POLICY

on processing personal data of the website visitors

1. General Provisions

1.1. This Policy regarding the processing of personal data (hereinafter referred to as the "Policy") has been developed in line with clause 2, part 1 of Art. 18.1 of the Federal Law of the Russian Federation "On Personal Data" No. 152-FZ dd July 27, 2006 (hereinafter - the "Law") and determines the position of the legal entity Association "Eurasian Association of Therapists" (OGRN: 1147799014912, TIN: 7725353060, registration address: building 1, 21, Zvezdny Boulevard, Moscow, 129085) and / or its affiliates, (hereinafter - the "Company") in the field of processing and protection of personal data (hereinafter - "Data"), respecting the rights and freedoms of each person and, in particular, the right to privacy, personal and family secrets.

2. Scope

2.1. This Policy applies to the Data received both before and after the moment when this Policy takes effect.

2.2. Understanding the importance and value of the Data, as well as taking care of the observance of the constitutional rights of RF citizens and citizens of other states, the Company ensures reliable protection of the Data.

3. Definitions

3.1. Data is understood as any information relating directly or indirectly to a specific or identifiable natural person (citizen), i.e. such information, in particular, includes: surname, first name, patronymic, e-mail, telephone number, date or place of birth, photograph, profession, education, passport data.

3.2. Data processing means any action (operation) or a set of actions (operations) with Data performed using automation tools and / or without using such tools. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Data.

3.3. Data safety means the Data security against unlawful and / or unauthorized access to them, destruction, alteration, blocking, copying, provision, dissemination of Data, as well as against other illegal actions in relation to the Data.

4. Legal basis and purposes of data processing

4.1. The processing and security of Data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, bylaws, and other federal laws of the Russian Federation that determine the cases and features of the processing of Data, guidelines and methodological documents of the FSTEC of Russia and the FSB (Federal Security Service) of Russia.

4.2. The subjects of the Data processed by the Company are:

• customers - consumers, incl. visitors to the site https://euat.ru, owned by the Company, including for the purpose of placing an order on the Site https://euat.ru with subsequent delivery to the customer, recipients of services;
• members of loyalty bonus programs.

4.3. The company processes the Data of subjects for the following purposes:

• implementation of the functions, powers and duties assigned to the Company by the laws of the Russian Federation in compliance with federal laws, including, but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, the Federal Law No. 27-FZ dd April 01, 1996 On individual (personified) records in the compulsory pension insurance system, Federal Law No. 152-FZ dd 27.07.2006 On Personal Data, Federal Law No. 53 -FZ dd 28.03.1998 On military duty and military service, Federal Law No. 31-FZ dd February 26, 1997 On mobilization training and mobilization in the Russian Federation, Federal Law No. 14-FZ dd February 8, 1998, On limited liability companies, Federal Law No. 2300-1 dd 07.02.1992 On Consumer Rights Protection, Federal Law No. 129-FZ dd 21.11.1996 On Accounting, Federal Law No. 326-FZ dd November 29, 2010 On Compulsory Health Insurance in the Russian Federation;
• Members of loyalty bonus programs in order to:
  1. providing information on goods, promotions, the state of the personal account;
  2. identification of the participant in the loyalty program; ensuring the accounting procedure for the accumulation and use of bonuses;
  3. fulfillment by the Company of obligations under the loyalty program.
• Customers - consumers in order to:
  1. providing information on goods / services, ongoing promotions and special offers;
  2. analysis of the quality of the service provided by the Company and improvement of the quality of customer service of the Company;
  3. informing about the status of the order.

5. Principles and conditions for data processing.

5.1. When processing Data, the Company adheres to the following principles: Data processing is carried out on a legal and fair basis; The Data is not disclosed to third parties and is not disseminated without the consent of the Data subject, except for cases requiring the disclosure of Data at the request of authorized government bodies, legal proceedings; determination of specific legitimate purposes before the start of processing (including collection) of the Data; only those Data are collected that are necessary and sufficient for the said purpose of processing; unification of databases containing Data, the processing of which is carried out for purposes incompatible with each other is not allowed; the processing of the Data is limited to the achievement of specific, predetermined and legitimate purposes; The processed Data are subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.

5.2. The Company may include the Data of subjects in publicly available sources of Data, while the Company takes the subject's written consent to the processing of his/her Data, or by expressing consent through the site form (checkbox), by clicking which the subject of personal data expresses his consent.

5.3. The Company shall not process Data related to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.

5.4. Biometric Data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which is used by the operator to establish the identity of the Data subject) shall not be processed in the Company.

5.5. The Company shall not carry out cross-border transfers of Data.

5.6. In the cases established by the laws of the Russian Federation, the Company has the right to transfer Data to third parties (the federal tax service, the state pension fund and other government bodies) in the cases provided for by the laws of the Russian Federation.

5.7. Persons who process Data on the basis of an agreement concluded with the Company (instructions of the operator) undertake to comply with the principles and rules for the processing and protection of Data provided for by the Law. For each third party, the agreement defines a list of actions (operations) with the Data that will be performed by a third party who processes the Data, the purposes of processing, the obligation of such a person to keep confidential and ensure the security of the Data during their processing is established, the requirements for the protection of the processed Data are specified in compliance with the Law.

5.8. In order to comply with the requirements of the current laws of the Russian Federation and its contractual obligations, the Data processing in the Company is carried out both with and without the use of automation tools. The set of processing operations includes the collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction of Data.

5.9. The Company prohibits making decisions on the basis of exclusively automated processing of the Data that generate legal consequences in relation to the Data subject or otherwise affect his rights and legitimate interests, except as otherwise provided for by the laws of the Russian Federation.

6. Rights and obligations of Data subjects, as well as the Company in terms of data processing

The subject whose Data is processed by the Company has the right to:

- receive from the Company:

• confirmation of the fact of Data processing and information about the availability of Data related to the relevant data subject;
• information about the legal grounds and purposes of data processing;
• information about the data processing methods used by the Company;
• information about the name and location of the Company;
• information about persons (with the exception of the Company employees) who have access to the Data or to whom the Data may be disclosed under a contract with the Company or on the basis of a federal law;
• the list of processed Data related to the data subject and information about the source of obtaining the data, unless a different procedure for providing such Data is provided for by federal law;
• information about the terms and conditions of data processing, including the terms of their storage;
• information on the procedure for the exercise by the subject of these rights provided for by Law;
• name (Full name) and address of the person who processes the Data on behalf of the Company;
• other information provided by the Law or other regulatory legal acts of the Russian Federation.

- demand from the Company:

• clarification of their Data, their blocking or destruction in the event that the Data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;
• revoke the consent to the processing of one’s Data at any time; demand the elimination of the Company's illegal actions in relation to one’s Data;
• appeal against the actions or omissions of the Company to the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (Roskomnadzor) or in court if the data subject believes that the Company processes his Data in violation of the requirements of the Law or otherwise violates his rights and freedoms.

- to protect their rights and legitimate interests, including compensation for damages and / or compensation for non-pecuniary damage in court.

6.2. The Company in the process of Data processing is obliged to:

• provide the data subject, upon request, with information concerning the processing of his\her personal data (PD), or legally refuse to do so within thirty days from the date of receipt of the request by the data subject or its representative;
• explain to the data subject the legal consequences of refusing to provide Data, if the provision of Data is mandatory in compliance with federal law;
• prior to the start of Data processing (if the Data is not received from the data subject), provide the data subject with the following information, except for the cases provided for in part 4 of Article 18 of the Law:
  1) the name or surname, first name, patronymic and address of the Company or its representative;
  2) the purpose of data processing and its legal basis;
  3) intended data users;
  4) the rights of data subjects established by law;
  5) the source of Data acquisition.
• take the necessary legal, organizational and technical measures or ensure that they are taken to protect the Data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of Data, as well as from other illegal actions in relation to the Data;
• publish on the Internet and provide unrestricted access via the Internet to the document defining its data processing policy, to information about the implemented data protection requirements;
• provide the data subjects and / or their representatives, free of charge, with the opportunity to get familiarized with the Data when making a corresponding request within 30 days from the date of receipt of such a request;
• to block the unlawfully processed Data related to the data subject, or to ensure their blocking (if the Data processing is carried out by another person acting on behalf of the Company) from the moment of the request or receipt of the request for the verification period, in case of detection of illegal Data processing when the data subject or his representative or at the request of the data subject or his representative or the authorized body for the protection of the rights of personal data subjects;
• clarify the Data or ensure that it is clarified (if the Data is processed by another person acting on behalf of the Company) within 7 business days from the date of the data submission and unblock the Data, if the fact of inaccuracy of the Data is confirmed on the basis of the information provided by the data subject or his representative;
• stop the illegal Data processing or ensure the termination of the illegal data processing by a person acting on behalf of the Company, in case of detection of illegal data processing carried out by the Company or by a person acting on the basis of a contract with the Company, within a period not exceeding 3 working days from the date of this detection;
• terminate or ensure the termination of Data processing (if the Data processing is carried out by another person acting under a contract with the Company) and destroy the Data or ensure their destruction (if the Data processing is carried out by another person acting under a contract with the Company) after the purpose of data processing is achieved, unless otherwise provided by the contract to which the Data subject is a party, beneficiary or guarantor, if the purpose of data processing is achieved;
• stop processing Data or ensure its termination and destroy the Data or ensure their destruction if the Data subject withdraws consent to data processing, if the Company does not have the right to process the Data without the consent of the data subject;
• keep a log of the requests of PD subjects, which should record the requests of data subjects to receive Data, as well as the facts of providing Data on these requests.

7. Data Protection Requirements

7.1. When processing Data, the Company takes the necessary legal, organizational and technical measures to protect the Data from unauthorized and / or unauthorized access to it, destruction, modification, blocking, copying, provision, distribution of Data, as well as from other illegal actions in relation to the Data.

7.2. Such measures in accordance with the Law, in particular, include:

• appointment of the person responsible for the organization of data processing and the person responsible for ensuring data security;
• development and approval of local acts on data processing and protection issues;
• application of legal, organizational and technical measures to ensure data security:
    ·   identification of data security threats during their processing in personal data information systems;
    ·   application of organizational and technical measures to ensure data security during their processing in personal data information systems, necessary to meet the data protection requirements, the implementation of which ensures the levels of data security established by the Government of the Russian Federation;
    ·   use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
    ·   evaluation of the effectiveness of the measures taken to ensure data security prior to the commissioning of the personal data information system;
    ·   accounting for machine data mediums, if the Data is stored on machine media;
    ·   detecting unauthorized access to Data and taking measures to prevent such incidents in the future;
    ·   recovery of Data modified or destroyed due to unauthorized access to it;
    ·   establishing rules for access to the Data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with the Data in the personal data information system.
• control over the measures taken to ensure data security and the level of security of personal data information systems;
• assessment of the harm that may be caused to data subjects in the event of a violation of the requirements of the Law, the ratio of this harm and the measures taken by the Company to ensure compliance with the obligations provided for by the Law;
• compliance with the conditions that exclude unauthorized access to material data mediums and ensure the safety of Data;
• familiarization of the Company's employees directly engaged in data processing with the provisions of the Russian Federation laws on Data, including the requirements for data protection, local acts on data processing and protection, and training of the Company's employees.

8. Period of data processing (storage)

8.1. The period of data processing (storage) are determined based on the purposes of data processing, in accordance with the validity period of the contract with the data subject, the requirements of federal laws, the requirements of data operators on whose behalf the Company processes Data, the basic rules of the archives of organizations, the statute of limitations.

8.2. The data, which processing (storage) period has expired, must be destroyed, unless otherwise provided by federal law. Data storage after the termination of their processing is allowed only after their depersonalization.

9. Procedure for obtaining clarifications on data processing issues

9.1. Persons whose Data is processed by the Company can obtain explanations on the processing of their Data by contacting the Company in person or by sending a corresponding written request to the address of the Company's location: building 1, 21, Zvezdny Boulevard, Moscow, 129085.

9.2. In the case of sending an official request to the Company, the request text must specify:

• surname, first name, patronymic of the data subject or its representative;
• the No. of the main identity document of the data subject or his\her representative, information about the date of issue of the specified document and the issuing authority;
• information confirming the existence of the data subject's relationship with the Company;
• information for feedback in order to send the Company a response to the request;
• signature of the data subject (or representative). If the request is sent in electronic form, it must be issued in the form of an electronic document and signed with an electronic signature in accordance with the laws of the Russian Federation.

10. Features of processing and protection of Data collected by the Company using the Internet

10.1. The Company processes the Data received from the Site users from the resource: https://euat.ru (hereinafter jointly referred to as the Website), as well as incoming calls to the Company's phone number: +7 (495) 708-42-23, to the Company's email address: office@euat.ru.

10.2. Data Collection

There are two main ways in which a Company obtains Data via the Internet:

10.2.1. Provision Of Data

Data Submission (self-entry):

• surname;
• first name;
• patronymic;
• e-mail;
• phone number;
• date or place of birth;
• photograph;
• profession;
• education;
• passport details.

10.2.2. Data Subjects by sending them to the Company's phone number: +7 (495) 708-42-23, to the Company's e-mail address: office@euat.ru.

10.3. Automatically collected information

The Company may collect and process information that is not personal data:

• information about the interests of users on the Site based on the entered search queries of Site users about the products sold and offered for sale by the Company in order to provide up-to-date information to the Company's customers when using the Site, as well as to summarize and analyze information about which sections of the Site and products are most in demand among the Company's customers;
• processing and storing search queries of Site users for the purpose of summarizing and creating customer statistics on the use of Site sections.

The Company automatically receives certain types of information obtained in the course of user interaction with the Site, e-mail correspondence, etc. These are technologies and services, such as web protocols, cookies, web tags, as well as applications and tools of the specified third party.

At the same time, web tags, cookies and other monitoring technologies do not allow automatically receiving of Data. If the user of the Site provides their Data at their own discretion, for example, when filling out a feedback form or sending an email, only then the processes are automatically launched to collect detailed information for the convenience of using the websites and/or to improve interaction with users.

10.4. Data Usage

The Company has the right to use the provided Data in accordance with the stated purposes of their collection with the consent of the data subject, if such consent is required in accordance with the requirements of the laws of the Russian Federation in the field of Data.

The data obtained in a generalized and depersonalized form can be used to better understand the needs of customers of goods and services sold by the Company and to improve the quality of service.

10.5. Data Transmission

The Company may entrust the processing of Data to third parties only with the consent of the data subject. The Data may also be transferred to third parties in the following cases:

a) As a response to legitimate requests from authorized state bodies, in compliance with laws, court decisions, etc.

b) The Data may not be transferred to third parties for marketing, commercial or other similar purposes, except for cases of obtaining the prior consent of the data subject.

10.6. The Site contains links to other web resources, where there may be useful and interesting information for users of the Site. However, this Policy does not apply to such other sites. Users who click on links to other sites are advised to read the data processing policies posted on such sites.

10.7. The User of the Site can withdraw his\her consent to the processing of Data at any time by sending a message, calling the Company's phone number: +7 (495) 708-42-23, to the Company's email address: office@euat.ru, or by sending a written notice to the Company's address: building 1, 21, Zvezdny Boulevard, Moscow, 129085. After receiving such a message, the processing of the User's Data will be terminated and his Data will be deleted, except in cases where the processing can be continued as per the law. Final Provisions of this Policy is a local regulatory act of the Company. This Policy is publicly available. The general availability of this Policy is ensured by publication on the Company's Website. This Policy may be revised in any of the following cases:

• in case of changes in the laws of the Russian Federation in the field of personal data processing and protection;
• in cases of receiving instructions from the competent government authorities to eliminate inconsistencies affecting the scope of the Policy;
• by decision of the Company's management;
• when changing the goals and period of data processing;
• when changing the organizational structure, the structure of information and / or telecommunications systems (or introducing new ones);
• when using new technologies for data processing and protection (including transmission, storage);
• if there is a need to change the data processing process related to the Company's activities.

In case of non-compliance with the provisions of this Policy, the Company and its employees are liable under the applicable laws of the Russian Federation. Control over the implementation of the requirements of this Policy is carried out by the persons responsible for the organization of the Company's data processing, as well as for the security of personal data.