Operator's Personal Data Processing Policy (hereinafter — the "Policy")

General Provisions

1..This Policy has been developed in compliance with the requirements of Federal Law No. 152-FZ of 27 July 2006 "On Personal Data" (hereinafter — the Personal Data Law), with the aim of protecting the rights and freedoms of individuals when their personal data is processed, including the right to privacy, personal and family confidentiality.
2..Terms used in this Policy are used in the meaning established by applicable law. Where no specific legal definition exists, the generally accepted interpretation of the term shall apply.
3..This Policy applies to all personal data processed by Obschestvo s ogranichennoy otvetstvenostuyu "SB Proect" (hereinafter — the Operator).
4..This Policy covers personal data processing relationships that arose both before and after the adoption of this Policy.
5..This Policy is published in the public domain on the Operator's website(s) on the Internet.
6..The Operator's principal rights are defined by the Personal Data Law and other regulatory acts. In particular, the Operator is entitled to:
  • independently determine the composition and set of measures necessary and sufficient to fulfil the obligations provided by the Personal Data Law and the regulatory acts adopted thereunder, unless otherwise stipulated by the Personal Data Law or other federal laws;
  • entrust the processing of personal data to another party with the consent of the data subject, unless otherwise provided by federal law, on the basis of a contract concluded with that party;
  • in the event that a data subject withdraws consent to the processing of personal data, continue processing without such consent where grounds specified in the Personal Data Law exist.
7..The Operator's principal obligations are defined by the Personal Data Law and other regulatory acts. In particular, the Operator is obliged to:
  • organise the processing of personal data in accordance with the requirements of the Personal Data Law;
  • respond to requests and enquiries from data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
  • provide the competent authority for the protection of data subjects' rights (the Federal Service for Supervision of Communications, Information Technology and Mass Media — Roskomnadzor) with the necessary information upon request, within the timeframes established by law, or, where no such timeframes are set, within 10 business days from receipt of the relevant request;
  • ensure interaction with the state system for detection, prevention and remediation of the consequences of computer attacks on the information resources of the Russian Federation.
8..The principal rights of data subjects are defined by the Personal Data Law and other regulatory acts. In particular, a data subject is entitled to:
  • receive information regarding the processing of their personal data, in the manner and within the timeframes established by applicable law, or, where no such timeframes or procedures are established by law, in the manner and within the timeframes set by the Operator;
  • request that the Operator clarify, block or destroy their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained or no longer necessary for the stated processing purpose, and to take legally prescribed measures to protect their rights;
  • give prior consent to the processing of personal data for the purposes of promoting goods, works and services on the market;
  • appeal to Roskomnadzor or to a court against unlawful acts or inaction of the Operator in the processing of their personal data.

Purposes of Personal Data Collection
9..The processing of personal data is limited to achieving specific and lawful purposes. Processing that is incompatible with the stated collection purposes is not permitted.
10..The purposes of personal data processing derive from the purposes of the Operator's actual activities, as well as from the purposes set out in the Operator's constituent documents and from the specific business processes carried out within specific personal data information systems (by the Operator's structural divisions and their procedures with respect to particular categories of data subjects).
11..This Policy defines the following purposes for which the Operator processes personal data:
  • Activities related to the organisation of fairs, exhibitions, conferences and congresses, including the preparation, holding and facilitation of data subjects' participation in fairs, exhibitions, conferences, congresses and other business events organised by the Operator;
  • Promotion of goods, works and services on the market;
  • Preparation, conclusion and performance of civil law contracts;
  • Maintaining HR and accounting records;
  • Recruitment of candidates for the Operator's vacant positions;
  • Facilitating introductory, work-based or pre-graduation internships under agreements with educational institutions;
  • Compiling reference materials for the Operator's internal information needs;
  • Ensuring access control to the Operator's premises.

Legal Grounds for Personal Data Processing
12..The legal grounds for personal data processing consist of the body of legal acts pursuant to and in accordance with which the Operator processes personal data, including but not limited to:
  • Federal laws and the regulatory acts adopted thereunder governing relations connected with the Operator's activities;
  • The Operator's constituent documents;
  • Contracts concluded between the Operator and data subjects;
  • Consent to the processing of personal data (in cases not directly provided for by the legislation of the Russian Federation but consistent with the Operator's authority).

Scope and Categories of Personal Data Processed; Categories of Data Subjects
13..The content and scope of personal data processed by the Operator correspond to the processing purposes declared in this Policy. The personal data processed is not excessive in relation to those purposes.
14..For the purpose of activities related to the organisation of fairs, exhibitions, conferences and congresses, including the preparation, holding and facilitation of data subjects' participation in fairs, exhibitions, conferences, congresses and other business events organised by the Operator, the Operator processes the following categories of personal data:
  • Email address
  • Identity document details
  • Identity document details for use outside the Russian Federation
  • Job title
  • Phone number
  • Occupation
  • Educational background
  • Data collected via analytics tools
  • Full name
  • Photo/video image
In respect of the following data subjects:
  • Beneficiaries under contracts
  • Legal representatives
  • Clients
  • Counterparties
  • Website visitors
  • Representatives of counterparties
15..For the purpose of promoting goods, works and services on the market, the Operator processes the following categories of personal data:
  • Email address
  • Voice data
  • Job title
  • Phone number
  • Gender
  • Occupation
  • Educational background
  • Data collected via analytics tools
  • Full name
  • Photo/video image
In respect of the following data subjects:
  • Beneficiaries under contracts
  • Legal representatives
  • Clients
  • Counterparties
  • Website visitors
  • Representatives of counterparties
  • Employees
  • Job applicants
  • Students (higher education)
  • Students (secondary education)
16..For the purpose of preparation, conclusion and performance of civil law contracts, the Operator processes the following categories of personal data:
  • Residential address
  • Registered address
  • Email address
  • Year of birth
  • Citizenship
  • Driving licence details
  • Identity document details
  • Identity document details for use outside the Russian Federation
  • Date of birth
  • Income
  • Financial status
  • TIN (taxpayer identification number)
  • Place of birth
  • Month of birth
  • Personal account number
  • Bank account number
  • Phone number
  • Gender
  • Occupation
  • Bank card details
  • Educational background
  • Marital status
  • Social status
  • Full name
  • SNILS (individual insurance account number)
  • Photo/video image
In respect of the following data subjects:
  • Clients
  • Counterparties
  • Legal representatives
  • Beneficiaries under contracts
  • Representatives of counterparties
17..For the purpose of maintaining HR and accounting records, the Operator processes the following categories of personal data:
  • Full name
  • Date of birth
  • Month of birth
  • Year of birth
  • Identity document details
  • Identity document details for use outside the Russian Federation
  • TIN
  • SNILS
  • Residential address
  • Registered address
  • Phone number
  • Email address
  • Employment history (including length of service, current employment details with the name and bank account number of the organisation), income
  • Educational background
  • Marital status
  • Military service status and military registration details
  • Place of birth
  • Citizenship
  • Gender
  • Birth certificate details
In respect of the following data subjects:
  • Employees
  • Employees' family members
  • Legal representatives
  • Job applicants
  • Students (higher education)
  • Former employees
  • Students (secondary education)
18..For the purpose of recruitment of candidates for the Operator's vacant positions, the Operator processes the following categories of personal data:
  • Residential address
  • Email address
  • Photo/video image
  • Year of birth
  • Citizenship
  • Voice data
  • Date of birth
  • Job title
  • Income
  • Month of birth
  • Phone number
  • Gender
  • Occupation
  • Educational background
  • Employment history (including length of service, current employment details with the name and bank account number of the organisation)
  • Data collected via analytics tools
  • Marital status
  • Social status
  • Full name
In respect of the following data subjects:
  • Website visitors
  • Job applicants
  • Students (secondary education)
  • Students (higher education)
19..For the purpose of facilitating introductory, work-based or pre-graduation internships under agreements with educational institutions, the Operator processes the following categories of personal data:
  • Email address
  • Year of birth
  • Voice data
  • Identity document details
  • Date of birth
  • Identity document details for use outside the Russian Federation
  • Month of birth
  • Phone number
  • Gender
  • Occupation
  • Employment history (including length of service, current employment details with the name and bank account number of the organisation)
  • Educational background
  • Full name
  • Photo/video image
In respect of the following data subjects:
  • Beneficiaries under contracts
  • Job applicants
  • Students (higher education)
  • Students (secondary education)
20..For the purpose of compiling reference materials for the Operator's internal information needs, the Operator processes the following categories of personal data:
  • Residential address
  • Registered address
  • Email address
  • Year of birth
  • Citizenship
  • Driving licence details
  • Birth certificate details
  • Identity document details
  • Identity document details for use outside the Russian Federation
  • Date of birth
  • Job title
  • Place of birth
  • Month of birth
  • Phone number
  • Gender
  • Educational background
  • Marital status
  • Full name
  • Photo/video image
In respect of the following data subjects:
  • Beneficiaries under contracts
  • Legal representatives
  • Employees
  • Employees' family members
21..For the purpose of ensuring access control to the Operator's premises, the Operator processes the following categories of personal data:
  • Job title
  • Full name
In respect of the following data subjects:
  • Employees
  • Job applicants
  • Counterparties
  • Representatives of counterparties
  • Students (higher education)
  • Students (secondary education)
22..The Operator does not process special categories of personal data.

Procedure and Conditions for Processing Personal Data
23..The Operator processes personal data by performing actions (operations) or a set of actions (operations), including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (dissemination, provision, access), anonymisation, blocking, deletion and destruction of personal data.
24..For each processing purpose, the Operator processes personal data using the following methods:
  • Non-automated processing of personal data;
  • Automated processing of personal data with or without transmission via the legal entity's internal network, and with or without transmission via the Internet;
  • Mixed processing of personal data.
25..In pursuit of the personal data processing purposes defined in this Policy, the Operator may entrust the processing of personal data to another party (third party). Such entrustment shall be carried out in compliance with the conditions and procedures established by applicable law.
26..The Operator does not carry out cross-border transfer of personal data.
27..The Operator may transfer personal data to inquiry and investigation authorities and other competent bodies on the grounds provided by applicable law.
28..Disclosure to third parties and dissemination of personal data without the consent of the data subject is not permitted, unless otherwise provided by federal law (cross-border transfer of personal data means the transfer of personal data to a foreign state authority, foreign individual or foreign legal entity in the territory of a foreign state — confidentiality of personal data).
29..The Operator takes the necessary legal, organisational and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, dissemination and other unauthorised actions, including but not limited to:
  • Issuing internal acts on personal data processing, defining for each processing purpose the categories and list of personal data processed, the categories of data subjects whose data is processed, the methods, timeframes for processing and storage, and the procedure for destroying personal data upon achievement of the processing purposes or upon the occurrence of other lawful grounds;
  • Issuing documents defining the Operator's policy regarding personal data processing;
  • Appointing a person responsible for organising personal data processing;
  • Familiarising the Operator's employees directly involved in personal data processing with the provisions of Russian legislation on personal data, including the personal data protection requirements, documents defining the Operator's personal data processing policy, internal acts on personal data processing, and/or providing training to such employees;
  • Applying legal, organisational and technical measures to ensure the security of personal data in accordance with Article 19 of the Federal Law "On Personal Data".
30..The Operator applies the necessary security tools to protect personal data, including but not limited to:
  • Restoration of personal data that has been modified or destroyed as a result of unauthorised access;
  • Detection of unauthorised access to personal data and taking measures, including measures to detect, prevent and remediate the consequences of computer attacks on personal data information systems and to respond to computer incidents within them;
  • Identification of threats to the security of personal data during its processing in personal data information systems;
  • Assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of a personal data information system;
  • Application of information security tools that have undergone the prescribed conformity assessment procedure;
  • Establishing rules for access to personal data processed in a personal data information system, and ensuring the registration and logging of all actions performed on personal data within that system.
31..The Operator uses encryption (cryptographic) tools when processing personal data (KS1, CryptoPro CSP, CRYPTO-PRO LLC, 385B1A-001102-17433650).
32..Processing of personal data shall cease upon the termination of the Operator's activities.
33..Databases containing personal data are located in the territory of the Russian Federation.
34..The Operator stores personal data in a form that allows identification of the data subject for no longer than required by each processing purpose, unless a storage period is established by federal law or contract.
35..Personal data on paper media is stored by the Operator for the document retention periods prescribed by the legislation of the Russian Federation on archiving.
36..The retention period for personal data processed in personal data information systems corresponds to the retention period for personal data on paper media.

Updating, Correction, Deletion and Destruction of Personal Data; Responses to Data Subject Access Requests
37..Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of processing, and other information required to be provided by the Operator to the data subject under applicable law shall be provided to the data subject or their representative within the timeframes established by applicable law. Where no such timeframes are established by law, such information shall be provided by the Operator no later than 10 business days from receipt of the relevant request.
38..A request must contain:
  • The number of the primary identity document of the data subject or their representative, the date of issue of that document and the issuing authority;
  • Information confirming the data subject's relationship with the Operator (contract number, contract date, reference designation and/or other details), or information otherwise confirming that the Operator processes the data subject's personal data;
  • The signature of the data subject or their representative.
39..The information provided shall not include personal data relating to other data subjects, except where there are lawful grounds for disclosing such data.
40..A request may be submitted in electronic form and signed with an electronic signature in accordance with Russian law. The Operator shall provide the requested personal data to the data subject or their representative in the same form in which the corresponding request or enquiry was submitted, unless otherwise specified in that request or enquiry.
41..Requests shall be sent to the Operator's registered legal address or to the email address: Info@sbproect.ru
42..If a data subject's request does not contain all the required information as prescribed by the Personal Data Law, or if the data subject does not have the right to access the requested information, a reasoned refusal shall be sent within the timeframe established for responding to requests.
43..A data subject's right of access to their personal data may be restricted in accordance with the provisions of the Personal Data Law, including where such access would infringe the rights and legitimate interests of third parties.
44..If inaccurate personal data is identified upon the request or enquiry of a data subject or their representative, or upon a request from Roskomnadzor, the Operator shall block the personal data relating to that data subject from the moment of such request or enquiry for the duration of the verification, provided that blocking does not infringe the rights and legitimate interests of the data subject or third parties.
45..If the inaccuracy of personal data is confirmed, the Operator shall, on the basis of information provided by the data subject or their representative or by Roskomnadzor, or other relevant documents, update the personal data within the timeframes established by applicable law, or, where none are established, within no more than 7 business days, and shall lift the blocking of the personal data.
46..If unlawful processing of personal data is identified upon a request or enquiry from a data subject or their representative or from Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to that data subject from the moment of such request or enquiry.
47..Upon the identification by the Operator, Roskomnadzor or any other interested party of the fact of unlawful or accidental transfer (provision, dissemination) of personal data (or access to personal data) resulting in a breach of data subjects' rights, the Operator shall:
  • Within the timeframe established by law (or, where no such timeframe exists, within 24 hours), notify Roskomnadzor of the incident, the suspected causes that led to the breach of data subjects' rights, the estimated harm caused to data subjects' rights, the measures taken to remediate the consequences of the incident, and provide details of the person authorised by the Operator to liaise with Roskomnadzor on matters related to the incident;
  • Within the timeframe established by law (or, where no such timeframe exists, within 72 hours), notify Roskomnadzor of the results of the internal investigation into the identified incident and provide information on the persons whose actions caused the incident (if any).
48..Procedure, conditions and timeframes for the destruction of personal data by the Operator:
  • Upon achievement of the personal data processing purpose or upon the loss of the necessity to achieve that purpose — within the timeframe established by law, or, where none exists, within 30 days from the moment of achievement of the purpose or loss of the necessity;
  • Upon reaching the maximum document retention periods for documents containing personal data — within the timeframe established by law, or, where none exists, within 30 days from reaching the maximum period;
  • Upon confirmation by the data subject (or their representative) that the personal data was obtained unlawfully or is no longer required for the stated processing purpose — within the timeframe established by law, or, where none exists, within 7 days from receipt of such confirmation;
  • Upon withdrawal by the data subject of consent to the processing of their personal data, where retention is no longer required for the processing purpose — within the timeframe established by law, or, where none exists, within 30 days from receipt of the request.
49..Upon achievement of the personal data processing purpose, as well as in the event of withdrawal by the data subject of consent to processing, the personal data shall be destroyed, unless otherwise provided by a contract to which the data subject is a party, beneficiary or guarantor.


Last updated: 19 November 2025
Go to the main page