The Bank’s standpoint towards the processing of personal data

1. GENERAL PROVISIONS
1. This Policy of Home Credit and Finance Bank Limited Liability Company regarding personal data processing (hereinafter referred to as the Policy) defines the principles, procedure and conditions for the processing of Personal Data (hereinafter referred to as PD) of HCF Bank LLC (hereinafter referred to as the Bank), as well as the rights and obligations of employees, customers of the Bank and other subjects/ entities in the field of processing personal data.

2. The Bank has introduced a Document package in the field of standardization of the Bank of Russia “Ensuring the information security of the banking system organization of the Russian Federation” (hereinafter referred to as the BR IBBS Complex), which is binding. 3. The Bank is included in the Register of personal data operators of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications (hereinafter – RC.

2.PERSONAL DATA PROCESSING
1. Purpose of personal data processing.
1. The Bank performs PD processing in order to ensure financial and economic activities, banking operations and other activities provided for by the Bank’s Articles of Association, the License and the current legislation of the Russian Federation, as well as the making and execution of agreements with partners (clients) of the Bank and the implementation of labor relations with employees Bank and natural persons intending to enter into labor relations with the Bank.

2. Categories of processed personal data1. The Bank processes the following PD categories: last name, first name, middle name; year, month, date and place of birth; gender, address; contact telephone number; passport data (data of other identification documents); citizenship; E-mail address; registration data; data contained in the work record book; data of mandatory pension insurance certificate, immigration cards (arrival-departure records) / work permits, TIN and driver’s certificates, military registration documents; data of a document on education, qualifications or the availability of special knowledge; marital status; social status; housing data; property status; education; data on labor activity; income data on financial liabilities; the facts on criminal, civil and administrative liability; health status (information relating to employee’s labor capacity).

2. The Bank does not process personal data of a subject relating to racial, national identity, political views, religious or philosophical convictions, state of health, intimate life.

3. Obtaining Personal Data
1. The bank receives PD directly from the subject when concluding or preparing for the conclusion of the contract. A mandatory annex to the contract is the consent to the processing of personal data.
2. When receiving PD from a subject not within the framework of execution of an agreement one of whose parties being PD subject, the Bank shall request written consent to process the PD from the client.
3. The subject undertakes to provide the Bank with reliable information about it and to inform the Bank in a timely manner of a change in its personal data. The Bank is entitled to verify the accuracy of the information by comparing the data provided by the entity with the data obtained from reliable and legally permitted sources.
4. Storage of personal data of the subject

1. Storage of PD of subjects is carried out in the following ways: on tangible media: on paper; on electronic mobile media; in information systems.
2. Personal data processed in information systems are stored in databases located in data centers.Due to the technological features of the automated banking system used, the Bank performs Cross-border transfer of personal data of certain categories to specialized data centers of the Bank in the Czech Republic, which ratified the Convention for the Protection of the Rights of Natural persons with Automatic Processing of Personal Data of January 28, 1981 (ETS N 108 )
3. Storage of personal data of entities in the structural divisions of the Bank, whose employees have the right to access personal data, is carried out in a manner that excludes third-party access to them.

4. The deadline for storing personal data is determined on the basis of legal requirements (civil, labor, tax, pension, security and law enforcement); limitation period of mutual claims of the Bank and the client, and other regulatory documents.

5. The storage periods for paper tangible personal data carriers are determined in accordance with the term of the contract with the subject of personal data, order of the Federal Archive dated 10/06/2000 “List of typical management documents generated in the activities of organizations, with the indication of storage periods”, Decree of the Federal Commission for the Securities Market of 16.07.2003 N 03 –33 / ps “On approval of the Regulation on procedural terms of storing joint-stock companies’ documents”, the limitation period, as well as other requirements of the laws and regulatory documents of the Bank of Russia.

5. Use of personal data of the subject
1. Bank employees who have access to personal data are required to access personal data regarding the performance of their labor duties. 2. All employees of the Bank, regardless of their duties, are familiarized with rules for processing personal data before processing, against signature. 3. Should an employee need to process personal data to perform labor duties, he is granted access to the appropriate automated banking systems after the approval procedure has been completed.

6. Transfer of personal data of the subject to third parties
1. Transfer of PD of a subject to third parties is carried out only upon the subject’s consent in writing.
2. Transfer of PD of the subject to third parties is carried out when: performing work on the preparation, processing and delivery of mail; performing work on the formation, delivery and confirmation of SMS messages delivery; the Bank’s interaction with credit bureaus to verify the correctness of the data provided and to examine a possibility of making agreement; taking measures to collect debt from natural persons according to the agreements made with the Bank; assignment of claims under contracts made by natural persons with the Bank; other actions within the framework of the execution of contractual relations.
3. The provision of PD of a subject to governmental bodies and other persons upon their request is made in accordance with the requirements of applicable law.

7. Destruction of Personal Data
1. The Bank stops processing the personal data of subjects in a form that allows you to determine the subject of personal data upon achieving the processing goals stated when receiving personal data from the subject, or upon receipt of a written request to terminate the processing and destruction of personal data of the subject, unless otherwise provided by applicable law.

3. PERSONAL DATA PROTECTION ORGANIZATION
1. The Bank ensures the protection of PD of subjects from unlawful use, modification or loss through a set of organizational and technical measures.
2. The purposes of protecting personal data are: preventing unauthorized access to processed personal data; prevention of unauthorized actions for modification, distortion, distribution, blocking, destruction of processed data, protection of constitutional rights of citizens to preserve personal secrets and confidentiality of data processed by the Bank, ensuring confidentiality of processed data.
3. Subject to protection: information on the PD of the subject; documents containing PD of the subject; PD contained on electronic and other tangible media; PD transmitted over communication networks.
4 The requirements for the protection of personal data for personal data information systems are set forth in the document “Requirements for ensuring the personal data security in PD information systems of the RF banking system organizations RS BR IBBS-2.3-2010”. This document is included in the document package in the field of standardization of the Bank of Russia “Ensuring the information security of the RF banking system organizations”, which was accepted for execution by the Bank.

4. RIGHTS AND OBLIGATIONS1. The rights of the subjects of personal data 1. The subject whose PD are processed by the Bank is entitled to get access to and become familiar with his Personal data; require the Bank to clarify, exclude or correct incomplete, incorrect, outdated, unreliable, data or the data illegally obtained or which is not necessary for the stated purpose of processing; receive information on the processing time of their personal data, including the periods of their storage; appeal to the authorized body for the protection of the rights of PD subjects or challenge the illegal actions or inaction of the Bank in the processing and protection of its PD in court; to demand the termination of processing and destruction of PD from the Bank after PD processing purpose is achieved.

2. 2. Requests of PD subjects are accepted only in writing from the PD subjects themselves or their legal representatives. Applications are accepted upon presentation and verification of an identity document or by mail.
3. The request must contain the number of the main document proving the identity of the PD subject or his representative, information on the date of document issue and the issuing authority, information confirming the relationship of the personal data subject with the Bank (contract number, date of contract, word mark and (or) other information), or the information that confirms the personal data processing by the operator, the PD subject’s or its representative’s signature.

2. Rights and obligations of the Bank
1. The Bank as the personal data processor is entitled: to defend its interests in court; to provide personal data of the subjects to third parties, if this is provided for by an agreement with the subject of PD or current legislation (law enforcement agencies, tax authorities, pension insurance bodies, etc.); refuse to provide PD in cases stipulated by law; use the personal data of the subject without his consent, in cases provided by law.
2. In case of withdrawal of consent to the PD processing by the PD subject, the Bank is entitled to continue PD processing without the consent of the PD subject if there are grounds specified in clauses 2–11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law “On personal data.”
3. The grounds for continuing the personal data processing after receiving feedback are: the personal data processing is necessary for the execution of an agreement to which either the beneficiary or guarantor is a subject of personal data; personal data processing is necessary for the implementation and performance of functions, powers and obligations assigned to the Bank by the Russian laws, including the Federal Law dated August 07, 2001 N 115-FZ (FL) “On Counter-acting Legalisation of Money Laundering of Proceeds from Crime, and Terrorist Financing” , which establishes the obligation to identify persons who are being served in the organization. Also, clause 4, article 7 of this Law establishes the obligation to store documents and information necessary for identification, at least 5 years after the termination of relations with the client.
5. RESPONSIBILITY
1. Persons guilty of violating the rules governing the receipt, processing and protection of PD of Subjects bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by the federal laws