# LLC CDEK-DS PRIVACY POLICY Privacy Policy

# WITH RESPECT TO THE PROCESSING OF PERSONAL DATA AND ITS PROTECTION

## I GENERAL PROVISIONS

This Policy has been developed and applied in LLC CDEK-DS on the basis of Articles 23, 24 of the Constitution of the Russian Federation, Federal Law No. 149-FZ dated July 27, 2006 On Information, Information Technologies and Information Protection, Federal Law dated July 27, 2006 No. 152-FZ On Personal Data, Federal Law of December 19, 2005 No. 160-FZOn Ratification of the Council of Europe Convention for the Protection of Individuals with Automated Processing of Personal Data, Resolution of the Government of the Russian Federation of November 01, 2012. No. 1119 On approval of requirements for the protection of personal data when processing in personal data information systems, Resolution of the Government of the Russian Federation No. 687 of September 15, 2008 On Approval of the Regulation on Peculiarities of Processing Personal Data Performed Without Using Automation Tools, Order of the Federal Service for technical and export control of February 18, 2013. No. 21 On approval of the composition and content of organizational measures to ensure the security of personal data when processing them in personal data information
systems and other regulatory and non-regulatory legal acts governing personal data processing issues.
This Policy defines the actions of LLC CDEK-DS in relation to the processing of personal data of individuals who have transferred their personal data for processing, the procedure and conditions for processing personal data, ensuring the security of personal data using or without using automation tools, establishes procedures aimed at preventing violations of the laws of the Russian Federation , elimination of the
consequences of violations related to the processing of personal data. The policy is designed to ensure the protection of the rights and freedoms of Personal Data Subjects in the processing of their personal data, as well as in order to establish the responsibility of LLC CDEK-DS employees who have access to personal data of Personal Data Subjects for non-compliance with the requirements and standards governing the processing of personal data.
The effect of this Policy does not apply to relations arising from the processing of personal data of the LLC CDEK-DS employees, applicants for the Company's vacant posts, since such relations are settled by a separate local act; relations that are not
covered by the Federal Law On Personal Data (paragraph 2 of Article 1 of the Federal Law).
This Policy applies in particular, but not limited to, when navigating on the site www.selltorussia.com, as well as using the services offered on www.selltorussia.com, including without performing registration on www.selltorussia.com .

1.1. Concepts used in this Policy
Personal data- any information relating to directly or indirectly definite or determined individual (Personal Data Subject), which is confidential information of limited access, not constituting a state secret;
The subject of personal datais an individual, carrier of personal data, whose personal data is transferred to the Company for processing.
Personal data operator- LLC CDEK-DS (PSRN 1135476184040, TIN 5406768160, 630007, Novosibirsk, Krivoshchekovskaya St., 15, korp.5), a state body, municipal body, legal or natural person, independently or together with other persons organizing and (or) processing personal data, as well as defining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
Personal data processing- any action (operation) or a set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
Automated processing of personal data- processing of personal data using computer equipment;
Dissemination of personal data- actions aimed at disclosing personal data to an indefinite circle of persons;
Provision of personal data- actions aimed at disclosing personal data to a specific person or a certain circle of persons;
Blocking of personal data- the temporary termination of the processing of personal data (unless it is necessary to process personal data);
Destruction of personal data- actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the material carriers of personal data are destroyed;
Anonymization of personal datais an action in which it becomes impossible without using additional information to determine the identity of personal data to a specific Personal Data Subject;
Use of personal data- actions with personal data performed by the Operator in order to make decisions or perform other actions that generate legal consequences in relation to the Personal Data Subject or other persons or otherwise affect the rights and freedoms of the Personal Data Subject or other persons.
Personal Data Information System- a set of personal data contained in databases and information technologies and technical means ensuring their processing;
Cross-border transfer of personal data- the transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.
Confidentiality of personal datais a requirement for the Operator or another person who has obtained access to personal data not to allow their distribution without the personal data subject<strike>s consent or legal basis.
Site - a set of information, texts, graphic elements, design, images, photos and video materials, other intellectual property, as well as computer software tools that provide for the public viewing of information and data united by a common purpose, through technical means used for communication between computers and the Internet. The site is located on the Internet at: https://www.cdek.ru .
User- an individual who has access to the Site and uses it, regardless of the fact of registration on the Site.

1.2. Abbreviations used in this Policy
IS - information system
Company LLC CDEK-DS
Policy this Policy in relation to the processing of personal data and their protection in LLC CDEK-DS
PD Personal data
RF Russian Federation
Subject Personal Data Subject
Federal Law Russian Federal Law dated July 27, 2006 No. 153-FZ</strike> On Personal Data

1.3. Principles of PD processing
1.3.1.The processing of PD on a legal and fair basis;
1.3.2.Limitations of PD processing to the achievement of specific, predetermined and legitimate goals. The inadmissibility of processing PD, incompatible with the purposes of collecting PD.
1.3.3.Inadmissibility of combining databases created for incompatible purposes of databases containing PD;
1.3.4.Compliance of the content and volume of PD with the purposes of their processing;
1.3.5.The inadmissibility of the treatment of PD excess in relation to the stated objectives of their processing;
1.3.6.Ensuring the accuracy, sufficiency, and, where necessary, the relevance of the PD in relation to the purposes of processing;
1.3.7.Taking the necessary measures or ensuring the adoption of measures to remove or clarify incomplete or inaccurate PD;
1.3.8.PD storage in the form that allows to determine the PD Subject is not longer than the purpose of PD processing requires;
1.3.9.Destruction of personal data on the achievement of the objectives of their processing or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

1.4. PD processing conditions
1.4.1.Processing of PD is carried out with the consent of the Subject to the processing of its PD;
1.4.2.Processing PD is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or the law, for the implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation to the Operator;
1.4.3.The processing of the PD is necessary for the execution of the contract, the party to which either the beneficiary or the guarantor for which is the PD Subject, including if the Operator realizes its right to assign rights (claims) under such an agreement, as well as to conclude an agreement initiated by the Subject PD or the contract on which the Subject of the PD will be a beneficiary or guarantor;
1.4.4.PD processing is necessary for use of the Site by the User;
1.4.5.Processing PD is necessary for the administration of justice, the execution of ajudicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
1.4.6.The processing of the PD is necessary to protect the life, health or other vital interests of the PD Subject if the consent of the PD Subject is not possible;
1.4.7.Processing PD is necessary for the exercise of the rights and legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the PD Entity.
1.4.8.The processing of PD is carried out, the access of an unlimited number of persons to which is provided by the PD Subject or at his request (hereinafter referred to as the PD made publicly available by the Subject);
1.4.9.PD is processed and are subject to publication or mandatory disclosure in accordance with federal law.
1.4.10.The operator does not carry out actions aimed at disclosing the PD to an indefinite circle of persons, that is, it does not distribute the PD.
1.4.11.PD processing is carried out for statistical or other research purposes, with the exception of the purposes specified in Article 15 of the Federal Law, subject to the mandatory depersonalization of PD.
1.4.12.The operator has the right to entrust the processing of PD to another person with the consent of the PD Subject. The transfer is necessary as part of the use of the Site or to provide services to the Subject of the PD, while ensuring the confidentiality of the PD. Persons engaged in the processing of personal data on behalf of the Company undertake to comply with the principles and rules of processing personal data as provided for by Federal Law No. 152-FZ On Personal Data. For each person, a list of actions (operations) with PD that will be performed by the organization engaged in processing PD, processing objectives is established, the duty of such persons is established to maintain confidentiality and ensure the safety of PD during their processing, and also indicates the requirements for the protection of PD being processed.

## II PURPOSES OF PD

2.1.The company is guided by specific, predetermined objectives for processing PD, in accordance with which the PD was provided by the Entity, in particular:
2.1.1.Ensuring the protection of the rights and freedoms of the Subject in the processing
of his PD;
2.1.2.accounting and reporting;
2.1.3.providing the User with the opportunity to interact with the Site, in particular, sending notifications, requests and information related to the provision of services, as well as processing requests and requests from the User;
2.1.4.providing courier services to Customers under the agreement for the provision of courier services;
2.1.5.Conducting the Company's statutory activities in terms of entering into, recording and executing contracts with counterparties (Customers, Contractors, Executors, etc.);
2.1.6.conducting surveys and studies aimed at identifying customer satisfaction / dissatisfaction with the services of the Company, improving the quality of services;
2.1.7.statistical and other studies based on anonymized data.

## III LEGAL BASIS OF PD TREATMENT

3.1.Civil Code of the Russian Federation (Chapter 39 of the Civil Code of the Russian Federation);
3.2.Tax Code of the Russian Federation;
3.3.Federal Law of 15.12.2001 N 167-FZ On Compulsory Pension Insurance in the Russian Federation;
3.4.Charter of the Company;
3.5.The contract for the provision of courier services concluded between the Company and the Subject of PD;
3.6.Consent of the Subject to the processing of PD.

## IV CATEGORIES OF PD SUBJECTS AND LIST OF PD

4.1.Individual - Site User.
Name;
E-mail address;
Address (city, street, house number, apartment number);
Phone number;
Information about the browser used;
Location;
IP address;
Requested web pages;
Source of access to the Sitehttps://www.selltorussia.com

4.2.Individual Client, whose PD have become known to the Operator in connection with the conclusion and execution of the service agreement:
Full Name;
identity document details;
Address (country, city, street, house number, apartment number);
E-mail address;
phone number (home, mobile);

4.3. A physical person whose PD was received from the Client within the framework of a contract for the provision of courier services, the specified PD is not subject to the Operator<strike>s actions and obtaining consent for their processing is the responsibility of the respective Client, which is stipulated in the contract; Full Name; identity document details; Address (country, city, street, house number, apartment number; phone number (home, mobile);

4.4. An individual whose PD was received from a counterparty under a civil law contract, the specified PD is not the object of the Operators actions and obtaining consent for their processing is the responsibility of the respective contractor / performer; Full Name; data of the identity document (in the provision of power of attorney); E-mail address.

## V COOKIES

5.1.The site owner LLC CDEK-DS uses an automatic cookie data collection system on the site. Cookies are a set of information transmitted by the server to the browser and to the device of the User, such as the user's IP addresses and other information related to the traffic of user data or the user's preferences when navigating the Site. Permission to use cookies is necessary to use the Site and its services, including ordering services.The data are processed in an aggregate and anonymous form and do not contain information about personal data, but at the same time they allow linking the user with his personal information provided by the User on the Site. The specified data is collected by the Site in the process of navigation through the Cookie directly and automatically as part of the implementation of operational functions.

5.2.Most browsers have the ability to delete cookies after each session. Instructions for performing such a deletion operation are contained in the Settings section of the Users browser or in the reference information, and the User can access it if he wishes to delete the cookie.

5.3.If the procedure for deleting cookies was launched in whole or in part, the Website Owner cannot guarantee that the Websites web pages and / or the provision of certain services on the website will function properly.

## VI BASIC RIGHTS AND OBLIGATIONS OF THE SUBJECT OF PD AND COMPANY IN THE FIELD OF PROTECTION OF PD

6.1.The Subject has the right to:
6.1.1.to receive information concerning the processing of its PD, in particular:
- confirmation of the processing of PD by the Company;
- the legal basis and purpose of processing PD;
- methods of processing PD used by the Company;
- name and location of the Company, information about persons (except for employees of the Company) who have access to the PD or with whom the PD may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
- processed PD related to the relevant PD Subject, the source of their receipt, unless a different procedure for granting is provided for by federal law;
- processing time of PD and their storage period;
- the procedure for the Subject of the PD to exercise their rights;
- name or surname, name, patronymic and address of the person performing the processing of personal data on behalf of the Company, if processing is entrusted to or will be entrusted to such person;
- other information provided for by federal law.
6.1.2.require the Company to clarify its PD, block them or destroy it if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect their rights.
6.1.3.to require the Company to notify all persons to whom previously incorrect or incomplete PD was notified of all exceptions, corrections and additions made to them;
6.1.4.withdraw your consent to the treatment of PD;
6.1.5.for free free access to their PD through a personal appeal or by sending a request (the request form is given in Appendix No. 1). Information on PD shall be provided in an accessible form at the location of the Company during working hours within thirty days from the date of receipt of the request (excluding PD, relating to other PD Subjects);
6.1.6.to appeal against the actions or inaction of the Company to the authorized body for the protection of the rights of the Subjects of the PD or in court.
6.1.7.other rights provided by applicable law.

6.2.The Subject of the PD is obliged to:
6.2.1.transfer to the Company authentic PD. The Company has the right to check the accuracy of the PD provided in the manner not contradicting the legislation of the Russian Federation, however, the Company proceeds from the fact that the PD Subject provides reliable and sufficient PD for the purposes of PD processing, and keeps this information up to date.
6.2.2.promptly inform the Company about the change in their PD.

6.3.The subject of the PD decides on the provision of his PD and agrees to their processing freely, by his own will and in his interest.

6.4.Operator Responsibilities:
6.4.1.ensure the confidentiality of the PD. The operator and other persons who have obtained access to the PD are obliged not to disclose to third parties and not to distribute the PD without the consent of the PD Subject, unless otherwise provided by
law;
6.4.2.When collecting PD, provide information on the processing of PD;
6.4.3.in case of refSouth Koreal to provide the DPT, the Subject is explained the consequences of such refSouth Koreal;
6.4.4.publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of PD, information about the implemented requirements for the protection of PD;
6.4.5.take necessary legal, organizational and technical measures or ensure their adoption to protect IDPs from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions against PD;
6.4.6.provide answers to requests and requests from PD subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.

# VII PROCEDURE FOR TREATMENT OF PD

7.1.The operator processes the PD of the Subjects by performing any action (operation) or set of actions (operations) performed using automation means or without using such means, including the following: - collection;
- record;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- use;
- transfer (provision);
- depersonalization;
- blocking;
- deletion;
- destruction.

7.2.The operator receives PD:
- by personal transfer by the Subject of PD when entering data on the Site;
- by personal transfer by the Subject in a civil law relationship;- from third parties (Customers, contractors);
- from publicly available sources.

7.3.The operator receives and starts processing the PD of the Subject from the moment of receiving his consent.
Consent to the processing of a PD may be given by the PD Subject in any form allowing
to confirm the fact of receiving consent, unless otherwise established by federal law: in
written, oral or other form provided for by the current legislation, including through the
PD Subject performing of concrete actions.
In particular, the consent to the processing of the PD is considered to be provided by
the Subject in case of performing by the Subject the following actions:
putting a special sign - </strike>checkboxes or web tags in a special field on the Site (e.g. when requesting any materials, when contacting in the Feedback form, when registering in the Personal Account, when making an Application for services) and clicking the corresponding button is considered unambiguously, as granting consent for the processing of PD in the volume, for the purposes and in the manner provided in the text proposed before putting a special sign (the text of the Consent is Appendix No. 2 to this Policy). The consent is deemed received from the moment of putting a special mark and is valid until the Subject of the PD submits a corresponding statement on the termination of the processing of the PD at the location of the Operator or by e-mail:
<pretenzia@cdek.ru>
If the Subject does not agree with the processing of his PD, such processing is not
carried out.

7.4.The receipt by the Operator of PD from other persons, as well as the transfer of instructions for processing PD, is carried out on the basis of an agreement containing conditions on the procedure for processing and maintaining the confidentiality of received PD.

7.5.When processing PD, the Executive Body of the Company has the right to approve methods of processing, documenting, storing and protecting PD on the basis of modern information technologies.

7.6.The operator prior to the processing of PD appoints the person responsible for organizing the processing of PD in a position not lower than the head of the structural unit, hereinafter referred to as the OPD Supervisor, who receives instructions directly
from the executive body of the Operator and reports to him.

7.7.The list of persons allowed to process PD is determined by a directive of the Executive Body and internal local regulatory acts of the Company. These persons should be familiarized before starting work:
- with the provisions of the legislation of the Russian Federation on PD, including the requirements for the procedure for the protection of PD;
- with documents defining the actions of the Operator in relation to the processing of PD, including this Policy, annexes and amendments thereto;
- with local acts on the processing of PD.
Operator's employees are entitled to receive only those PD that they need to perform specific duties. Operator's staff engaged in the processing of PD should be informed of the fact of such processing, of the features and rules of such processing established by the regulatory legal acts and internal documents of the Operator. An employee of the Company who has the right to process PD is provided with a unique login and passwordto access the corresponding IP in the prescribed manner.

7.8.The assessment of the harm that may be caused to the Subjects in the event that the Operator violates the requirements of the Federal Law is determined in accordance with Art. st. 15, 151, 152, 1101 of the Civil Code of the Russian Federation.

7.9.If the Operator entrusts the processing of PD to third parties who are not its employees, on the basis of concluded contracts (or other grounds), by virtue of which they must have access to the PD of the Site users, the Operator provides the relevant data only after signing with the persons processing the PD on behalf of the Operator, the relevant agreement, in which the list of actions (operations) with PD to be performed by the person who processes them and the purposes of processing should be defined The duty of such a person is established to respect the confidentiality of the PD and to ensure the safety of the PD during their processing, and the requirements for the protection of the PD to be processed should be specified in accordance with art. 19 of the Federal Law "On Personal Data".

7.10.PD cannot be used for the purpose of causing property and moral harm to Subjects, or difficulties in the implementation of the rights and freedoms of citizens of the Russian Federation.

7.11.In order to provide its own information support, the Company may create publicly accessible sources of PD of the Subjects, including reference books and address books. Publicly available sources of PD with the written consent of the Subject may include his surname, first name, patronymic, date and place of birth, position, contact telephone numbers, e-mail address and other PD reported by the Subject. Information on the Subject must be at any time excluded from publicly available sources of PD at the request of the Subject or by a decision of the court or other authorized state bodies.

7.12.Processing and storage of PD are carried out no longer than the purpose of processing PD requires, if there are no legal grounds for further processing, for example, if the federal law or the consent of the Subject does not establish an appropriate retention period in the contract with the PD Subject. PD to be processed shall be destroyed or depersonalized upon the achievement of processing objectives or in case of loss of the need to achieve these objectives.

7.13.Storage PD, processing purposes of which are different, is carried out separately within the information system or, if stored on tangible media, within the business structure of the relevant division of the Operator.

7.14.An employee of the Operator who has access to the PD in connection with the performance of his job duties ensures the storage of information containing the PD of the Subjects, precluding access to them by third parties. In the absence of an employee at his workplace should not be documents containing PD. When taking leave, a business trip and other cases of a long absence of an employee at the workplace, he is obliged to transfer documents and other carriers containing personal data to a person who will be entrusted with the local act of the Operator in the performance of his job duties. In the event that such a person is not appointed, documents and other carriers containing the PD of the Subjects are transferred to another employee who has access to the PD at the direction of the head of the relevant structural unit of the Operator.
When an employee with access to a PD is dismissed, documents and other carriers containing PD are transferred to another employee who has access to the PD at thedirection of the head of the structural unit and with notice to the person responsible for processing the PD.

7.15.PD processing is terminated, destruction / depersonalization of PD is performed in connection with:
7.15.1.achievement of the purpose of processing PD, loss of the need to achieve the objectives of processing PD - within thirty days, unless otherwise provided by the contract;
- the expiration of the term of the consent of the Subject of PD - within thirty days;
- detection of unlawful processing of PD - within three days from the date of detection;
- the impossibility of ensuring the legality of the processing of personal data - within ten days;
- withdrawal of the consent of the Subject of PD if the preservation of PD no longer required for the treatment of PD - within 30 days.
7.16.The PD subject may at any time withdraw his consent to the treatment of PD, provided that such a procedure does not violate the requirements of the legislation of the Russian Federation. In case of withdrawal by the Subject of consent to the processing of PD, the Operator is entitled to continue processing of PD without the consent of the Subject only if there are grounds specified in the Federal Law. To withdraw consent to the processing of PD, the PD subject must submit a corresponding written application at the location of the Operator or send an e-mail to:
<pretenzia@cdek.ru>
In case of withdrawal by the Subject of consent to the processing of its PD, the Operator stops processing them or ensures that such processing stops (if the processing is carried out by another person acting on instructions of the Operator) and in case the retention of the PD is no longer required for the purposes of their processing, destroys the PD or provides their destruction (if processing is carried out by another person acting on behalf of the Operator) within a period not exceeding 30 (Thirty) days from the date of receipt of the withdrawal, unless otherwise provided by the contract, where the PD Subject is a party, beneficiary, or guarantor, another agreement between the Operator and the Subject, or if the Operator does not have the right to process the PD without the consent of the Subject on the grounds provided for by the Federal Law or other federal laws.

## VIII MAINTENANCE OF SECURITY

8.1.When processing PD, the Operator applies legal, organizational and technical measures and ensures that they are taken to protect PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, submission, distribution of PD, as well as from other illegal actions in accordance with the requirements of ensuring the safety of PD when they are processed in the PD information systems, the requirements for the tangible media of the PD and the technologies for storing such data outside the PD information systems established by the Rule stvom RF.

8.2.Measures for the protection of personal data are determined by the Regulations, Orders, Instructions and other local acts of the Company.

8.3.The Company takes the measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the laws of the Russian Federation and the regulatorylegal acts adopted in accordance with them. The Company independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations provided for by the Federal Law On Personal Data and the regulatory legal acts adopted in accordance with it, unless otherwise provided by this law or other federal laws. Ensuring the safety of PD is achieved in particular:
- the appointment of a responsible person for organizing the processing of PD;
- the definition of threats to the safety of PD when they are processed in the information systems of PD;
- the use of organizational and technical measures to ensure the safety of the PD;
- assessment of the effectiveness of measures taken to ensure the safety of the PD;
- detection of facts of unauthorized access to PD and taking the necessary measures;
- restoration of PD, modified or destroyed due to unauthorized access to them;
- the establishment of rules for access to PD processed in information systems PD;
- control over the measures taken to ensure the safety of the PD and the level of security of the information systems of the PD;
- assessment of the harm that may be caused to the Subjects of the PD in the event of a violation of the Federal Law, the ratio of the specified harm and the measures taken by the Company aimed at ensuring the fulfillment of the duties stipulated by the Federal Law;
- the publication by the Company of local acts on the processing of PD, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
- familiarization of the Company's employees who directly process the PD with the provisions of the legislation of the Russian Federation, this Policy and other local acts on the processing of PD, and (or) training (instruction) of these employees.

## IX REQUESTS, APPEALS AND ORDER OF THEIR PROCESSING BY THE OPERATOR

9.1.The operator is obliged to provide free of charge to the Subject or his representative the opportunity to get acquainted with the PD related to this Subject. Within a period not exceeding seven working days from the date of submission by the Subject or his representative of information confirming that the PD are incomplete, inaccurate or irrelevant, the Operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the Subject or his representative of information confirming that such PD are illegally obtained or are not necessary for the stated purpose of processing, the Operator is obliged to destroy such PD. The operator is obliged to notify the Subject or his representative about the changes made and the measures taken and take reasonable measures to notify third parties to whom the PD of this Subject have been transferred.

9.2.The operator is obliged to inform the authorized body for the protection of the rights of personal data subjects at the request of this body the necessary information within thirty days from the date of receipt of such a request.

9.3.If unauthorized processing of PD is detected when the Subject or his representative is contacted or at the request of the Subject or his representative or the authorized body to protect the rights of personal data subjects, the Operator is obliged to block unlawfully processed PD related to this Subject, or ensure their blocking (if the PD isprocessed by another person acting on behalf of the Operator) from the time of such a request or receipt of the specified request for the period of verification. If inaccurate PD is detected when the Subject or his representative addresses, either at their request or at the request of the authorized body to protect the rights of personal data subjects, the Operator is obliged to block the PD related to this Subject or ensure blocking it (if the PD is processed by another person acting on behalf of the Operator) from the moment of such a request or receipt of the specified request for the inspection period, if blocking the PD does not violate the rights and legitimate interests of the Subject or third parties.

9.4.In case of confirmation of the fact of inaccuracy of the PD, the Operator on the basis of information provided by the Subject or his representative or the authorized body for protection of the rights of personal data subjects, or other necessary documents is obliged to clarify the PD or ensure their clarification (if the PD is processed by another person acting on behalf of the Operator) within seven working days from the date of submission of such information and remove the blocking of PD.

9.5.In case of unlawful processing of PD, carried out by the Operator or a person acting on behalf of the Operator, the Operator shall, within three working days from the date of this identification, be obliged to stop the illegal processing of the PD or ensure the termination of the illegal processing of the PD by the person acting on behalf of the Operator. If it is impossible to ensure the legality of the processing of PD, the Operator shall, within a period not exceeding ten working days from the date of unlawful processing of PD, identify such PD or ensure their destruction. The Operator is obliged to notify the Subject or his representative about the elimination of the violations or the destruction of the PD, and if the appeal of the Subject or his representative or the request of the authorized body to protect the rights of personal data subjects were also sent by the authorized body to protect the rights of personal data subjects, the Operator is obliged to notify the specified body.

## X CONTROL, RESPONSIBILITY FOR VIOLATION OR DEFAULT OF POLICIES

10.1.The control over the execution of this Policy is imposed on the OPD Supervisor.

10.2.Persons violating or not fulfilling the requirements of the Policy are brought to disciplinary, administrative, civil or criminal liability in accordance with the legislation of the Russian Federation.

10.3.Heads of structural units of the Operator are personally responsible for the performance of duties by their subordinates.

## XI OTHER PROVISIONS

11.1.This Policy and changes to it are approved by the sole executive body of the Company, are binding for all employees who have access to the PD of the Subjects, and enters into force from the date of its approval.

11.2.All employees of the Company admitted to work with PD should be familiarized with this Policy before starting work with PD.

11.3.Publication or otherwise providing unrestricted access to this Policy, other documents defining the policy of the Operator in relation to the processing of PD, to the information about the implemented requirements for the protection of personal data, the Operator performs, in particular but not limited to, by posting on an electronic site owned by the Operator.11.4.All issues related to the processing of PD that are not regulated by this Policy are resolved in accordance with the current legislation of the Russian Federation in the field of personal data, as well as other local acts adopted by the Company in the field of personal data.

# Appendix No. 1 to the Policy regarding the processing and protection of Personal Data Request Form on the access of the Personal Data Subject to their personal data

To the head of
LLC "CDEK-DS"
PSRN 1135476184040, TIN 5406768160,
630007, Novosibirsk,
ul. Krivoshchekovskaya, 15, block 5
Request on the access of the Personal Data Subject to their personal data
I, \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_(full
name)\_\_\_\_\_\_\_(main document proving the identity of the Personal Data Subject or his
representative)\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_(main document number)issued \_\_ \_\_\_\_\_\_\_\_\_\_\_\_
\_\_\_\_\_ year(issue date)\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_(issuer
of main document),
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_(information confirming
the participation of the Personal Data Subject in the relationship with the Operator
(contract number, date of conclusion of the contract, conditional verbal designation and /
or other information) or information otherwise confirming that the Operator has
processed personal data)
Please provide me with the following information (documents) for compiling my personal
data:
1.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_;
2.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_;
3. \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_.
"\_\_" \_\_\_\_\_\_\_\_\_\_\_ 20\_\_.
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ / \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ /
Signature Print full name

Appendix No. 1 to the Policy regarding the processing and protection of Personal Data
Request Form on the access of the Personal Data Subject to their personal data
To the head of
LLC "CDEK-DS"
PSRN 1135476184040, TIN 5406768160,
630007, Novosibirsk,
ul. Krivoshchekovskaya, 15, block 5
Consent
on the processing of personal data
I hereby freely, by my own will and in my interest, informed and agree that in
accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the
information I have provided, including information on:
Please provide me with the following information (documents) for compiling my personal
data:
- Full Name- E-mail address
- The address (city, street, house number, apartment number) is required for pick-up /
delivery of departure
- Phone number
Information about the browser used;
Location;
IP address;
Cookie data;
Requested web pages;
Source of access to the Site https://selltorussia.com
... (other statistics collected by the site) will be added to the archive of the Operator for
the processing of personal data. I grant the right to process this data in order to
organize the process of providing the information I requested about the services of the
Operator, receiving feedback from the Operator, ordering services, registering the
Personal Account, except when expressly stated otherwise. My PD will be used when I
request a Callback, provide feedback, my registration and (or) authorization
onhttps://www.selltorussia.comfor the purposes established by Section II of the Policy
regarding the processing and protection of Personal Data, namely, in order to: -
providing the User with the opportunity to interact with the Site, in particular, sending
notifications, requests and information related to the provision of services, as well as
processing requests and requests from the User; - the provision of courier services to
customers under the agreement for the provision of courier services; -conducting
surveys and studies aimed at identifying customer satisfaction / dissatisfaction with the
Company's services, improving the quality of services; - conducting statistical and other
studies based on anonymous data. - informing me about promotions, special offers,
new services of LLC CDEK-DS;
In connection with the above objectives, I understand that my personal data may be
communicated to third parties, and I give my consent to this.
In the case of the provision of data from third parties, including contact information, I
confirm that the Personal Data Subject has been notified of the processing of his
personal data by the Operator for the processing of personal data.
I am hereby informed that I have the right to require clarification of my personal data, its
blocking or destruction in case personal data is incomplete, outdated, inaccurate or not
necessary for the stated purpose of processing. data by sending a statement at the
location of the Operator or send an e-mail to the e-mail address: pretenzia@cdek.ru.
I give my consent to the use of the provided personal data for sending commercial
information by the Operator for the processing of personal data and third parties to the
specified phone number and email address.
I give the right to send me information about the services, offers and promotions of the
Operator and / or its Partners, including through electronic and mobile communications.
I am aware and agree that the provided personal data may be incorporated by the
Operator into publicly accessible sources of personal data created by the Company for
the purposes of its own information support (clause 6.11. Policies).
I am hereby informed that I can at any time refuse to receive commercial information by
sending my application at the location of the Operator or by sending an e-mail to:
<pretenzia@cdek.ru>
from South Korea