Privacy Policy

The section was last updated on 26 December 2024¹

The Policy was developed in accordance with Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006 (hereinafter “152-FZ” or “Personal Data Legislation”) for the purposes of exercising the rights of personal data subjects and is aimed at ensuring the protection of human rights and freedoms when processing personal data at the Company.

The “Company” and the pronoun “we” shall mean “Kept in Russia.” “Kept in Russia” shall mean JSC “Kept,” “Kept Tax and Advisory” LLC, “Kept Digital Products” LLC, “Kept Verification” LLC, companies incorporated under the laws of the Russian Federation and acting as independent operators processing your personal data.

In a number of cases, Kept in Russia processes this information together with Kept in Belarus² in accordance with the provisions of this Policy, taking into account the specifics stipulated by applicable policies and laws, as we hereby inform you below.

We believe it is our duty to ensure the necessary protection and appropriate use of personal data received from you directly or through third parties authorized by you.

The Policy discloses what we do with your personal data, how much personal data are processed by the Company and using our information resources:

• Official website of the Company
• Kept information resource
• Kept Hotline
• Kept Risk RADAR
• kept-tech.ru
• Construction (sitesurveyor.ru)
• Kept Central
• https://kept.vcv.ru/
• EvaTeam
  

If you are a client/counterparty (representative of a client/counterparty), your data shall be processed by one of the legal entities depending on the service we offer, as well as to eliminate conflicts of interest and comply with the requirements of audit independence.

If you are a relative of an employee, your data shall be processed by the legal entity in which your relative is employed.

If you are a job applicant, or an employee, or a dismissed employee, your data are processed by one of Kept in Russia companies, depending on where you have applied or are employed and, respectively, which company you have left.

If you are a visitor to our websites, your data shall be processed by website owners (Official website of the Company; Kept information resource; Kept Hotline; Kept Risk RADAR; kept-tech.ru; kept-tech.ru; Construction (sitesurveyor.ru); Kept Central; https://kept.vcv.ru/; EvaTeam).

The operators JSC “Kept,” “Kept Tax and Advisory” LLC, “Kept Digital Products” LLC, “Kept Verification” LLC, have concluded the relevant agency contracts for processing your personal data, each legal entity takes all necessary measures to protect personal data in accordance with the requirements of the Personal Data Legislation.

Contents

1. Personal data processing principles
2. Legal grounds for personal data processing
3. Information on the purposes and methods of personal data processing, categories of personal data subjects, as well as the volume of personal data and legal grounds for personal data processing
4. Transfer to third parties
5. Cross-border transfer of personal data
6. Storage and deletion of personal data
7. Your rights
8. Rights and obligations of the Company
9. Personal data protection
10. Audit and monitoring of personal data processing and security
11. Contacts
12. Terms and definitions

1. Personal data processing principles

When processing your personal data, the Company is governed by the principles of legality and fairness of their processing, ensuring the accuracy, sufficiency and, where necessary, relevance of personal data. The Company ensures proper protection of processed personal data and keeps them for no longer than the processing purposes require.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

1. Legality and fairness: when processing personal data, we ensure a legal basis in accordance with the personal data legislation, and do not abuse the possibilities provided to us (Clause 1 of Article 5, 152-FZ).

Compliance with the principle of personal data processing at the Company:

2. Processing of personal data for specific, predetermined and legitimate purposes: personal data processing incompatible with the purposes of personal data collection is prohibited (Clauses 2, 3, 4 of Article 5, 152-FZ).

Compliance with the principle of personal data processing at the Company:

• We have determined in advance the purposes of personal data processing that do not contradict the requirements of the personal data legislation.
• We do not process personal data for purposes incompatible with those for which we have collected your personal data.

3. Sufficiency of personal data: processing of personal data exceeding the amount sufficient to achieve a specific purpose is prohibited (Clause 5 of Article 5, 152-FZ).

Compliance with the principle of personal data processing at the Company:

• The content and volume of personal data processed by us correspond to the stated processing purposes and are sufficient to achieve these purposes. Redundancy of personal data is prohibited.

4. Accuracy and relevance of personal data: necessary measures are taken to clarify incomplete or inaccurate personal data (Clause 6 of Article 5, 152-FZ).

Compliance with the principle of personal data processing at the Company:

• We ensure the accuracy, sufficiency and relevance of personal data in relation to the purposes of their processing.
• We receive personal data only from reliable sources: from you or from third parties that have confirmed the legitimacy of providing your personal data.
• We maintain a Register of Personal Data Processing Processes, which contains information on the purposes, legal grounds, categories of subjects and the amount of personal data processed.
• We take the necessary measures to delete or clarify incomplete and/or inaccurate personal data. You can send us a request to update your personal data.

5. Storage of personal data: storage of personal data is possible no longer than required by the purposes of personal data processing (Clause 7 of Article 5, 152-FZ).

Compliance with the principle of personal data processing at the Company:

• We store personal data in a form that allows us to identify the subject of personal data, but no longer than the purposes of personal data processing require.
• We destroy personal data at your request, when processing purposes are achieved, or if these purposes are no longer relevant.

6. Protection of personal data: the necessary technical and organizational measures are taken to ensure the protection of personal data during their processing (Articles 18.1, 19, 152-FZ).

Compliance with the principle of personal data processing at the Company:

• The Company shall ensure proper protection of the personal data processed using appropriate technical or organizational measures, including protection against unauthorized or illegal processing and accidental loss, destruction or damage to personal data. A more detailed description of the measures is given in Section 9 of this Policy.

Вернуться к разделам

2. Legal grounds for personal data processing

In order to comply with the requirements of applicable laws and the principle of legality when processing your personal data, we shall be governed by the processing terms and conditions stipulated by Clause 1 of Article 6 of 152-FZ.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

Conclusion and performance of a contract: the processing of your personal data is necessary to conclude a contract (including an employment contract) and/or perform our obligations thereunder.

Statutory duty: we are obligated to process your personal data in order to perform the statutory duty, for example, to keep records for tax purposes or to provide information to a government body or a law enforcement agency.

Your consent: in certain cases, we shall request your consent to the processing of certain personal data, and your personal data shall be processed only if your consent is obtained.

Personal data are processed for statistical or other research purposes: we may need your data for statistical or research purposes, before using them we depersonalize your personal data.

Return to sections

3. Information on the purposes and methods of personal data processing, categories of personal data subjects, as well as the volume of personal data and legal grounds for personal data processing

We process your personal data only when it is required to achieve a predetermined purpose, is required by law or professional standards.

We process personal data if you provide it to us directly or through third parties authorized by you. But in some cases we may already have personal data (for example, if you are a former employee of the Company or you already have business relations with the Company), but they are not processed for longer than the purposes or laws require.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

In the course of our activity, we process personal data of the following categories of subjects.

Client/counterparty. Client/counterparty data are processed for the purposes and in the scope specified below.

• Organizing and holding marketing and other events, including publications in the press and other mass media, as well as business and entertainment events: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; gender; e-mail address; address of residence; registration address; phone number; profession; position; information on employment history (including length of service, data on current employment, with an indication of the name and settlement account of the organization).
  
  Legal basis: consent to personal data processing.
• Organizing the issue of passes to the company's buildings: surname, first name, patronymic; details of the identification document.
  
  Legal basis: consent to personal data processing.
• Performing obligations stipulated by the contract with a counterparty/client: surname, first name, patronymic; e-mail address; address of residence; registration address; phone number; citizenship; profession; position, questionnaire and biographical data, reference letters; information on employment.
  
  Legal basis: contract.
• Counterparty due diligence: surname, first name, patronymic; e-mail address; address of residence; registration address; phone number; citizenship; profession; position; questionnaire and biographical data, reference letters; information on crossing the border of the Russian Federation (for foreign citizens); information on the work permit and migration card (for foreign citizens); information on migration registration; information on employment.
  
  Legal basis: contract, consent to personal data processing.
• Subscription to mailings: surname, first name, patronymic; name of the organization; position; corporate e-mail address; phone number.
  
  Legal basis: consent to personal data processing.
• Completing feedback forms: name; city; name of the organization; position; phone number; country; e-mail address.
  
  Legal basis: consent to personal data processing.

Whistleblowers. Whistleblowers’ data are processed for the purposes and in the scope specified below.

• Incident reporting: surname, first name, patronymic; e-mail address; phone number; place of work.
  
  Legal basis: consent to personal data processing.

Website visitors. Website visitors’ data are processed for the purposes and in the scope specified below.

• Organizing and holding marketing and other events, including publications in the press and other mass media, as well as business and entertainment events: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; gender; e-mail address; address of residence; registration address; phone number; profession; position; information on employment history (including length of service, data on current employment, with an indication of the name and settlement account of the organization); face image data obtained using photo and video devices to identify the personal data subject; information on the command of foreign languages; questionnaire and biographical data, reference letters; information on awards and titles; information on membership in the self-regulatory organizations of auditors, appraisers and others; information on the previous position and period of work; name of the organization and position held.
  
  Legal basis: consent to personal data processing.
• Organizing and performing research, questionnaire surveys, surveys, including on employment issues: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; gender; e-mail address; address of residence; registration address; phone number; profession; position; information on employment history (including length of service, data on current employment, with an indication of the name and settlement account of the organization).
  
  Legal basis: consent to personal data processing.
• Collection of analytical information: on our websites (kept.ru; mustread.kept.ru; hotline.kept.ru; Kept Risk RADAR ; assets.kept.ru; kept-tech.ru; kept-tech.ru; Construction (sitesurveyor.ru); Kept Central; https://kept.vcv.ru/; EvaTeam) – cookies technologies are used. During a website visit, a cookie banner appears using which you can give your consent to the cookies processing by first reviewing the procedure for the cookies processing set forth in the Cookies Policy. The IP address is also processed on our websites. The IP address is the number assigned to your computer each time you access the Internet. IP addresses of visitors to our websites shall be considered for the purposes of information security and system diagnostics. This information shall also be used in aggregated form to analyze trends in the use of websites and their effectiveness, for example, to determine the number of unique online visitors to our websites and collect information on their geographical location, and not to identify individual online visitors. The company may also collect and use information about the geographic location of your computer or mobile device.
  
  Legal basis: consent to processing cookies.
• Subscription to mailings: surname, first name, patronymic; name of the organization; position; corporate e-mail address; phone number.
  
  Legal basis: consent to personal data processing.
• Completing feedback forms: name; city; name of the organization; position; phone number; country; e-mail address.

Employees. If you are an employee, the information on the purposes, amount of personal data processing and their storage periods is provided in the Company’s internal regulations.

Employees’ relatives. The data of employees’ relatives are processed for the purposes and in the scope specified below.

• Organizing the entry and stay in the Russian Federation: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; e-mail address; address of residence; registration address; phone number; citizenship; details of the identification document; position; face image data; information on the composition and members of the family; information on crossing the border of the Russian Federation; visa details; degree of kinship.
  
  Legal basis: consent to personal data processing.
• Obtaining accreditation, visa support for employees and their family members, obtaining business visas, migration registration and deregistration, customs processing of personal freight, obtaining medical certificates (if this is stipulated by migration legislation), documents, obtaining work permits and notifications on hiring: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; e-mail address; address of residence; registration address; phone number; citizenship; details of the identification document; position; information on the composition and members of the family; information on crossing the border of the Russian Federation; information on migration registration; visa details; degree of kinship; face image.
  
  Legal basis: consent to personal data processing.
• Organizing mandatory and voluntary medical insurance (including family members)/life insurance: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; SNILS (Personal Insurance Account Number); Tax Identification Number (TIN); citizenship; details of the identification document; position; information on the composition and members of the family; information on migration registration; visa details; degree of kinship.
  
  Legal basis: consent to personal data processing.
• Organizing courier, transport (including air, railway) services (including family members): surname, first name, patronymic; position; information on the composition and members of the family; degree of kinship.
  
  Legal basis: consent to personal data processing.
• Travel arrangements, including foreign travel: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; e-mail address; address of residence; registration address; phone number; citizenship; details of the identification document; position; face image; information on the composition and members of the family; information on crossing the border of the Russian Federation; visa details; degree of kinship.
  
  Legal basis: consent to personal data processing.

Applicants. Applicants’ data are processed for the purposes and in the scope specified below.

• Selection of candidates for vacant positions and replenishment of the talent pool: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; gender; e-mail address; address of residence; phone number; citizenship; profession; position; information on employment history (including length of service, data on current employment, with an indication of the name and settlement account of the organization); information on education); marital status; registration address; details of the identification document; position.
  
  Legal basis: consent to personal data processing.
• Obtaining accreditation, visa support for employees and their family members, obtaining business visas, migration registration and deregistration, customs processing of personal freight, obtaining medical certificates (if this is stipulated by migration legislation), documents, obtaining work permits and notifications on hiring:: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; marital status; gender; e-mail address; address of residence; registration address; phone number; citizenship; details of the identification document; position; information on the state of health; face image, information on the composition and members of the family; information on crossing the border of the Russian Federation; information on migration registration, visa details; degree of kinship; face image.
  
  Legal basis: consent to personal data processing.
• Organizing the issue of passes to the company's buildings: surname, first name, patronymic; details of the identification document.
  
  Legal basis: consent to personal data processing.

Dismissed employees. The data of dismissed employees are processed for the purposes and in the scope specified below.

• Maintaining contact with former employees of the company: surname, first name, patronymic; year of birth; month of birth; date of birth; place of birth; gender; e-mail address; address of residence; registration address; phone number; information on employment history (including length of service, data on current employment, with an indication of the name and settlement account of the organization); information on the previous place of work (position; period of work).
  
  Legal basis: consent to personal data processing.

Information on the specifics and methods of personal data processing at the Company is provided below.

Children’s personal data processing. The Company is fully aware of the importance of safeguarding the privacy of children, especially in electronic communication. Our websites are not intended for children under 13 years of age. In accordance with our policy, we never specifically collect and store data on persons under 13 years of age, except for the collection and storage of such data as part of the provision of professional services.

Processing of biometric personal data and special categories of personal data. We may process special categories of personal data, as well as biometric personal data, in accordance with the laws of the Russian Federation on personal data processing only based on written consent of personal data subjects or other grounds stipulated by the laws of the Russian Federation.

Methods of personal data processing. The Company processes your personal data using automation tools and without such tools (on paper).

Placement of personal data in public sources. The Company does not publish a subject’s personal data in public sources without his/her prior consent.

Decision-making based on exclusively automated processing. The Company prohibits the adoption of decisions on the basis of exclusively automated processing of personal data where such decisions give rise to legal consequences in respect of the personal data subject or otherwise affect his/her rights and legitimate interests, except for cases stipulated by federal laws, or with the written consent of the personal data subject.

Return to sections

4. Transfer to third parties

We transfer your personal data to third parties only if necessary for the purposes of our professional activity, the processing of your requests, the performance of contractual obligations and/or if required or permitted by law. For more details on these third parties follow the link.

The Company undertakes not to transfer the personal data provided by you to third parties for their subsequent use by these parties for direct marketing purposes.

Return to sections

5. Cross-border transfer of personal data

When necessary for the sale of services, we may transfer personal data to foreign parties. The issues of adequate protection of the rights of personal data subjects and ensuring the security of their personal data during cross-border transfer are among the highest priorities for the Company, and such issues shall be addressed in accordance with applicable laws.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

Prior to the commencement of the cross-border transfer of personal data, the Company submits a notice of its intention to perform the cross-border transfer of personal data to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).

After sending a notice of intention to perform cross-border transfer of personal data and before Roskomnadzor takes a decision on the possibility of personal data transfer, the Company:

• may perform the cross-border transfer of personal data to the territory of states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and are included in the list of foreign states that ensure adequate protection of the rights of personal data subjects.
• shall not perform the cross-border transfer of personal data to the territory of foreign states that are not parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and are not included in the list of foreign states that ensure adequate protection of the rights of personal data subjects until the expiration of ten business days from the date of sending the notification.

If Roskomnadzor makes a decision to prohibit or restrict the cross-border transfer of personal data, the Company shall ensure the destruction by a foreign party of the personal data previously transferred to it.

Return to sections

6. Storage and deletion of personal data

The period of such data storage shall depend on the specific events and circumstances under which the data were collected.

We store personal data only for the period of time that we need it:

• to fulfill requests and/or contractual obligations (during the effective term of the contract, as well as during the limitation period); 
• to comply with the requirements of laws, regulatory bodies, internal administrative activities;
• until personal data processing purposes are achieved or until consent is withdrawn (if personal data are processed based on consent to personal data processing).

Return to sections

7. Your rights

When processing personal data, the Company guarantees compliance with the provisions of Federal Law No. 152-FZ.

Right to receive information related to personal data processing: you can request information on the processing of your personal data, and we shall provide it to you in a structured and accessible format (Clause 7 of Article 14, 152-FZ).

Right to correct personal data: if you believe that any personal data that we keep about you are inaccurate or incomplete, you may request that we correct or supplement the data (Clause 7 of Article 14, 152-FZ).

Right to delete personal data: you may request that we delete some or all of your personal data from our systems (Clause 7 of Article 14, 152-FZ).

Right to block personal data: if the data are incomplete, outdated, inaccurate, illegally obtained or do not correspond to the purpose of processing, you can ask us to limit or stop processing your personal data ((Clause 1 of Article 21, 152-FZ).

Right to establish prohibitions on distribution: you may prohibit the transfer or processing of personal data by an unlimited number of persons (Clause 9 of Article 10.1, 152-FZ). Information on the prohibitions is available on the Company's website.

Right to stop the transfer: you may prohibit the distribution, provision or access to personal data permitted for distribution (Article 10.1, 152-FZ).

Right to stop processing for the purposes of political solicitation and promotion of goods, work and services: you may ask us to stop processing your personal data aimed at promoting goods, work and services on the market through direct contacts with a potential consumer, as well as at political solicitation (Clause 2 of Article 15, 152-FZ).

Right to revoke consent to personal data processing: if we process your personal data based on the consent you gave us when we received your personal data, you have the right to revoke your consent at any time (Clause 5 of Article 21, 152-FZ). You can withdraw your consent by contacting the Company at the address dataprivacy@kept.ru and indicating the purpose for which your contact details were provided to us.

Right to file a complaint: if you believe that the Company violates the requirements of applicable personal data legislation, you can file a complaint with the supervisory authority (Article 17, 152-FZ ).

You may exercise your right by making a personal visit to the Company or by contacting the Personal Data Privacy Officer at dataprivacy@kept.ru. For our part, we will make every reasonable and feasible effort to fulfill your request, provided that it does not contradict applicable law.

We shall confirm the receipt of your email within 10 business days and take steps to resolve your problem. We shall make amendments within 7 working days if your personal data are incomplete, inaccurate or outdated; we shall provide you with information regarding the processing of your personal data within business days.

Return to sections

8. Rights and obligations of the Company

The Personal Data Legislation of the Russian Federation imposes certain obligations on the Company and grants rights.

For example, the Company has the right to entrust the processing of personal data to another party, but is obligated to take the necessary legal, organizational and technical measures to protect the personal data when transferring it to a third party.

When processing personal data, the Company has the following rights and obligations.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

The Company may:

• process personal data of a personal data subject in accordance with the stated purpose;
• demand that the personal data subject provides reliable personal data necessary for the performance of the contract, provision of services, identification of the personal data subject, and in other cases stipulated by the Personal Data Legislation;
• restrict the access of the personal data subject to his/her personal data if personal data are processed in accordance with the law on anti-money laundering and combating the financing of terrorism, the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties, as well as in other cases stipulated by the laws of the Russian Federation;
• process personal data that are subject to publication or mandatory disclosure in accordance with Russian laws;
• entrust the processing of personal data to another party with the consent of the personal data subject;
• process publicly available personal data of individuals subject to legal grounds.

The Company undertakes to:

• post the Personal Data Processing Policy on the Company’s website;
• notify Roskomnadzor in the event of the fact of unlawful or accidental transfer (provision, distribution, access) of personal data, which led to a violation of the rights of personal data subjects;
• take the necessary legal, organizational and technical measures to protect personal data;
• ensure compliance with the rights of a personal data subject stipulated in section 7 of this Policy;
• refrain from disclosing or distributing personal data without the consent of a personal data subject, unless otherwise is stipulated by Russian laws;
• when collecting personal data, ensure the recording, systematization, accumulation, storage, revision (update, amendment), retrieval of personal data of Russian citizens using databases located in the Russian Federation;
• explain to a personal data subject the legal consequences of the refusal to provide personal data or give consent to their processing;
• send to Roskomnadzor all necessary information on changes in the purposes and methods of personal data processing, as well as in the event of a request from Roskomnadzor.

9. Personal data protection

The Company recognizes the importance of and need for the personal data protection and encourages continuous improvement of the system for protecting personal data processed as part of the Company's core business.

The Company has adopted and implements measures to protect personal data from loss, unauthorized use, modification or deletion. For our part, we do everything possible to ensure that access to your personal data is provided only to those persons who need it to perform their duties, and who, in turn, are required to maintain their confidentiality.

You can study this section in more detail below or return to the table of contents to review other sections of the Policy.

Return to sections

To protect your personal data, we have taken the following measures:

• appointed a Personal Data Privacy Officer;
• issued documents defining the Company’s personal data processing policy and in-house personal data processing regulations;
• took legal, organizational and technical measures to ensure the security of personal data, in particular: adopted procedures, regulations detailing the procedure for processing personal data at the Company; assessed threats to the security of personal data, in accordance with which necessary technical measures were taken (access control, anti-virus protection, protection of network resources, backup, etc.);
• perform internal control over the compliance of personal data processing with legislation, personal data protection requirements, the Company’s Personal Data Processing Policy, and the Company’s internal regulations;
• assess the damage that may be caused to personal data subjects in the event of a violation of legal requirements, and take security measures in accordance with the identified damage;
• familiarized the Company's employees directly involved in personal data processing with the provisions of the Personal Data Legislation of the Russian Federation;
• arrange for the acceptance and processing of applications and requests from personal data subjects or their representatives, and exercise control over the acceptance and processing of such applications and requests;
• take other measures to ensure the security of personal data.

In case of personal data leakage, the Company shall take all measures prescribed by applicable legislation in the area of personal data processing and security.

Return to sections

10. Audit and monitoring of personal data processing and security

The procedure and frequency of the audit of personal data processing processes and monitoring of the functioning of implemented personal data protection procedures at the Company shall be determined by the Personal Data Privacy Officer based on the need for such activity.

The Personal Data Privacy Officer monitors compliance with applicable legislation on personal data processing and security, ensures the awareness of employees involved in personal data processing processes.

Return to sections

11. Contacts

The Company considers it its duty to protect the integrity of your personal data.

If you have any questions or comments regarding our work with your personal data, please contact the Personal Data Privacy Officer at dataprivacy@kept.ru. You can also use this address to report any issues related to our compliance with this Policy.

Return to sections

12. Terms and definitions

The following terms and definitions are used in the Policy:

Automated processing of personal data shall mean processing of personal data using computer equipment.

Security of personal data shall mean the state of protection of personal data from illegal actions that is characterized by the ability of users, technical means and information systems to ensure the confidentiality, integrity and accessibility of personal data during their processing, regardless of the form of their presentation.

Blocking of personal data shall mean temporary suspension of processing of personal data (except in cases where processing is necessary to clarify personal data).

Whistleblower shall mean a person who submits an incident report using the Hotline service.

Personal data information system shall mean a set of personal data contained in databases, and information technologies and technical means that ensure their processing.

Incident shall mean a circumstance related to a wrongful act/omission of the Company or its representatives, about which the Whistleblower can report to the Company:

• fraud and misconduct;
• theft;
• violations of antimonopoly laws;
• conflicts of interest;
• corruption and bribery;
• discrimination and harassment;
• unsafe work environment;
• violations of the Company’s internal policies;
• other violations of applicable laws.

The Hotline Service is not an emergency service, 112 service. Reporting of such circumstances shall not be deemed an Incident for the purpose of this Policy.

The Company shall mean: JSC “Kept” (34A Leningradsky Prospekt, Moscow, 125040), “Kept Tax and Advisory” LLC (134A Leningradsky Prospekt, Moscow, 125040), “Kept Digital Products” LLC (34A Leningradsky Prospekt, Moscow, 125040), “Kept Verification” LLC (34A Leningradsky Prospekt, Moscow, 125040).

Confidentiality of personal data shall mean a mandatory requirement for the Company or another party that has gained access to personal data to prevent their disclosure to third parties or dissemination in the absence of the consent of the personal data subject or other legal grounds.

Processing of personal data shall mean any action (operation) or series of actions (operations) with personal data performed with or without automation means including collection, recording, classification, accumulation, storage, revisions (updates, amendments), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Personal data operator shall mean a person who, independently or together with other parties, organizes and/or performs personal data processing and determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

Personal data shall mean any information related to a directly or indirectly identified or identifiable natural person (personal data subject).

Provision of personal data shall mean actions aimed at disclosing personal data to a certain person or a certain group of persons.

Distribution of personal data shall mean actions aimed at disclosing personal data to an indefinite number of persons.

Personal data subjects shall mean employees of the Company and other categories of personal data subjects specified in the in-house regulatory documents of each Company whose personal data are processed by the Company.

Incident report shall mean information provided to the Company by the Whistleblower who becomes aware of inappropriate conduct of the Company or its representatives.

Special categories of personal data shall mean personal data concerning race, nationality, political views, religious or philosophical beliefs, health status, intimate life.

Cross-border transfer of personal data shall mean the transfer of personal data into the territory of a foreign state to a government body of a foreign state, a foreign individual or a foreign legal entity.

Destruction of personal data shall mean actions that make it impossible to restore the content of personal data in the personal data information system and/or as a result of which physical media of personal data are destroyed.

Return to sections

¹The Company may periodically amend this Policy to reflect the current procedure for processing personal data. Each time amendments are made, the date of the new version shall be indicated at the top of this page. To find out exactly how the Company protects your personal information, we recommend that you regularly review this Policy to find and study new provisions.

²Kept in Belarus shall mean Kept LLC (49 Platonova Street, premises 26-7, Minsk, Republic of Belarus, 220012), Kept Advisory LLC (49 Platonova Street, premises 26-4, Minsk, Republic of Belarus, 220012), companies incorporated under the laws of the Republic of Belarus. The companies listed above are separate and independent legal entities and should be considered separately for the purposes of this Policy.