclosing the information requested from him when visiting the Company, and in some cases by filling out a special electronic form at the reception service.

The consent of Site Users to the processing of their personal data received by the Company when Visitors view the Company's website on the Internet is given by accepting the conditions regarding cookies and putting an appropriate mark (“tick”) in banners (pop-up windows) on the Company's websites.

The consent of subjects to provide their personal data is not required when the Company receives, within the framework of its established powers, reasoned requests from prosecutor's offices, law enforcement agencies, investigative and inquiry bodies, security agencies, state labor inspectors when exercising state supervision and control over compliance with labor legislation, and other bodies authorized to request information in accordance with the competence provided for by law.

A reasoned request should include an indication of the purpose of the request, a link to the legal grounds for the request, including confirming the powers of the body that sent the request, as well as a list of the information requested.

8.1. The personal data subject has the right to require the Company to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided for by the Personal Data Act to protect his rights.

8.2. The personal data subject has the right to receive information regarding the processing of his personal data, including:

• confirmation of the processing of personal data by the Company;
• legal grounds and purposes for the processing of personal data;
• how the Company processes personal data;
• the name and location of the Operator, information about persons (with the exception of the Company's employees) who have access to personal data or to whom personal data may be disclosed under an agreement with the Company or on the basis of federal laws;
• processed personal data relating to the relevant personal data subject, the source of their receipt, unless another procedure for submitting such data is provided for by federal law;
• the terms of processing personal data, including the terms of their storage;
• the procedure for the personal data subject to exercise the rights provided for by the Personal Data Act;
• information about the transfer of data carried out or intended to be carried out across borders;
• the procedure for the personal data subject to exercise the rights provided for by the Personal Data Act;
• the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company, if the processing is or will be assigned to such a person;
• other information provided for by federal laws of the Russian Federation.

8.3. The information specified in paragraph 8.2. of this Policy must be provided to the personal data subject in an accessible form and should not contain personal data related to other personal data subjects, except if there are legal grounds for disclosing such personal data.

8.4. The information specified in paragraph 8.2. of this Policy is provided to the personal data subject or his representative by the Company within 10 (ten) business days from the date the Company applies or receives a request from the personal data subject or his representative. This period may be extended, but by no more than 5 (five) working days if the Company sends a reasoned notice to the personal data subject, specifying the reasons for extending the deadline for providing the requested information. The request must contain the number of the main identity document of the personal data subject or his representative, information about the date of issue of this document and the authority that issued it, information confirming the personal data subject's participation in relations with the Company (contract number, date of conclusion of the agreement, word symbol and/or other information), or information otherwise confirming the processing of personal data by the Company, the signature of the personal data subject or his representative. The request may be sent in the form of an electronic document and signed electronically in accordance with the legislation of the Russian Federation. The Company provides the information specified in paragraph 8.2. of this Policy to the personal data subject or his representative in the form in which the relevant request or request was sent, unless otherwise specified in the request or request.

8.5. If the information specified in paragraph 8.2. of this Policy, as well as the personal data being processed, has been provided for review to the personal data subject at his request, the personal data subject has the right to contact the Company again or send him a second request in order to obtain the information specified in paragraph 8.2. of this Policy and to review such personal data no earlier than 30 (thirty) days after the initial request or sending the initial request, unless a shorter period is established by the federal government a law adopted in accordance with it by a regulatory legal act or an agreement to which the personal data subject is a party or beneficiary or guarantor.

8.6. The personal data subject has the right to contact the Company again or send him a second request in order to obtain the information specified in paragraph 8.2. of this Policy, as well as to familiarize himself with the processed personal data before the expiration of the period specified in paragraph 8.5. of this Policy, if such information and/or the personal data being processed were not provided to him for review in full following the consideration of the initial request. A repeated request, along with the information specified in paragraph 8.4. of this Policy, must contain a justification for sending a second request.

8.7. The Company has the right to refuse a personal data subject to a second request that does not meet the conditions provided for in paragraphs 8.5 and 8.6 of this Policy. Such a refusal must be motivated. The Operator is obliged to provide evidence of the validity of the refusal to comply with the repeated request.

8.8. The right of a personal data subject to access his personal data may be limited in cases established by federal laws.

8.9. If a personal data subject believes that the Company is processing his personal data in violation of the requirements of the Personal Data Act or otherwise violates his rights and freedoms, the personal data subject has the right to appeal against the Company's actions or omissions to the authorized body for the protection of the rights of personal data subjects or in court.

8.10. The personal data subject has the right to protect his rights and legitimate interests, including compensation for losses and/or compensation for non-pecuniary damage in court.

9.1. The Company is obliged to provide, free of charge, the personal data subject or his representative with the opportunity to review personal data related to this personal data subject. Within a period not exceeding 7 (seven) working days from the date the personal data subject or his representative provides information confirming that personal data is incomplete, inaccurate or irrelevant, the Company is obliged to make the necessary changes to them.

Within a period not exceeding 7 (seven) working days from the date of submission by the personal data subject or his representative of information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing, the Company is obliged to destroy such personal data.

The Company is obliged to notify the personal data subject or his representative about the changes made and measures taken and take reasonable measures to notify third parties to whom this subject's personal data have been transferred.

9.2. If illegal processing of personal data is detected when a personal data subject or his representative applies or at the request of the personal data subject or his representative or an authorized body for the protection of the rights of personal data subjects, the Company is obliged to block illegally processed personal data related to this personal data subject or ensure that they are blocked (if personal data is processed by another person acting on behalf of the Company) from the moment of such request or receiving this request during the verification period.

If inaccurate personal data is detected when a personal data subject or his representative applies, or at their request or at the request of an authorized body for the protection of the rights of personal data subjects, the Company is obliged to block personal data related to this personal data subject or ensure that they are blocked (if personal data is processed by another person acting on behalf of the Company) from the moment of such request or receipt of this request for the verification period, if blocking personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

9.3. If it is confirmed that personal data is inaccurate, the Company, on the basis of information provided by the personal data subject or his representative or the authorized body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify personal data or ensure their clarification (if personal data is processed by another person acting on behalf of the Company) within 7 (seven) business days from the date of submission of such information and remove the blocking of personal data.

9.4. If illegal processing of personal data by the Company or a person acting on behalf of the Company is detected, the Company is obliged, within a period not exceeding 3 (three) working days from the date of this discovery, to stop the illegal processing of personal data or ensure that the illegal processing of personal data by a person acting on behalf of the Company is stopped. If it is impossible to ensure the lawfulness of the processing of personal data, the Company is obliged to destroy such personal data or ensure its destruction within a period not exceeding 10 (ten) business days from the date of discovery of illegal processing of personal data. The Company is obliged to notify the personal data subject or his representative about the elimination of violations committed or the destruction of personal data, and if an appeal from the personal data subject or his representative or a request from an authorized body for the protection of the rights of personal data subjects was sent by the authorized body for the protection of the rights of personal data subjects, the specified body as well.

9.5. If an illegal or accidental transfer (provision, distribution, access) of personal data is established, which resulted in a violation of the rights of personal data subjects, the Company is obliged, from the moment such an incident is detected by the Company, the authorized body for the protection of the rights of personal data subjects or other interested party, to notify the authorized body for the protection of the rights of personal data subjects:
1) within 24 (twenty-four) hours about the incident that occurred, on the alleged causes that caused the violation of the rights of personal data subjects, and the alleged harm caused to the rights of personal data subjects, on measures taken to eliminate the consequences of the relevant incident, as well as provide information about the person authorized by the Company to interact with the authorized body for the protection of the rights of personal data subjects on issues related to the identified incident;
2) within 72 (seventy) two hours on the results of the internal investigation of the identified incident, as well as provide information about the persons whose actions caused the incident (if any).

9.6. If the goal of processing personal data is achieved, the Company is obliged to stop processing personal data or ensure its termination (if personal data is processed by another person acting on behalf of the Company) and destroy personal data or ensure its destruction (if personal data is processed by another person acting on behalf of the Company) within a period not exceeding 30 (thirty) days from the date of achieving the goal of processing personal data, unless otherwise provided by an agreement whose party, the beneficiary or guarantor of which is the personal data subject, another agreement between the Company and the personal data subject, or if the Company is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the Personal Data Act or other federal laws.

9.7. If the personal data subject withdraws consent to the processing of his personal data, the Company is obliged to stop processing them or ensure that such processing is stopped (if the personal data is processed by another person acting on behalf of the Company) and if the preservation of personal data is no longer required for the purposes of processing personal data, destroy personal data or ensure their destruction (if personal data is processed by another person acting on behalf of the Company) within a period not exceeding 30 (thirty) days from the date of receipt of this review, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor, by another agreement between the Company and the personal data subject, or if the Company is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by federal laws.

9.8. If a personal data subject requests the Company to stop processing personal data, the Company is obliged, within a period not exceeding 10 (ten) working days from the date of receipt of the relevant request, to stop processing them or ensure that such processing is stopped (if such processing is carried out by the person processing personal data), except as provided for by the Personal Data Act. This period may be extended, but by no more than 5 (five) working days if the Company sends a reasoned notice to the personal data subject, specifying the reasons for extending the deadline for providing the requested information.

9.9. If it is not possible to destroy personal data within the period specified in paragraphs 9.4, 9.6-9.8 of this Policy, the Company blocks such personal data or ensures its blocking (if the personal data is processed by another person acting on behalf of the Company) and ensures the destruction of personal data within a period of no more than 6 (six) months, unless another period is established by federal laws.

9.10. After the expiration of the regulatory storage period for documents containing the subject's personal data, or upon the occurrence of other legal grounds, the documents must be destroyed. For these purposes, the Company creates an expert commission and examines the value of documents. As a result of the examination, documents containing the subject's personal data and subject to destruction are destroyed by grinding in a shredder (when stored on paper) and erased from information media (when stored in information systems).

10.1. When processing personal data, the Company takes the necessary legal, organizational and technical measures or ensures that they are taken to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions with respect to personal data, including:

• appointment of a person responsible for organizing the processing of personal data;
• adoption of local regulations and other documents in the field of personal data processing and protection;
• application of legal, organizational and technical measures to ensure the security of personal data in accordance with Article 19 of the Personal Data Act;
• obtaining the consent of personal data subjects to process their personal data, except as provided for by the legislation of the Russian Federation;
• carrying out internal control and/or auditing the compliance of personal data processing with the Personal Data Act and the regulatory legal acts adopted in accordance with it, requirements for the protection of personal data, this Policy, and the Company's local acts;
• assessment of harm in accordance with the requirements established by the authorized body for the protection of the rights of personal data subjects that may be caused to personal data subjects in the event of a violation of the Personal Data Act, the ratio of this harm to measures taken by the Company aimed at ensuring compliance with the obligations provided for by the Personal Data Act;
• familiarizing the Company's employees who directly process personal data with the provisions of the legislation of the Russian Federation on personal data, including personal data protection requirements, this Policy, and local acts on personal data processing;
• other measures provided for by the legislation of the Russian Federation and the Company's local regulations in the field of personal data.

Other duties and rights of the Company as a personal data operator and a person organizing their processing on behalf of other operators are determined by legislation in the field of personal data.

Officials and Employees of the Company who are guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil and criminal liability in accordance with the legislation of the Russian Federation.

The policy is reviewed as necessary.

For any questions from personal data subjects related to the Company's processing of such personal data, including, but not limited to, regarding the inaccuracy of personal data, the illegality of their processing, the withdrawal of consent and the access (clarification, deletion) of the personal data subject to their data, should be addressed to info@sigmalab.pro or by sending a request to the address: 121205, Moscow. Moscow, Skolkovo Innovation Center, Bolshoy Boulevard, 42, Building 1, et/of 3/785. The appeal should specify the full name of the subject and (if applicable) its legal representative and the essence of the appeal. Upon receipt of an appropriate request, persons responsible for compliance with the provisions of this Policy are obliged to register such an appeal and prepare a response within the time limits established by applicable law. The Company may request additional information from the personal data subject or his representative in accordance with this Policy and the Personal Data Act.