1. General provisions

1.1. Nafta-Oils’s Personal Data Processing Policy (hereinafter referred to as “Policy”) stipulates the basic principles, objectives, conditions and methods for personal data processing, lists of data subjects and personal data processed in Nafta-Oils, Nafta-Oils’s functions while processing personal data, rights of data subjects, as well as Nafta-Oils’s requirements to the personal data protection.

1.2. The Policy is developed based on the requirements of the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation related to personal data.

1.3. The Policy provisions serve as the basis for developing corporate statutory acts, which stipulate processing personal data of Nafta-Oils’s employees and other data subjects.

1.4. The Policy provisions serve as the basis for developing corporate statutory acts by Nafta-Oils’s subsidiaries and entities stipulating personal data processing in the above mentioned entities.

2. Legislative and other statutory acts of Russian Federation stipulating Gazprom’s Personal Data Processing Policy

2.1. Nafta-Oils’s Personal Data Processing Policy is based on the following statutory acts:

• The Labor Code of the Russian Federation;
• The Federal Law No. 152-FZ ‘On Personal Data’, dated July 27, 2006;
• The Decree of the Russian President No. 188 ‘On Approving the List of Confidential Data’, dated March 6, 1997;
• The Russian Federation Government Resolution No. 687 ‘On Approving the Provision Regarding Properties of Personal Data Processing without Software’, dated September 15, 2008;
• The Russian Federation Government Resolution No. 512 ‘On Approving the Requirements to Biometric Personal Data Tangible Carrier and Such Data Storage Beyond Personal Data Information Systems’, dated July 6, 2008;
• The Russian Federation Government Regulation No. 1119 ‘On Approving the Requirements to the Personal Data Protection While Processing in Personal Data Information Systems’, dated November 1, 2012;
• The Order of FSTEC of Russia No. 55, FSB of Russia No. 86, the Ministry of Information Technologies and Communications of Russia No. 20 ‘On Approving the Procedure for Classifying Personal Data Information Systems’, dated February 13, 2008;
• The Order of FSTEC of Russia No. 21 ‘On Approving the List and Scope of Planning and Technical Activities for Protection of Personal Data While Processing via Personal Data Information Systems’, dated February 18, 2013;
• The Order of the Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications No. 996 ‘On Approving the Requirements and Methods for Depersonalizing Personal Data’, dated September 5, 2013;
• other statutory acts of the Russian Federation and legal documents of authorized government bodies.

2.2. With a view to implement the Policy provisions, Nafta-Oil develops relevant corporate statutory acts and other documents, including:

• provision on personal data processing in Nafta-Oil;
• provision on the personal data protection while processing via personal data information systems in Nafta-Oil, its subsidiaries and entities;
• list of positions provided for structural units of Nafta-Oil’s administration, its branches and representative offices and subjects to personal data processing in case of substitution;
• procedures for personal data processing in the structural units of Nafta-Oil’s administration, its branches and representative offices;
• other corporate statutory acts and documents related to personal data processing in Nafta-Oil.

3. Basic terms and definitions used in corporate statutory acts of Nafta-Oil related to personal data processing

Personal data – any information related to directly or indirectly specified natural person (data subject).

Information – details (reports, data) regardless their presentation form.

Operator – state authority, municipal authority, legal or private person, who severally or jointly arranges and/or performs personal data processing, as well as defines the aims of personal data processing, the volume of personal data subject to processing and personal data handling.

Personal data processing – any action or a series of actions performed towards personal data with or without the software, including the personal data acquisition, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access), depersonalization, blocking, deleting and annihilation.

Automated personal data processing – personal data processing via PC software.

Personal data presentation – personal data disclosure to particular person or certain group of persons.

Personal data distribution – personal data disclosure to uncertain group of persons.

Trans-border transfer of personal data – personal data transfer to a foreign country, foreign government body and foreign natural or legal person.

Personal data blocking – temporary interruption of personal data processing (except where processing is required for personal data update or alteration).

Personal data annihilation – actions making it impossible to restore personal data volume in the personal data information system and/or resulting in the elimination of tangible personal data carriers.

Personal data depersonalization – actions making it impossible to identify personal data as related to a certain data subject without involving an additional information.

Personal data information system – a set of personal data included into personal data databases, as well as the software and tools used for their processing.

4. Principles and purposes for personal data processing

4.1. Nafta-Oil in its capacity as a personal data operator performs personal data processing for the employees of Nafta-Oil and other data subjects not employed by Gazprom.

4.2. Nafta-Oil performs data processing with due diligence to the protection of rights and freedoms of Nafta-Oil’s employees as well as other data subjects, including the protection of privacy right, personal and family secrets, based on the following principles:

• personal data processing in Nafta-Oil is performed on a legitimate equitable basis;
• personal data processing is limited to reaching specific predetermined legitimate aims;
• personal data processing incompatible with the purposes of personal data acquisition is not allowed;
• combining databases that contain personal data processed for the purposes incompatible with each other is not allowed;
• personal data meeting the purposes of their processing may only be processed;
• scope and amount of personal data comply with the stated purposes of processing. The personal data redundancy in relation to the stated purposes is not allowed;
• while processing personal data, accuracy, adequacy and actuality (if necessary) of personal data are provided in relation to the purposes of personal data processing. Gazprom makes all reasonable efforts to delete or adjust incomplete or inaccurate personal data;
• personal data are stored in the form that enables to define the data subject no longer than it’s required for the purposes of personal data processing, in case the personal data retention period is not set by a federal law or an agreement under which the data subject acts as a party, beneficiary or guarantor;
• personal data under processing are deleted or depersonalized once the purposes of processing are achieved or in case achieving these purposes is not required anymore, unless otherwise provided by a federal law.

4.3. Gazprom processes personal data for the purpose of:

• complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation and corporate statutory acts of Nafta-Oil;
• exercising functions, powers and requirements imposed upon Nafta-Oil by the Government of the Russian Federation, including the personal data presentation to the government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, Federal Mandatory Medical Insurance Fund of the Russian Federation, and other state bodies;
• regulating the employment relationships with Nafta-Oil’s employees (promotion of employment, training and career advancement, personal security, control over the scope and quality of the work done, safekeeping of property);
• providing Nafta-Oil’s employees and their families with additional guarantees and remunerations, including non-governmental pension coverage, voluntary health insurance, medical service and other kinds of social security;
• protecting lives, health or other vital interests of personal data subjects;
• developing, signing, executing and terminating agreements with counterparties;
• arranging access procedures and in-house schedule at Nafta-Oil’s facilities;
• developing reference materials for in-house information support of the activities of Nafta-Oil, its branches and representative offices, as well as Nafta-Oil’s subsidiaries and entities;
• executing court decisions, other bodies and authorities acts subject to execution in compliance with the Enforcement Law of the Russian Federation;
• exercising rights and legal interests of Nafta-Oil while carrying out activities stipulated by Nafta-Oil’s Articles of Association and other corporate statutory acts of Nafta-Oil or third parties or with a view to achieve socially desirable purposes;
• other legitimate purposes.

5. List of data subjects, which have their personal data processed at Nafta-Oil

5.1. Nafta-Oil provides processing personal data of the following data subjects:

• employees of the structural units of Nafta-Oil’s administration, its branches and representative offices;
• employees of Nafta-Oil’s subsidiaries and entities;
• other personal data subjects (with a view to achieve the processing purposes stated in Section 4 of the Policy).

6. List of personal data processed at Nafta-Oil

6.1. The list of personal data processed at Nafta-Oil is stipulated by the Law of the Russian Federation and corporate statutory acts considering the personal data processing purposes stated in Section 4 of the Policy).

6.2. Special personal data categories concerning race and national identity, political commitment, religious or philosophic views and private life are not subject to processing at Nafta-Oil.

7. Functions of Nafta-Oil in personal data processing

7.1. While processing personal data, Nafta-Oil:

• takes relevant measures to ensure compliance with the Law of the Russian Federation and corporate statutory acts related to personal data;
• establishes legal, planning and technical procedures to protect personal data against illegal or accidental access, annihilation, alteration, blocking, copying, presentation, distribution, as well as against other misconduct in relation to personal data;
• appoints a party responsible for the arrangement of personal data processing at Nafta-Oil;
• issues corporate statutory acts stipulating the policy and personal data processing and protection procedures at Nafta-Oil;
• familiarizes the employees of Nafta-Oil, its branches and representative offices directly involved in personal data processing with the provisions of the Law of the Russian Federation and corporate statutory acts of Nafta-Oil related to personal data, including the requirements to the personal data protection, as well as provides for certain employees training;
• publishes or otherwise provides unlimited access to this Policy;
• informs personal data subjects or their representatives in due course of the available data related to the relevant subjects, provides the representation of these personal data upon notification and/or request of the mentioned data subjects or their representatives, unless otherwise provided by the Law of the Russian Federation;
• terminates the processing and annihilates personal data as stipulated by the Law of the Russian Federation related to personal data;
• performs other activities stipulated by the Law of the Russian Federation related to personal data.

8. Conditions of personal data processing at Nafta-Oil

8.1. Personal data is processed at Nafta-Oil with consent of a data subject to have his/her personal data processed, unless otherwise is provided by the Law of the Russian Federation related to personal data.

8.2. Nafta-Oil shall not disclose or distribute personal data to third parties without consent of the data subject, unless otherwise is provided by the Law of the Russian Federation.

8.3. Nafta-Oil is entitled to entrust personal data processing to a third party with the data subject consent and upon an agreement with such a third party. An agreement shall provide for the list of personal data operations to be accomplished by a person in charge for the data processing, processing purposes, liabilities of such a person to keep personal data confidential and protected in course of processing, as well as requirements to the processed personal data protection as per Article 19 of the Federal Act On Personal Data.

8.4. For the purpose of in-house data support Nafta-Oil is entitled to develop reference documents, which provide (upon written consent of the relevant data subject) the subject name, family name, occupation, position, date of birth, address, subscriber number, e-mail address, other personal data presented by the relevant data person, unless otherwise is provided by the Law of the Russian Federation.

8.5. Access to personal data processed in Nafta-Oil is only allowed to Nafta-Oil’s employees covered by the list of positions for structural units of Nafta-Oil’s administration, its branches and representative offices, substitution of which is subject to personal data processing.

9. Actions with personal data and ways of its processing

9.1. Nafta-Oil provides for acquisition, logging, ranging, accumulation, storage, update and alteration, extraction, application, transfer (distribution, representation, and access), depersonalization, blocking, deletion and annihilation of personal data.

9.2. Personal data processing in Nafta-Oil is provided in the following ways:

• manual personal data processing;
• automated personal data processing with further transfer of received information via communication networks or otherwise;
• combined personal data processing.

10. Rights of personal data subjects

10.1. Data subjects are entitled for:

• completing information on their personal data under processing in Nafta-Oil;
• accessing to their personal data, including copies of any records which contain their personal data, unless otherwise is provided by the Federal Law, as well as access to related health care information at their option under the medical expert supervision;
• adjusting their personal data, as well as data blocking or annihilation in case of personal data are incomplete, outdated, inaccurate, illegally obtained or inessential for processing purpose declared;
• revoking the consent given for personal data processing;
• taking statutory actions to protect their rights;
• appealing against Nafta-Oil’s action or inaction infringing the requirements of the Law of the Russian Federation related to personal data to the body authorized for the protection of data subject rights or to the court;
• exercising other rights provided for by the Law of Russian Federation.

11. Actions taken by Nafta-Oil to ensure proper personal data processing

11.1. Actions, essential and sufficient to ensure proper personal data processing by Nafta-Oil in accordance with the Law of the Russian Federation related to personal data, are as following:

• appointing a person in charge for the arrangement of personal data processing in Nafta-Oil;
• adopting corporate statutory acts and other regulations related to personal data processing and protection;
• arranging the training for the employees of structural units of Nafta-Oil’s administration, its branches and representative offices, which occupy the positions covered by the list of positions for structural units of Nafta-Oil’s administration, its branches and representative offices, substitution of which is subject to personal data processing;
• carrying consents of data subjects to their personal data processing, unless otherwise is provided by the Law of the Russian Federation;
• isolating personal data processed manually from other data, including their storage at the separate personal data carriers and/or within separate sections;
• ensuring the separate storage of personal data processed for different purposes and comprising different personal data categories;
• prohibiting the personal data transfer via open communication channels, computation networks beyond control, Nafta-Oil’s Unified Internal System for Data Transfer and Internet without taking measures on the personal data protection set by Nafta-Oil(excluding public and/or depersonalized personal data);
• storing tangible personal data carriers that ensures the personal data safety and prevents unauthorized access to them;
• exercising in-house control over the compliance of personal data processing with the Federal Law ‘On Personal Data’ and relevant statutory acts, personal data protection requirements, the Policy and Nafta-Oil’s corporate statutory acts;
• other actions provided by the Law of the Russian Federation related to personal data.

11.2. Actions, providing the personal data protection while processing them by means of personal data information systems, shall correspond to Nafta-Oil’s corporate statutory acts, which stipulate the personal data protection measures while processing them by means of personal data information systems.

12. Control over compliance with Law of Russian Federation and Nafta-Oil’s corporate statutory acts related to personal data, including personal data protection requirements

12.1. Control over the adherence of structural units of Nafta-Oil’s administration, its branches and representative offices to the Law of the Russian Federation and corporate statutory acts of Nafta-Oil related to personal data, including the personal data protection requirements, is aimed at ensuring the compliance of personal data processing by structural units of Nafta-Oil’s administration, its branches and representative offices to the Law of the Russian Federation and corporate statutory acts of Nafta-Oil related to personal data, including the personal data protection requirements, as well as to measures aimed at prevention and identification of infringements of the Law of the Russian Federation related to personal data, identification of potential channels for the leakage of and the unauthorized access to personal data and the removal of consequences of such infringements.

12.2. In-house control over the adherence of structural units of Nafta-Oil’s administration, its branches and representative offices to the Law of the Russian Federation and corporate statutory acts of Nafta-Oil related to personal data, including the personal data protection requirements, is exercised by a person in charge for the arrangement of personal data processing in Nafta-Oil.

12.3. In-house control over the compliance of personal data processing to the Federal Law ‘On Personal Data’ and relevant statutory acts, the personal data protection requirements, the Policy and Nafta-Oil’s corporate statutory acts is exercised by the Corporate Protection Service of Nafta-Oil.

12.4. Personal liability for the adherence of a structural unit of Nafta-Oil’s administration, its branch and representative office to the Law of the Russian Federation and corporate statutory acts of Nafta-Oil related to personal data, as well as for ensuring the personal data confidentiality and safety within the mentioned divisions of Nafta-Oil is imposed upon their executives.