TERMS AND ACCEPTED ABBREVIATIONS
Personal data (PD) – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).
Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Operator – a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons.
Providing personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons.
Blocking of personal data – temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data).
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed.
Depersonalization of personal data – actions as a result of which it becomes impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.
Automated processing of personal data – processing of personal data using computer technology.
Personal data information system (PDIS) – a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Client – an individual who performs any actions on the site, and is also a consumer of products and services of PTM LLC, regardless of the use of the Internet.
1. GENERAL PROVISIONS
1.1. This Policy for the processing and protection of personal data of the limited liability company “Platform Third Opinion” (“PTM”) (hereinafter referred to as the “Policy”) is drawn up in accordance with Article 18.1 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (as amended) and is the fundamental internal regulatory document of PTM LLC (hereinafter referred to as the “Company” or “Operator”), defining the key directions of its activities in the field of processing and protection of personal data (hereinafter referred to as “PD”), the operator of which is the Company.
1.2. The policy was developed in order to implement the requirements of the legislation of the Russian Federation in the field of processing and protection of personal data and is aimed at ensuring the protection of the rights and freedoms of an individual and citizen when processing his personal data in the Company, including the protection of rights to privacy, personal, family and medical secrets.
1.3. The provisions of the Policy apply to relations for the processing and protection of PD received by the Company both before and after approval of the Policy, except for cases where, for reasons of legal, organizational and other nature, the provisions of the Policy cannot be extended to relations for the processing and protection of PD received before its approval.
1.4. Processing of personal data in the Company is carried out in connection with the performance by the Company of the functions provided for by its constituent documents and determined by:
- Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;
- Federal Law of November 21, 2011 No. 323-FZ “On the fundamentals of protecting the health of citizens in the Russian Federation”;
- Labor Code of the Russian Federation;
- Government Decree No. 687 of September 15, 2008 “On approval of the Regulations on the specifics of processing personal data carried out without the use of automation tools”;
- Government Decree No. 1119 dated November 1, 2012 “On approval of requirements for the protection of personal data during their processing in personal data information systems”;
- Order of the FSTEC of Russia dated February 18, 2013 No. 21 “On approval of the composition and content of organizational and technical measures to ensure the security of personal data when processed in personal data information systems”;
- Order of Roskomnadzor dated September 5, 2013 No. 996 “On approval of requirements and methods for anonymization of personal data”;
- Order of the Ministry of Labor of the Russian Federation dated October 5, 2020 No. 695n “On identifying threats to the security of personal data that are relevant when processing personal data in personal data information systems operated in areas of activity, the legal regulation of which is carried out by the Ministry of Labor and Social Protection of the Russian Federation”;
- Decree of the President of the Russian Federation dated March 6, 1997 No. 188 “On approval of the List of confidential information”;
- Decree of the Government of the Russian Federation of July 6, 2008 No. 512 “On approval of requirements for tangible media of biometric personal data and technologies for storing such data outside personal data information systems”;
- other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies.
1.5. The current edition is stored at the location of the Company at the address: 121205, Moscow, territory of the Skolkovo Innovation Center, st. Nobelya, 7, floor 2, room No. 37, workplace No. 2, electronic version of the Policy – on the Company’s website https://thirdopinion.ai/
1.6. Personal data is processed with or without automation.
1.7. The Company is obliged to notify the authorized body for the protection of the rights of personal data subjects about its intention to process personal data.
1.8. The General Director of the Company has been appointed responsible for the processing and protection of personal data in the Company, in accordance with paragraph 1 of Article 18.1 of Law No. 152-FZ.
1.9. With the written consent of employees and clients, their personal data may be posted on the Company’s website.
1.10. The Company has the right to make changes to this Policy. When changes are made, the date of the last update of the edition is indicated in the title of the Policy.
2. PRINCIPLES FOR ENSURING THE SECURITY OF PERSONAL DATA
2.1. The main task of ensuring the security of personal data during their processing in the Company is to prevent unauthorized access to it by third parties, and to prevent deliberate software, hardware and other influences aimed at stealing, destroying or distorting personal data during processing.
2.2. The Company, being an operator of personal data, processes personal data of clients who have entered into contracts with the Company, employees of the Company's counterparties, as well as employees of the Company.
2.3. To ensure the security of personal data, the Company is guided by the following principles:
- Legality: protection of personal data is based on the provisions of regulatory legal acts and methodological documents of authorized government bodies in the field of processing and protection of personal data;
- Systematicity: PD processing in the Company is carried out taking into account all interconnected, interacting and time-varying elements, conditions and factors that are significant for understanding and solving the problem of ensuring PD security;
- Comprehensiveness: personal data protection is built using the functionality of information technologies implemented in the Company’s information systems and other systems and means of protection available in the Company;
- Continuity: PD protection is ensured at all stages of their processing and in all modes of operation of PD processing systems, including during repair and routine maintenance;
- Timeliness: measures to ensure an adequate level of PD security are taken before the start of their processing;
- Continuity and ongoing improvement: modernization and expansion of measures and means of protecting personal data is carried out based on the results of an analysis of the practice of processing personal data in the Company, taking into account the identification of new ways and means of implementing threats to the security of personal data, and domestic and foreign experience in the field of information protection;
- Personal responsibility: responsibility for ensuring the security of personal data rests with employees within the limits of their duties related to the processing and protection of personal data;
- Minimization of access rights: access to personal data is provided to employees only to the extent necessary to perform their job duties;
- Flexibility: ensuring the fulfillment of personal data protection functions when the characteristics of the functioning of the Company’s personal data information systems, as well as the volume and composition of processed personal data change;
- Specialization and professionalism: the implementation of measures to ensure the security of personal data is carried out by employees who have the necessary qualifications and experience;
- Efficiency of personnel selection procedures: the Company’s personnel policy provides for careful selection of personnel and motivation of employees, allowing to eliminate or minimize the possibility of them violating the security of personal data;
- Observability and transparency: measures to ensure the security of personal data must be planned so that the results of their application are clearly observable (transparent) and can be assessed by those exercising control;
- Continuity of monitoring and evaluation: procedures for continuous monitoring of the use of PD processing and protection systems are established, and the results of monitoring are regularly analyzed.
2.4. The Company does not process personal data in a manner incompatible with the purposes of their collection. Unless otherwise provided by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” upon completion of PD processing in the Company, including when the goals of their processing are achieved or the need to achieve these goals no longer exists, the PD processed by the Company is destroyed or anonymized.
2.5. When processing personal data, their accuracy, sufficiency, and, if necessary, relevance in relation to the purposes of processing are ensured. The Company takes the necessary measures to delete or clarify incomplete or inaccurate PD.
3. PROCESSING OF PERSONAL DATA
3.1. Receiving PD:
3.1.1. All personal data should be obtained from the subject of the personal data. If the subject’s PD can only be obtained from a third party, then the PD subject must be notified of this and written consent must be obtained from him.
3.1.2. The Company must inform the PD subject about the purposes, intended sources and methods of obtaining PD, the nature of the PD to be received, the list of actions with PD, the period during which the consent is valid and the procedure for its revocation, as well as the consequences of the refusal of the PD subject to give written consent to their receipt.
3.1.3. Documents containing personal data are created by:
- Copies of original documents (passport, education document, TIN certificate, pension certificate, etc.);
- Entering information into accounting forms;
- Obtaining originals of the necessary documents (work book, medical report, characteristics, etc.).
3.2. PD processing:
3.2.1. Processing of personal data is carried out:
- With the consent of the subject of personal data to the processing of his personal data;
- In cases where the processing of personal data is necessary for the implementation and fulfillment of the functions, powers and responsibilities assigned by the legislation of the Russian Federation;
- In cases where the personal data being processed is data to which access for an unlimited number of persons has been provided by the subject of personal data or at his request (hereinafter referred to as “Personal data made publicly available by the subject of personal data”).
Employees' access to processed personal data is provided in accordance with their job responsibilities, the requirements of the Company's internal documents and is regulated by order of the General Director of the Company.
Employees admitted to PD processing, upon signature, familiarize themselves with the Company's documents establishing the procedure for PD processing, including documents establishing the rights and obligations of specific employees.
The Company eliminates identified violations of legislation on the processing and protection of personal data.
3.2.2. Purposes of PD processing:
The Company collects and further processes personal data for the following purposes:
- Implementation of remote interaction of the Company with clients and other interested parties within the framework of service and information services through the use of telephone communications, instant messaging services, IP telephony, e-mail;
- Implementation of remote interaction of the Company with clients and other interested parties through the Company’s website on the Internet;
- Organizing and conducting events aimed at increasing awareness and loyalty towards the Company, as well as promoting the Company’s services;
- Conducting tenders, conducting contractual work not related to the main activities of the Company, within the framework of the emergence, change and termination of legal relations between the Company and third parties, as well as execution of powers of attorney to represent the interests of the Company;
- Participation of the Company in civil, arbitration, criminal, administrative processes and execution of judicial acts;
- Traffic analysis and optimization of the Company’s website.
3.2.3. Categories of personal data subjects.
The Company collects and further processes personal data of the following categories of personal data subjects:
- Current clients of the Company;
- Potential clients of the Company;
- Family members and other relatives of current and potential clients of the Company;
- Representatives (by force of law and by proxy) of actual and potential clients of the Company;
- Employees and representatives of third-party medical organizations;
- Employees and representatives of the Company’s current counterparties (legal entities), including insurance and assistance companies;
- Persons who are applicants for vacant positions in the Company;
- Current and potential counterparties of the Company (individuals);
- Employees and representatives of the Company’s current and potential counterparties (legal entities);
- Visitors to private and public events organized by the Company;
- Employees of legal entities and individuals representing the interests of the Company;
- Persons participating in civil, arbitration, criminal, administrative processes and enforcement proceedings (of which the Company is a participant);
- Visitors to the premises, buildings and territory of the Company;
- Visitors to the Company’s website https://thirdopinion.ai/
3.2.4. PD processed by the Company:
- Received during the implementation of civil law relations;
- Obtained during the implementation of medical activities;
- Received from advertising and marketing companies, etc.
3.2.5. The Company has established the following conditions for terminating the processing of personal data:
- Achieving the goals of processing personal data and the maximum storage periods for personal data established by the legislation of the Russian Federation;
- Loss of the need to achieve the purposes of processing personal data;
- Submission by the subject of personal data or his legal representative of documented information that the personal data was illegally obtained or is not necessary for the stated purpose of processing;
- Inability to ensure the legality of processing personal data;
- Revocation by the subject of personal data of consent to the processing of personal data, if the preservation of personal data is no longer required for the purposes of processing personal data;
- Revocation by the subject of personal data of consent to the placement of personal data in a publicly accessible source;
- Expiration of the statute of limitations for legal relations within the framework of which personal data is or has been processed.
3.3. Personal data is processed:
- Using automation tools;
- Without the use of automation tools.
3.4. PD storage:
3.4.1. Subjects' personal data can be received, undergo further processing and transferred for storage both on paper and in electronic form.
3.4.2. PD recorded on paper is stored in locked cabinets or in locked rooms with limited access rights.
3.4.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders (tabs).
3.4.4. It is not allowed to store and place documents containing personal data in open electronic catalogs (file sharing services) in the personal data information system (PDIS).
3.4.5. PD is stored in a form that makes it possible to identify the PD subject for no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in the event of the loss of the need to achieve them.
3.5. Destruction of PD:
3.5.1. The destruction of documents (media) containing personal data is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. A shredder can be used to destroy paper documents.
3.5.2. PD on electronic media is destroyed by erasing or formatting the media.
3.6. Transfer of PD:
3.6.1. The Company transfers PD to third parties if the PD subject has expressed his consent to such actions or the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.
4. PROTECTION OF PERSONAL DATA
4.1. The main PD protection measures used by the Company are:
4.1.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, internal control over compliance by the Company and its employees with the requirements for the protection of personal data;
4.1.2. Identification of current threats to the security of personal data during their processing and development of measures to protect personal data;
4.1.3. Development of a policy regarding the processing of personal data;
4.1.4. Establishing rules for access to personal data, as well as ensuring registration and accounting of all actions performed with personal data;
4.1.5. Application of information security means that have passed the compliance assessment procedure in accordance with the established procedure, accounting for computer storage media of personal data, ensuring their safety;
4.1.6. Certified anti-virus software with regularly updated databases;
4.1.7. Certified software for protecting information from unauthorized access;
4.1.8. Certified firewalls and intrusion detection tools;
4.1.9. Compliance with conditions that ensure the safety of personal data and exclude unauthorized access to them, assessment of the effectiveness of measures taken and implemented to ensure the security of personal data;
4.1.10. Establishing rules for access to processed personal data, ensuring registration and accounting of actions performed with personal data, as well as detecting facts of unauthorized access to personal data and taking measures;
4.1.11. Restoration of personal data modified or destroyed due to unauthorized access to them;
4.1.12. Training of the Company's employees directly involved in the processing of personal data, the provisions of the legislation of the Russian Federation on personal data, including requirements for the protection of personal data, documents defining the Company's policy regarding the processing of personal data, local regulations on the processing of personal data;
4.1.13. Implementation of internal control and audit;
4.1.14. The Company's employees directly involved in the processing of personal data must be familiarized with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, this Policy and amendments to it (if any), before starting work.
5. BASIC RIGHTS OF THE PD SUBJECT AND OBLIGATIONS OF THE COMPANY
5.1. Basic rights of the PD subject:
5.1.1. The PD subject has the right to receive information regarding the processing of his PD, including containing:
- Confirmation of the fact of processing of PD by the Company;
- Legal grounds and purposes of PD processing;
- Goals and methods of processing personal data used by the Company;
- Name and location of the Company, information about persons (except for the Company’s employees) who have access to PD or to whom PD may be disclosed on the basis of an agreement with the Company or on the basis of the relevant Federal Law;
- Processed PD related to the relevant PD subject, the source of their receipt, unless a different procedure for presenting such data is provided for by the relevant Federal Law;
- Terms of processing of PD, including periods of their storage;
- The procedure for the exercise by the subject of personal data of the rights provided for by the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ;
- Information on the completed or intended cross-border transfer of data;
- Name or surname, first name, patronymic and address of the person processing personal data on behalf of the Company, if the processing has been or will be assigned to such a person;
- Other information provided for by the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ or other Federal laws.
5.1.2. The PD subject has the right to demand from the Company that his PD be clarified, blocked or destroyed if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect his rights.
5.2. Responsibilities of the Company:
5.2.1. The Company is obliged:
- When collecting personal data, provide information to the subject about the processing of his personal data;
- In cases where the PD was not received from the subject of the PD, notify the subject;
- In case of refusal to provide PD, explain the consequences of such refusal to the subject;
- Publish or otherwise provide unrestricted access to a document defining its policy regarding the processing of personal data, to information about the implemented requirements for the protection of personal data;
- Take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
- Provide responses to requests and appeals from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects;
- Do not disclose the subject’s personal data to a third party without the written consent of the subject, except in cases where this is necessary in order to prevent a threat to the life and health of the employee, as well as in other cases provided for by the Labor Code or other Federal laws of the Russian Federation;
- Do not disclose the personal data of the personal data subject for commercial purposes without his written consent;
- Warn persons receiving the personal data of the subject of the personal data that this data can only be used for the purposes for which they were communicated, and require confirmation from these persons that this rule is observed;
- Allow access to the personal data of the personal data subject only to specially authorized persons, while these persons should have the right to receive only those personal data of the personal data subject that are necessary to perform specific functions.
6. LIABILITY FOR VIOLATION OF STANDARDS GOVERNING THE PROCESSING AND PROTECTION OF PERSONAL DATA
6.1. Persons guilty of violating the provisions of the legislation of the Russian Federation in the field of personal data when processing personal data of personal data subjects are brought to disciplinary and financial liability in the manner established by the Labor Code and other federal laws, and are also brought to civil, administrative and criminal liability in the manner established by the Federal laws of the Russian Federation.
7. COLLECTION OF PERSONAL DATA USING THE COMPANY WEBSITE
7.1. The Company’s website uses “cookies” and collects the following information about visitors in order to improve the operation of the site: visitor’s IP address, date and time of site visit, browser and operating system types, type and model of mobile device.
7.2. When using electronic services and providing personal information through the Company’s website, the user’s information will not be used by the Company for any other purposes other than satisfying his specific needs.
7.3. By using the site and/or providing the Company with their PD, the site user (PD subject) agrees to the processing of his personal data under the conditions provided for in this Policy.
7.4. In case of disagreement with this Policy, the user should not use this site and provide the Company with his personal data.