Scroll to main content.

Regulation on Personal Data Processing and Protection

APPROVED

by Order of the General Director

of OOO "EVRO FUDS" (LLC "EURO FOODS")

dated 16 February 2026 No. 12

REGULATION on the processing and protection of personal data in OOO "EVRO FUDS"

This is a courtesy translation. In the event of any discrepancy, the Russian version of this document shall prevail.

Khimki, Moscow Region

1. GENERAL PROVISIONS

1.1. This Regulation on the Processing and Protection of Personal Data (hereinafter referred to as the "Regulation") has been developed in accordance with the Constitution of the Russian Federation, the Labour Code of the Russian Federation, the Civil Code of the Russian Federation, Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" dated 27.07.2006, Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006 (hereinafter referred to as the "Personal Data Law"), Decree of the Government of the Russian Federation No. 1119 "On the Approval of Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems" dated 01.11.2012, as well as other regulatory legal acts governing relations in the field of personal data.

1.2. This Regulation is an internal regulatory act of OOO "EVRO FUDS" (hereinafter referred to as the "Company" or the "Operator") that establishes:

- the procedure and conditions for the processing of personal data of the Company's employees and other personal data subjects (customers, counterparties, website visitors);

- the rights and obligations of the Company in the processing of personal data;

- the rights of personal data subjects;

- the list of measures aimed at ensuring the security of personal data during their processing;

- the procedure for responding to incidents involving breaches of personal data security.

1.3. This Regulation applies to all employees of the Company (both those in an employment relationship and those not in an employment relationship, for example, job applicants), as well as to persons whose personal data are processed by the Company within the framework of contractual and other civil-law relations (customers, clients, suppliers, contractors, website visitors).

1.4. In all cases not governed by this Regulation, the Company shall be guided by the applicable legislation of the Russian Federation in the field of personal data.

This Regulation shall be effective to the extent that it does not contradict the legislation of the Russian Federation. In the event of changes to the legislation of the Russian Federation, the provisions of the Regulation shall apply in accordance with the new rules until the Regulation is brought into compliance with them.

2. KEY TERMS AND COMPOSITION OF PERSONAL DATA

2.1. For the purposes of this Regulation, the following key terms are used:

Personal data (PD)- any information relating to a directly or indirectly identified or identifiable natural person (personal data subject);

Operator- OOO "EVRO FUDS", which, independently or jointly with other persons, organises and carries out the processing of personal data;

Processing of personal data- any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematisation, accumulation, storage, updating (renewal, modification), retrieval, use, transfer (dissemination, provision, access), depersonalisation, blocking, deletion and destruction;

Personal data information system (PDIS)- the totality of personal data contained in databases and the information technologies and technical means ensuring their processing;

Cross-border transfer — the transfer of personal data to the territory of a foreign state, to an authority of a foreign state, to a foreign natural person or to a foreign legal entity;

Depersonalisation of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine that personal data belong to a specific personal data subject.

2.2. The Operator shall approve, by a separate administrative act, the List of personal data information systems processed within the Company, indicating their categorisation and level of protection.

2.3. Composition of the personal data of employees and job applicants:

- surname, first name, patronymic;

- date and place of birth;

- passport details (series, number, issuing authority and date of issue);

- registered address and actual residential address;

- information on education, qualifications and professional training;

- information on employment history (length of service, previous places of work, military registration);

- contact telephone numbers, e-mail address;

- information on marital status and children;

- information on income and tax deductions;

- other data provided by the employee in accordance with the requirements of labour legislation.

2.4. Composition of the personal data of counterparties (natural persons and representatives of legal entities):

- surname, first name, patronymic;

- passport details (for concluding contracts with self-employed persons/natural persons);

- INN, SNILS (for accounting reporting purposes);

- position;

- contact telephone numbers, e-mail addresses;

- bank details of the natural person.

2.5. Composition of the personal data of customers and website visitors (including persons submitting reviews):

- surname, first name, patronymic (if available);

- contact telephone number;

- e-mail address;

- content of the enquiry (text of the review, question, complaint or suggestion);

- other data specified by the subject in the enquiry.

2.6. The processing of biometric personal data (photographs used for identification, for example, for access control purposes) shall be carried out only with the separate written consent of the subject, except in cases provided for by the legislation of the Russian Federation. Photographs used in employees' personal files (for internal record-keeping) do not constitute biometric data, provided that they are not used for identification in an automated mode.

3. PURPOSES OF THE COLLECTION AND PROCESSING OF PERSONAL DATA

3.1. The processing of employees' personal data is carried out exclusively for the purposes of:

- ensuring compliance with laws and other regulatory legal acts;

- assisting employees in employment, training and career advancement;

- ensuring the personal safety of employees;

- monitoring the quantity and quality of work performed;

- ensuring the safekeeping of property;

- maintaining personnel and accounting records;

- calculating and paying taxes and insurance contributions;

- completing and submitting the required reports to supervisory authorities.

3.2. The processing of the personal data of counterparties (including representatives of legal entities) is carried out for the purposes of:

- concluding and performing civil-law contracts;

- maintaining accounting records;

- complying with the requirements of tax legislation (issuing invoices and acts, making payments);

- communicating with the counterparty in the course of the performance of obligations.

3.3. The processing of the personal data of customers and website visitors is carried out for the purposes of:

- providing feedback to the consumer (responding to a review, question, complaint or claim);

- providing consultations on the Company's products and services;

- improving the quality of the Company's products and service (feedback analysis);

- conducting statistical and marketing research (in depersonalised form);

- providing information about goods, services and promotions (subject to separate consent to receive advertising mailings).

4. LEGAL GROUNDS FOR THE PROCESSING OF PERSONAL DATA

4.1. The legal grounds for the processing of personal data are the totality of regulatory legal acts pursuant to and in accordance with which the Operator processes personal data: the Constitution of the Russian Federation; the Labour Code of the Russian Federation; the Civil Code of the Russian Federation; the Tax Code of the Russian Federation; Federal Law No. 402-FZ "On Accounting" dated 06.12.2011; Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006.

4.2. The legal grounds for the processing of personal data also include:

- the Charter of OOO "EVRO FUDS";

- contracts concluded between the Operator and personal data subjects;

- consents of personal data subjects to the processing of their personal data.

5. PROCEDURE AND CONDITIONS FOR THE PROCESSING OF PERSONAL DATA

5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of personal data is carried out with the consent of personal data subjects, unless otherwise provided for by the legislation of the Russian Federation.

5.3. The Operator carries out both automated and non-automated processing of personal data.

5.4. Only those employees of the Company whose job duties include the processing of personal data are permitted to process personal data. The list of such positions is approved by a separate order of the General Director.

5.5. The Operator does not disclose personal data to third parties without the consent of the subject, except in cases provided for by federal law (transfer to the Pension Fund of the Russian Federation, the Federal Tax Service, upon request of a court, the Ministry of Internal Affairs, etc.).

5.6. The transfer of personal data by the Operator to third parties (hosting providers, telecommunications operators, courier services) is carried out on the basis of contracts containing a provision on maintaining the confidentiality of personal data and complying with the requirements of Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006, as well as the obligation of third parties to notify the Operator of any security incidents that come to their knowledge.

5.7. The Operator does not carry out cross-border transfers of personal data. The Operator ensures that all persons engaged in the processing of personal data (including hosting providers, telecommunications operators, developers and service organisations) carry out processing within the territory of the Russian Federation using servers located within the territory of the Russian Federation. The Operator does not place personal data on foreign cloud platforms and services, unless otherwise provided for by a separate agreement with the personal data subject.

6. STORAGE OF PERSONAL DATA

6.1. The personal data of subjects are processed and stored for no longer than required by the purposes of processing, unless the storage period is established by federal law or by contract.

- The personal data of employees are stored for the duration of the employment contract and, after its termination, for the retention periods established by the legislation of the Russian Federation on archival matters.

- The personal data of job applicants who are not hired are stored for 3 (three) months from the date of the decision to refuse employment, after which they are subject to destruction, unless otherwise provided for by the applicant's separate consent.

- The personal data of customers and persons who have submitted enquiries (reviews) are stored for 1 (one) year from the date of receipt of the enquiry, unless a different period is established by contract or is required for the performance of obligations, or until the personal data subject withdraws consent, unless a different period is established by contract or is required for the performance of obligations.

- The personal data of counterparties are stored for the duration of the contract and for 5 (five) years after its expiry.

Upon expiry of the specified period, the data are subject to depersonalisation or destruction.

6.2. Documents containing personal data are stored in lockable cabinets (safes) to which access is restricted.

6.3. When personal data are processed in information systems, password-based protection means and antivirus software are used, and data backup is ensured.

6.4. The destruction of documents (media) containing personal data is carried out in a manner that precludes any possibility of unauthorised persons becoming acquainted with them (burning, shredding, erasure).

7. RIGHTS OF PERSONAL DATA SUBJECTS

7.1. A personal data subject has the right to:

- receive complete information about his/her personal data processed by the Operator;

- demand the exclusion or correction of incorrect or incomplete personal data;

- demand that all persons to whom his/her incorrect or incomplete personal data were previously communicated be notified of all changes made thereto;

- appeal against unlawful actions or omissions of the Operator to the authorised body for the protection of the rights of personal data subjects or in court;

- withdraw consent to the processing of personal data.

7.2. In furtherance of the above rights, the Operator is obliged to:

- provide the subject, free of charge, with the opportunity to review his/her personal data;

- make the necessary changes to the personal data upon confirmation of their inaccuracy;

- notify the subject of all changes made;

- cease the processing of personal data upon the subject's withdrawal of consent within a period not exceeding 30 (thirty) days from the date of receipt of the withdrawal, unless otherwise provided for by law.

8. OBLIGATIONS OF THE OPERATOR

8.1. The Operator is obliged to:

- when processing personal data, take the necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, dissemination, as well as from other unlawful actions;

- appoint persons responsible for organising the processing of personal data;

- issue internal regulatory acts on matters relating to the processing of personal data;

- obtain the subject's consent to the processing of personal data, except in cases provided for by law;

- ensure unrestricted access to the Personal Data Processing Policy;

- carry out internal monitoring of the compliance of personal data processing with the requirements of Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006.

9. LIABILITY

9.1. Persons guilty of violating the rules for the collection, processing, storage and protection of personal data shall bear disciplinary, administrative, civil or criminal liability in accordance with the legislation of the Russian Federation.

9.2. Non-pecuniary damage caused to a personal data subject as a result of a violation of his/her rights shall be compensated in accordance with the legislation of the Russian Federation.

10. FINAL PROVISIONS

10.1. This Regulation enters into force on the date of its approval by the General Director and remains in effect until it is revoked or a new Regulation is adopted.

10.2. The Company's employees must be familiarised with this Regulation against signature.

10.3. Amendments and additions to this Regulation are made by order of the General Director.