Personal data processing and protection policy

1. GENERAL PROVISIONS
This Personal Data Processing Policy (the “Policy”) has been developed in accordance with the requirements of Federal Law No. 152-FZ of July 27, 2006, On Personal Data (the “Personal Data Law”). The Policy establishes the procedure for processing personal data and the measures taken by Public Joint-Stock Company Khimprom (the “Operator”) to ensure the security and confidentiality of such data.
The Operator is registered at 101 Promyshlennaya Street, Novocheboksarsk, Chuvash Republic – Chuvashia, 429965, Russian Federation, Primary State Registration Number (OGRN) 1022100910226. The Operator processes personal data through its websites https://www.himprom.com/ and https://himprom.ru (collectively, the “Website”).
In processing personal data via the Website, the Operator acts as a data controller and complies with all applicable laws and regulations of the Russian Federation relating to information security and personal data protection, including the Personal Data Law.
This Policy also extends to the Operator’s official social media accounts, insofar as its provisions do not conflict with the internal rules and terms of use of the respective social media platforms.
1.1 The Operator considers the protection of the rights and freedoms of individuals in the processing of their personal data a fundamental objective and essential condition of its business activities. This includes safeguarding the right to privacy, as well as the security of personal and family life.
1.2.This Personal Data Processing Policy (the “Policy”) applies to all information that the Operator may obtain about visitors to the Website.

2. KEY TERMS AND DEFINITIONS USED IN THIS POLICY
2.1 Automated Processing of Personal Data means the processing of personal data using computer or other automated means.
2.2 Blocking of Personal Data means the temporary suspension of personal data processing (except where such processing is necessary to clarify the personal data).
2.3 Website refers to the collection of graphic and informational materials, as well as software programs and databases, made available on the Internet at the following web addresses: himprom.com and himprom.ru.
2.4 Personal Data Information System means a set of personal data contained in databases, along with the information technologies and technical tools used to process those data.
2.5 Confidentiality of Personal Data means a binding requirement imposed on the Operator or any other person having access to personal data, prohibiting the disclosure of such data without the consent of the personal data subject or without other lawful grounds.
2.6 Non-Automated Processing of Personal Data means any actions performed with personal data where the use, modification, dissemination, or destruction of the data involves direct human participation.
2.7 Processing of Personal Data means any action (operation) or set of actions (operations) performed with or without the use of automation tools involving personal data, including the collection, recording, organization, accumulation, storage, clarification (updating or modification), retrieval, use, transfer (distribution, provision, access), blocking, deletion, or destruction of personal data.
2.8 Operator means a state or municipal authority, legal entity, or individual that independently or jointly with others organizes and/or performs the processing of personal data and determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with such data.
2.9 Personal Data means any information relating directly or indirectly to an identified or identifiable User of the Website.
2.10 Personal Data Authorized by the Subject for Dissemination means personal data to which the data subject has granted access to an unlimited number of persons by consenting to the processing of such personal data in accordance with the procedure established by the Personal Data Law (hereinafter referred to as “personal data authorized for dissemination”).
2.11 User means any visitor to the Website.
2.12 Provision of Personal Data means any action aimed at disclosing personal data to a specific person or a defined group of persons.
2.13 Dissemination of Personal Data means any action aimed at disclosing personal data to an indefinite number of persons (transfer of personal data) or otherwise making such data available to the public, including the publication of personal data in mass media, posting on information and telecommunication networks, or granting access to such data by any other means.
2.14 Cross-Border Transfer of Personal Data means the transfer of personal data to the territory of a foreign state, to the authority of a foreign state, or to a foreign individual or legal entity.
2.15 Destruction of Personal Data means any action resulting in the irreversible destruction of personal data, rendering it impossible to restore the content of such data in a personal data information system and/or resulting in the destruction of tangible media containing personal data.
2.16 Cookies are small data files stored on the User’s device, used to record certain actions performed on the Website by storing data that can later be updated and retrieved. These files do not harm the User’s device and are used to record the User’s preferences and personalize the Website experience. The procedures for processing cookies are described in detail in Section 8 of this Policy.

3.  PRIMARY RIGHTS AND OBLIGATIONS OF THE OPERATOR
3.1 The Operator has the right to:
(A) Receive from the personal data subject accurate information and/or documents containing personal data.
(B) Continue processing personal data without the consent of the personal data subject in cases where such processing is permitted under the Personal Data Law, even if the subject withdraws previously granted consent.
(C) Amend or update this Policy at its sole discretion.
(D) Independently determine the range and scope of measures necessary and sufficient to ensure compliance with the obligations established by the Personal Data Law and other regulatory legal acts adopted pursuant thereto, unless otherwise provided by the Personal Data Law or other federal laws.
3.2 The Operator shall:
(A) Provide the personal data subject, upon request, with information relating to the processing of his or her personal data.
(B) Organize the processing of personal data in accordance with the applicable laws of the Russian Federation.
(C) Respond to inquiries and requests from personal data subjects and their legal representatives in accordance with the provisions of the Personal Data Law.
(D) Provide the authorized body for the protection of personal data subjects’ rights, upon request, with the necessary information within 30 days from the date of receipt of such request.
(E) Publish or otherwise ensure unrestricted access to this Policy.
(F) Implement legal, organizational, and technical measures to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, or any other unauthorized actions involving personal data.
(G) Cease the transfer (distribution, provision, or access) of personal data, suspend processing, and destroy personal data in the manner and cases provided for by the Personal Data Law.
(H) Fulfill any other obligations established by the Personal Data Law.

4. PRIMARY RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
4.1 Data subjects are entitled to:
(A) Obtain information regarding the processing of their personal data, except in cases provided for by federal laws. Such information shall be provided by the Operator to the data subject in an accessible form and must not include personal data relating to other data subjects, unless there are lawful grounds for the disclosure of such data. The scope of information and the procedure for obtaining it are established by the Personal Data Law.
(B) Request that the Operator clarify, block, or delete personal data if such data are incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the stated purpose of processing, as well as take other legal measures to protect their rights.
(C) Set a condition requiring prior consent for the processing of their personal data for purposes related to the promotion of goods, works, or services in the market.
(D) Withdraw their consent to the processing of personal data.
(E) Lodge a complaint with the authorized body responsible for the protection of personal data subjects’ rights or seek judicial protection against unlawful actions or omissions of the Operator in relation to the processing of personal data.
(F) Access their personal data and, in particular, obtain from the Operator the following information:
(i) The categories of personal data being processed;
(ii) The purposes of personal data processing;
(iii) Information about individuals who have access to personal data or to whom such access may be granted (except for the Operator’s employees);
(iv) A list of processed personal data and the sources from which such data were obtained;
(v) The duration of personal data processing, including retention periods;
(vi) Other information as required by the applicable laws of the Russian Federation.
(G) Exercise other rights as provided by the legislation of the Russian Federation.
4.2 Data subjects shall:
(A) Provide the Operator with accurate and truthful personal information about themselves.
(B) Notify the Operator of any clarifications, updates, or changes to their personal data.
4.3 Individuals who have provided the Operator with false information about themselves or disclosed information about another data subject without that person’s consent shall be held liable in accordance with the laws of the Russian Federation.

5. PROCESSED USER PERSONAL DATA
5.1 Last name, first name, and patronymic (middle name);
5.2 Email address;
5.3 Telephone number;
5.4 Job title;
5.5 Registered address;
5.6 Text of the inquiry or message;
5.7 Any other information contained in the files attached to the feedback form;
5.8 IP address;
5.9 Cookies;
5.10 Browser information;
5.11 Data on actions performed on the Website or within the system;
5.12 Type of device used;
5.13 Device operating system type;
5.14 Content of the inquiry or submission.
The Website also collects and processes visitor data through the use of cookies via web analytics services (such as Yandex Metrica) and security tools designed to protect against automated requests.
(A) Cookies collected by the Operator during the User’s interaction with the Website are processed to ensure the Website’s operability, enhance performance, and obtain analytical insights regarding Website usage.
(B) For this purpose, the Operator processes cookies collected from Website Users.
(C) The categories of processed cookies include:
(i) Data relating to the User’s location;
(ii) Information regarding the User’s device type and model;
(iii) Data on the User’s behavior and actions while using the Website;
(iv) Information on the User’s browser settings when accessing the Website;
(v) Data automatically collected by security services to verify User activity and protect the Website from malicious spam attacks;
(vi) Other information collected by analytical systems.
5.15 The categories of information listed above are collectively referred to in this Policy as personal data.
5.16 The Operator does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or intimate life.
5.17 The processing of personal data authorized by the data subject for dissemination, where such data fall within the special categories specified in Part 1, Article 10 of the Personal Data Law, is permitted only if the prohibitions and conditions set forth in Article 10.1 of the Personal Data Law are observed.
5.18 Processing of Personal Data Authorized for Dissemination
(A) The User’s consent to the processing of personal data authorized for dissemination shall be obtained separately from other consents granted for the processing of personal data. Such consent must comply with the requirements laid out in Article 10.1 of the Personal Data Law. The content and form of this consent are determined by the authorized body for the protection of personal data subjects’ rights.
(B) The User provides consent for the processing of personal data authorized for dissemination directly to the Operator.
(C) The transfer (distribution, provision, or access) of personal data authorized by the data subject for dissemination must be terminated at any time upon the data subject’s request. Such request shall include the data subject’s full name, contact details (telephone number, email address, or postal address), and a list of personal data the processing of which is to be terminated. The personal data specified in the request may thereafter be processed only by the Operator to whom the request was submitted.
(D) The consent for the processing of personal data authorized for dissemination shall cease to be valid upon the Operator’s receipt of the request specified in paragraph 5.18(C) of this Policy.

6. PRINCIPLES OF PERSONAL DATA PROCESSING
6.1 The processing of personal data shall be carried out on a lawful and fair basis.
6.2 The processing of personal data shall be limited to achieving specific, predetermined, and legitimate purposes. The processing of personal data that is incompatible with the purposes for which the data were collected is not permitted.
6.3 The combination of databases containing personal data that are processed for purposes incompatible with one another is prohibited.
6.4 Only personal data that are relevant to and necessary for the stated purposes of processing shall be processed.
6.5 The content and scope of processed personal data must correspond to the declared purposes of processing. The processing of excessive personal data in relation to the stated purposes of processing is not permitted.
6.6 When processing personal data, accuracy, adequacy, and, where necessary, the relevance of personal data must be ensured relative to the purposes of processing. The Operator shall take all necessary measures, or ensure that such measures are taken, to remove or clarify incomplete or inaccurate data.
6.7 Personal data shall be stored in a form that permits identification of the personal data subject for no longer than is required by the purposes of personal data processing, unless a longer data retention period is established by federal law or contract to which the personal data subject is a party, beneficiary, or guarantor. Processed personal data shall be destroyed or anonymized once the purposes of processing have been achieved or when the necessity of achieving such purposes no longer exists, unless otherwise provided by federal law.

7. PURPOSES OF PERSONAL DATA PROCESSING
7.1 Purposes оf processing the user’s personal data:
1. Purpose of Processing: To provide feedback regarding cooperation inquiries, as well as questions related to the Company’s products and services.
Categories and Types of Processed Personal Data:
– Full name;
– Email address;
– Telephone number;
– Job title;
– Any other information contained in files attached to the feedback form.
Categories of Data Subjects: Website Users.
Methods and Period of Processing and Storage: Methods of processing: Mixed (both automated and manual), including transfer within the internal network of the legal entity and over the Internet.
Retention period: Personal data shall be processed and stored until the purpose of processing has been achieved.
Legal Basis for Processing: Personal data are processed on the basis of the personal data subject’s consent to the processing of his or her personal data.
Disclosure to Third Parties: The transfer of personal data to third parties and/or the delegation of data processing to other parties is permitted.
Procedure for the Destruction of Personal Data upon Achievement of Processing Purposes or Other Legal Grounds: Upon achievement of the processing purposes, expiration of the processing period, or upon the data subject’s request, personal data shall be destroyed within thirty (30) days (unless a shorter period is required by law). If applicable law requires certain personal data to be retained for a longer period, or other lawful grounds exist for continued processing, such processing may continue even after the withdrawal of consent.
2.    Purpose of processing: To provide access to the Company’s websites.
Categories and Types of Processed Personal Data:
– IP address;
– Cookies;
– Browser information;
– Data on actions performed on the Website or within the system;
– Type of device used;
– Type of device operating system;
– Other information collected through analytics systems.
Categories of Data Subjects: Website Users.
Methods and Period of Processing and Storage: Methods of processing: Mixed (both automated and manual), including transfer within the internal network of the legal entity and over the Internet.
Retention period: Personal data shall be processed and stored until the purpose of processing has been achieved.
Legal Basis for Processing: Personal data are processed on the basis of the data subject’s consent to the processing of his or her personal data.
Disclosure to Third Parties: The transfer of personal data to third parties and/or the delegation of personal data processing to other parties is permitted.
Procedure for the Destruction of Personal Data upon Achievement of Processing Purposes or Other Legal Grounds: Upon achievement of the processing purposes, expiration of the processing period, or upon the data subject’s request, personal data shall be destroyed within thirty (30) days (unless a shorter period is required by law). If applicable law requires that certain personal data be retained for a longer period, or if other lawful grounds for continued processing exist, such processing may continue after the withdrawal of consent.
3.    Purpose of processing: Administration and technical maintenance of the Company’s website.
Categories and Types of Processed Personal Data:
– Full name;
– Email address;
– Password;
– IP address;
– Cookies;
– Browser information;
– Data on actions performed on the Website or within the system;
– Type of device used;
– Type of device operating system;
– Content of the inquiry or message;
– Other information collected by analytical systems.
Categories of Data Subjects: Website Users.
Methods and Period of Processing and Storage: Methods of processing: Mixed (both automated and manual), including transfer within the internal network of the legal entity and over the Internet.
Retention period: Personal data shall be processed and stored until the purpose of processing has been achieved.
Legal Basis for Processing: Personal data are processed on the basis of the personal data subject’s consent to the processing of his or her personal data.
Disclosure to Third Parties: The transfer of personal data to third parties and/or the delegation of personal data processing to other parties is permitted.
Procedure for the Destruction of Personal Data upon Achievement of Processing Purposes or Other Legal Grounds: Upon achievement of the purposes of processing, expiration of the processing period, or upon the data subject’s request, personal data shall be destroyed within thirty (30) days (unless a shorter period is required by law). If applicable law requires that certain personal data be retained for a longer period, or if other lawful grounds for continued processing exist, such processing may continue after the withdrawal of consent.
4.    Purpose of рrocessing: Organization of participation in the Company’s marketing events and advertising campaigns, including through cooperation with counterparties providing promotional services.
Categories and Types of Processed Personal Data:
– Full name;
– Telephone number;
– Email address;
– Job title;
– Organization;
– Any other information contained in files attached to the feedback form.
Categories of Data Subjects: Website Users.
Methods and Period of Processing and Storage: Methods of processing: Mixed (both automated and manual), including transfer within the internal network of the legal entity and over the Internet.
Retention period: Personal data shall be processed and stored until the purpose of processing has been achieved.
Legal Basis for Processing: Personal data are processed on the basis of the data subject’s consent to the processing of his or her personal data.
Disclosure to Third Parties: The transfer of personal data to third parties and/or the delegation of personal data processing to other parties is permitted.
Procedure for the Destruction of Personal Data upon Achievement of Processing Purposes or Other Legal Grounds: Upon achievement of the processing purposes, expiration of the processing period, or upon the data subject’s request, personal data shall be destroyed within thirty (30) days (unless a shorter period is required by law). If applicable law requires that certain personal data be retained for a longer period, or if other lawful grounds exist for continued processing, such processing may continue after the withdrawal of consent.

8. USE OF COOKIES
To improve the functionality of the Website and enhance user convenience, the Operator may use a special technology known as “cookies.” The Operator acknowledges that, to a certain extent, cookies may constitute personal data and that their use must comply with applicable data protection legislation.
8.1 Types of Cookies Used by the Operator and Their Purposes
8.1.1 Session Cookies: Temporary cookies stored in the browser’s cookie file until the User leaves the page. These cookies are not stored on the User’s hard drive. The information obtained through such cookies helps the Operator analyze traffic patterns, enabling the Operator to improve the Website’s content and facilitate its usability.
8.1.2 Persistent Cookies: Cookies that remain stored on the User’s hard drive and are recognized by the Website each time the User visits. Persistent cookies have a specific expiration date, after which they cease to function. These cookies allow the Website to retain information and settings for the User’s subsequent visits, thus improving browsing convenience and speed, for example, by eliminating the need to re-enter login information.
8.1.3 Technical Cookies: These cookies are essential for the proper operation of the Website and the correct functioning of various personalized features and services it offers. For example, such cookies may be used to maintain session functionality, monitor response time, confirm personal preferences, enable security features, and transmit data through social networks.
8.1.4 Personalization Cookies: These cookies allow Users to customize specific aspects of the Website, such as language preferences, regional settings, or browser type.
8.1.5 Analytical Cookies: The Operator uses analytical cookies to obtain data about browser settings and analyze User behavior on the Website for the purpose of improving Website performance.
In particular, the Operator uses the following analytical tools, which involve the use of analytical cookies: – Yandex.Metrica. Additional information is available at https://yandex.ru/support/metrika/.
8.1.6 Security Cookies: These cookies are used to protect the Website from automated requests, spam, and abuse.
In particular, the Operator uses the following tools involving the use of cookies to ensure the Website’s security: – Yandex SmartCaptcha. Additional information is available at https://yandex.cloud/ru/services/smartcaptcha.
8.2 Third-Party Cookies
Certain cookies used on the Website may originate from third parties. This occurs because some pages of the Website contain elements provided by third-party websites. Since these elements come from external sources, the Operator cannot control the configuration of such cookies. Users wishing to modify their cookie preferences should refer to the respective third-party websites for more information.
8.3 User Cookie Management Options
8.3.1 The Operator will request the User’s separate consent for the processing of cookies. If the User does not provide such consent, the Operator will process only technical cookies necessary for the Website’s proper functioning.
8.3.2 Below are links to additional information on how to change cookie settings in commonly used browsers:
– Chrome (RU): https://support.google.com/chrome/answer/95647?hl=ru
– Internet Explorer (RU): https://support.microsoft.com/ru-ru/help/17442/windows-internet-explorer-delete-manage-cookies
– Firefox (RU): https://support.mozilla.org/ru/kb/vklyuchenie-i-otklyuchenie-kukov-ispolzuemyh-veb-s
– Safari (RU): https://support.apple.com/ru-ru/guide/safari/manage-cookies-and-website-data-sfri11471/mac
– Yandex Browser (RU): https://browser.yandex.ru/help/personal-data-protection/cookies.html
8.3.3 The User may withdraw consent to the processing of cookies at any time and delete cookies stored on their device by adjusting the browser settings.
8.3.4 Users may manage the cookie installation process by using browser tools or plug-ins known as “tracking prevention tools,” which allow Users to select which cookies they permit to be stored on their devices.

9. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
9.1 The Operator processes personal data on the following legal grounds:
9.2 Processing of personal data is carried out with the data subject’s consent to the processing of his or her personal data.
9.3 Processing of personal data is necessary to achieve the purposes established by international treaties of the Russian Federation or by law, and to perform the functions, powers, and duties imposed on the Operator by the legislation of the Russian Federation.
9.4 Processing of personal data is necessary for the administration of justice or the execution of a judicial act, or an act of another body or official subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings.
9.5 Processing of personal data is necessary for the performance of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for the conclusion of a contract initiated by the personal data subject or a contract under which the personal data subject will act as a beneficiary or guarantor.
9.6 Processing of personal data is necessary for the exercise of the Operator’s or third parties’ legitimate rights and interests, or for the accomplishment of socially significant objectives, provided that such processing does not infringe upon the rights and freedoms of the personal data subject.
9.7 Processing of personal data is carried out with respect to data to which the personal data subject has granted access to an unlimited number of persons or at the data subject’s request (hereinafter referred to as “personal data authorized for dissemination”).
9.8 Processing of personal data is carried out for information that is subject to publication or mandatory disclosure under federal law.
9.9 The personal data subject independently decides whether to provide his or her personal data and gives consent freely, voluntarily, and in his or her own interest.

10. PROCEDURES FOR COLLECTION, STORAGE, TRANSFER, AND OTHER FORMS OF PERSONAL DATA PROCESSING
The security of personal data processed by the Operator is ensured through the implementation of legal, organizational, and technical measures necessary to fully comply with the requirements of applicable data protection legislation.
10.1 The Operator ensures the security of personal data and takes all feasible measures to prevent unauthorized access to personal data, specifically by:
10.1.1 Appointing a person responsible for organizing personal data processing and a person responsible for ensuring the security of personal data within the information system;
10.1.2 Adopting internal regulations governing personal data processing;
10.1.3 Entering into agreements with persons processing personal data on behalf of the Operator, in accordance with the requirements of the Personal Data Law;
10.1.4 Assessing potential harm to Website Users in the event of a breach of Russian Federation data protection laws, and balancing such harm against the measures implemented to ensure personal data security;
10.1.5 Familiarizing employees directly involved in personal data processing with the provisions of Russian Federation personal data legislation, the Operator’s internal regulations on personal data processing, and/or conducting training for such employees;
10.1.6 Maintaining up-to-date records of all individuals with access to systems containing personal data, including the specific data processing procedures they are authorized to perform;
10.1.7 Providing unrestricted access to this Policy;
10.1.8 Protecting premises housing the information system processing personal data against unauthorized entry (including through door locks, access control systems, and, where legally permitted, video surveillance);
10.1.9 Securing information through specialized data protection tools (including software firewalls, modern data exchange methods, and secure remote access via public telecommunications networks);
10.1.10 Implementing appropriate access mechanisms, including usernames and secret passwords, to ensure that personal data are accessible only to authorized persons to the extent necessary for the performance of their duties;
10.1.11 Verifying and ensuring that all individuals with access to systems and/or folders containing personal data are aware of their responsibilities, relevant processing procedures, and liabilities;
10.1.12 Implementing reporting procedures, issue resolution mechanisms, and measures to maintain the security level established by this Policy;
10.1.13 Installing antivirus software to protect personal data;
10.1.14 Establishing role-based access controls for personal data processed within the Operator’s information system(s);
10.1.15 Implementing appropriate backup and data recovery procedures;
10.1.16 Conducting regular backups of personal data;
10.1.17 Limiting unsuccessful access attempts to the information system;
10.1.18 Blocking and deleting accounts of terminated employees who had access to personal data in the course of their duties;
10.1.19 Ensuring uninterrupted power supply for devices used to access the information system;
10.1.20 Regulating and monitoring the use of mobile devices within the information system;
10.1.21 Storing physical media containing personal data in fireproof metal cabinets and safes, in compliance with Russian Federation legislation;
10.1.22 For non-automated processing, segregating personal data from other information by recording it on separate physical media or in designated sections/fields of forms and documents that may contain personal data;
10.1.23 For non-automated processing, prohibiting the recording of personal data with mutually incompatible processing purposes on the same physical medium; personal data processed for incompatible purposes must be stored on separate physical media.
10.1.24 Informing employees engaged in non-automated processing of the specific features and rules governing such processing.
10.2 If a User identifies inaccuracies in his or her personal data, the User may update them independently by sending a notification to the Operator’s email address himprom@himprom.com with the subject line “Personal Data Update.”
Processing of Personal Data by Third Parties: Third parties process personal data in cases related to the exercise of the Operator’s legitimate rights and interests (including for the proper functioning of the Website), compliance with applicable law, or when the data subject has provided consent to the Operator for such transfer.
10.3 All information collected by third-party services, including payment systems, telecommunications providers, and other service providers, is stored and processed by such entities (operators) in accordance with their respective terms of use and privacy policies. Data subjects and/or Users are responsible for reviewing such documents independently and in a timely manner. The Operator bears no responsibility for the actions of third parties, including the service providers mentioned herein.
10.4 The Operator is not responsible for, and has no control over, the processing of Users’ personal data on third-party websites.
10.5 Prohibitions established by the data subject on the transfer (other than access provision), processing, or processing conditions (other than access provision) of personal data authorized for dissemination do not apply in cases of data processing carried out in the public interest as defined by Russian Federation legislation.
10.6 The Operator may disclose personal data in the following circumstances (as permitted or required by applicable law):
10.6.1 To comply with applicable law, court orders, or requests from competent state authorities;
10.6.2 In connection with an ongoing investigation;
10.6.3 For investigative purposes or to assist in preventing violations of applicable law or this Policy;
10.6.4 To protect the Operator’s rights, property, and the safety of its employees, program/beneficiaries and applicants for programs/contests (if applicable), their legal representatives, Website Users, or other persons;
10.6.5 In connection with the sale or other transfer of the Operator’s equity stake or assets to third parties;
10.6.6 In the event of the Operator’s restructuring;
10.6.7 In other cases as permitted by applicable law.
Retention Periods:
10.7 The processing period for personal data is determined by the achievement of the purposes for which the data were collected, unless otherwise specified by contract or applicable law.
10.8 Upon achievement of the processing purposes, the Operator shall destroy the personal data (and ensure destruction by any engaged third-party processors) within thirty (30) days.
10.9 A User may withdraw consent to personal data processing at any time by sending a notification to the Operator’s email address himprom@himprom.com with the subject line “Withdrawal of Consent to Personal Data Processing.”
10.10 The Operator stores personal data in a form permitting identification of the data subject no longer than required by the purposes of processing, unless a longer retention period is established by federal law or contract to which the data subject is a party, beneficiary, or guarantor.
10.11 In certain cases, the Operator may continue processing data after consent withdrawal if required to fulfill legal obligations or where such processing is necessary for the exercise of the Operator’s and/or third parties’ legitimate rights and interests.

11. ACTIONS PERFORMED BY THE OPERATOR WITH COLLECTED PERSONAL DATA
11.1 The Operator performs the following actions with personal data: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, and destruction of personal data.
11.2 The Operator conducts mixed processing of personal data, involving receipt and/or transmission of such data through information and telecommunication networks or without the use of such networks.
11.3 The Operator processes personal data both with and without the use of automation tools (mixed processing).
11.4 When collecting personal data, the Operator complies with the database localization requirement, ensuring that the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data are performed using databases located within the territory of the Russian Federation.

12. CROSS-BORDER TRANSFER OF PERSONAL DATA
12.1 The Operator does not engage in cross-border transfers of personal data.
12.2 Should the Operator intend to conduct cross-border transfers of personal data in the future, it shall, prior to initiating such transfers, ensure that the foreign state to whose territory the personal data are to be transferred provides adequate protection of the rights of personal data subjects.

13. CONFIDENTIALITY OF PERSONAL DATA
13.1 The Operator and other persons having access to personal data are obligated not to disclose personal data to third parties or disseminate such data without the consent of the data subject, unless otherwise provided by federal law.
13.2 The Operator ensures the confidentiality of personal data during their processing.

14. FINAL PROVISIONS
14.1 Users may obtain clarification on any matters concerning the processing of their personal data by contacting the Operator via:
14.1.1 Email: himprom@himprom.com;
14.1.2 Mail: 429965, Chuvash Republic – Chuvashia, Novocheboksarsk, 101 Promyshlennaya Street, Russian Federation.
14.2 Any amendments to this Policy will be reflected in this document. The Policy remains in effect indefinitely until replaced by a new version.
14.3 The current version of the Policy is publicly available on the Internet at: https://www.himprom.com/privacy-policy.php or https://www.himprom.ru/en/privacy-policy.php.