Corporate Governance

Processing of Personal Data

NSPK JSC Policy of Personal Data Processing and Protection

Version 2.0, Moscow 2022

The official language of the “NSPK JSC Policy of Personal Data Processing and Protection” (Version 2.0, Moscow 2022) is Russian. This English language text is not an official translation and is provided for information purposes only.
In the event of any discrepancies between the English version and the Russian original, the Russian original shall prevail. The recipient is solely responsible for the use of the information contained herein.

1. General Provisions

This NSPK JSC Policy of Personal Data Processing and Protection (hereinafter, the “Policy”) determines the underlying principles, objectives, conditions and methods of personal data processing, lists of subjects and personal data processed by NSPK JSC, functions of NSPK JSC in processing of personal data, rights of personal data subjects, as well as requirements to personal data protection implemented by NSPK JSC.

This Policy was written in compliance with the requirements of the Constitution of the Russian Federation, personal data laws, statutes and regulations of the Russian Federation.

The provisions hereof provide the basis for the drafting of internal policies and procedures governing within NSPK JSC the processing and protection of personal data of NSPK JSC employees and other personal data subjects whose personal data NSPK JSC processes. The provisions hereof are elaborated within the internal NSPK JSC documents.

NSPK JSC ensures the full observance of civil and political rights of personal data subjects when processing their personal data, including protecting their right to privacy, personal and family secrets.

2. Laws and Other Statutes and Regulations

This Policy was written in compliance with the following laws, statutes and regulations of the Russian Federation:

Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;

The Labour Code of the Russian Federation;

Decree of the President of the Russian Federation No. 188 dated March 6, 1997 “On the approval of the list of confidential information”;

Regulation of the Government of the Russian Federation No. 687 dated September 15, 2008 “On approval of the statute on special aspects of personal data processing without the use of automation technology”;

Regulation of the Government of the Russian Federation No. 1119 dated November 1, 2012 “On approval of the requirements to personal data protection in the course of its processing in personal data information systems”;

Order of FSTEC of Russia No. 21 dated February 18, 2013 “On approving the list and scope of planning and technical activities for protection of personal data while processing via personal data information systems”;

The guidelines of the Federal Security Service of the Russian Federation;

Other statutes and regulations of the Russian Federation and statutory documents of competent public authorities.

3. Terms, Definitions and Abbreviations

The following terms, definitions and abbreviations are used herein:

NSPK JSC – National Payment Card System Joint-Stock Company located at: 11, Bolshaya Tatarskaya Street, Moscow, 115184.

Automated Personal Data Processing – personal data processing by means of computers.

Personal Data Blocking – a temporary interruption of personal data processing (except where processing is required for personal data update or alteration).

Cardholders – private individuals who legally use payment cards as electronic payment facilities.

Domain Name – a symbol designation for addressing sites on the Internet in order to provide access to information hosted on the Internet.

Applicants – private individuals who sent applications to NSPK JSC.

Customers of Faster Payments System Participants – private individuals who entered into a banking agreement with a Faster Payments System Participant.

Mobile Application – computer software developed by NSPK JSC and designed to run at mobile devices to provide access to NSPK JSC web resources, goods/works/services of NSPK JSC, Mir Payment System Participants, partners (contractors) of NSPK JSC.

Personal Data Depersonalization – actions making it impossible to identify personal data as belonging to a certain data subject without using additional information.

Personal Data Processing – any action or a series of actions with personal data with or without the use of automation facilities, including the personal data acquisition, recording, systematization, accumulation, storage, update and alteration, extraction, use, transfer (distribution, presentation, providing access granting), depersonalization, blocking, deleting and annihilation.

Personal Data Operator (Operator) – a state authority, municipal authority, legal entity or private individual, who, independently or jointly, arranges and/or performs personal data processing, as well as defines the objectives of personal data processing, the scope of personal data to be processed and personal data processing operations. In this Policy, NSPK JSC shall be understood to mean the Operator.

Personal Data – any information directly or indirectly related to a specified private individual (data subject).

Subscribers – private individuals who subscribe to newsletters and feedback handling on NSPK JSC Web resources.

Visitors – private individuals who are issued single-use passes to access NSPK JSC premises.

Web Visitors – private individuals who are granted access to external NSPK JSC Web resources using a Web browser and (or) NSPK JSC mobile application.

Regulations on NSPK JSC Operational and Payment Clearing Services – an NSPK JSC document establishing the procedure, conditions and provisions of organizing interaction and obtaining operational and payment clearing services of acquisition, processing, and submission of data on transactions with bank cards to credit institutions and the state corporation “Bank for Development (VEB.RF)” when performing funds transfers in the Russian Federation using international payment cards, with the exception of cross-border transfers.

Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System – an NSPK JSC document establishing the procedure, conditions, and provisions of organizing interaction and obtaining operational and payment clearing services, including services of acquisition, processing, and submission of data to credit institutions to perform funds transfers using the Faster Payments System (FPS) of the payment system of the Bank of Russia.

Mir Payment System Regulations – a set of documents that determines conditions of participation in the Mir Payment System, performance of funds transfers, provision of payment infrastructure services, and other provisions determined by the Mir Payment System operator under the laws of the Russian Federation.

Loyalty Program Regulations of NSPK JSC – document(s) that define(s) the conditions of participation in the Loyalty Program, and other provisions determined by the Operator under the laws of the Russian Federation.

NSPK JSC Transport Processing Platform Rules – document(s) that define(s) the conditions of participation in NSPK JSC transport system and other provisions determined by the Operator under the laws and regulations of the Russian Federation.

Personal Data Presentation – actions aimed at disclosing personal data to a particular person or a specific group of people.

Personal Data Presentation – actions aimed at disclosing personal data to any number of unspecified persons.

Personal Data Annihilation – actions making it impossible to restore the scope of personal data in the personal data information system and (or) resulting in the elimination of tangible personal data media.

Cookies – a set of data stored in the browser settings of a personal data subject and processed by the NSPK JSC Web resource when a personal data subject uses such a Web resource.

Web Browser – software used by a personal data subject to view information, including Web resources on the Internet.

Web Resource – an NSPK JSC information system that uses data presentation and transmission technologies to provide information services on the Internet.

Other terms and definitions used herein are understood in accordance with the laws of the Russian Federation, Mir Payment System Regulations, Loyalty Program Regulations of NSPK JSC, Regulations on NSPK JSC Operational and Payment Clearing Services, Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System, NSPK JSC Transport Processing Platform Rules.

4. Concept and Scope of Personal Data

NSPK JSC makes a list of personal data processed and subject to protection in accordance with Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, other regulations, as well as internal policies and procedures of NSPK JSC, with due consideration of personal data processing objectives of personal data subjects specified in Section 5 hereof, and in accordance with the notification on personal data processing sent by NSPK JSC to the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor).

Information constituting personal data is any information directly or indirectly related to an identified or identifiable individual (personal data subject).

NSPK JSC does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, intimate life.

NSPK JSC processes the personal data of the following subjects:

job applicants;

employees, including former ones;

interns;

relatives of employees and interns;

affiliated persons;

cardholders;

FPS Participants’ customers;

NSPK JSC Web resources visitors;

representatives of contractors, including the contractors of Mir Payment System, FPS;

visitors, including attendees of events held by NSPK JSC;

applicants;

subscribers.

5. Objectives and Principles of Personal Data Processing

NSPK JSC in its capacity of a personal data operator processes personal data for the following purposes:

provision of intrafacility access control within NSPK JSC;

staff recruitment (search and review of candidates for employment), including receiving and reviewing CVs and other necessary information about the candidate, conducting the necessary checks, as well as creating and maintaining an external talent pool;

enforcement of laws and other regulations, promotion of employment, education and professional advancement for employees, ensuring personal safety of employees, control of the scope and performance of work, and safekeeping of property;

drafting, conclusion and execution of contracts (agreements) with counterparties, including procurement procedures, due diligence, contract (agreement) management and enforcement of terms thereof;

provision of information and consulting services through conferences and forums, seminars and webinars;

preparation, issuance, record keeping and revocation of Powers of Attorney for NSPK JSC employees and external organizations;

selection, booking, payment for tickets, hotel stays via specialized agents;

receipt and mailing of correspondence, workflow management (preparation, flow management, systematization of internal documents, processing of applications and feedback handling), archival storage;

provision of services for creation and revocation of certificates of digital signature verification keys;

creating business continuity incidents response teams and managing their access to premises of government authorities and partner companies;

fulfillment of conditions of disclosure of mandatory and additional NSPK JSC information, internal and external communication, including press relations used for fair presentation of NSPK JSC operations;

processing of personal data of affiliates in order to comply with laws of the Russian Federation;

ensuring proper operation, click stream analysis and performance optimization of NSPK JSC Web resources and mobile applications to improve the quality of operation and usability, personalization of services and offers;

development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC, organization of marketing activities and promotions, provision of personalized offers and information about the Loyalty Program, promotions, advertising and other information, including Partner information for Mir Cardholders, information about any marketing activities and promotions for Mir Cardholders;

implementation of payment, record-keeping of benefits and public transport fares, and provision of organizational and legal measures for accedence to the NSPK JSC Transport Processing Platform Rules, as well as provision of support on organizational, operational and technical issues to Participants, Partners;

provision of a service allowing Mir Cardholders to access airport lounges;

operating in accordance with Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Regulations on NSPK JSC Operational and Payment Clearing Services, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and FPS OPCC Standards, the Mir Payment System Regulations and Standards, including:

ensuring reliability, efficiency and availability of funds transfer services;

organizational and legal arrangements for accedence to the Regulations, as well as organizational, operational and technical support to Participants and other business partners;

handling mail, requests and other correspondence from Participants, other persons and personal data subjects;

communication with Participants, other persons, personal data subjects, including sending responses, notifications, decisions, requests and other information related to the implementation of regulations and standards;

improving quality of services provided by the Mir Payment System operator, their usability and ease of development of new Mir products and services;

resolution of disputes, exceptions and emergencies, including cases of system crashes, process failures, resolution of disputes between Participants, other persons, including disputes related to Transaction performance (non-fulfillment), including cases of fraudulent use of the card arising both between Participants and between parties involved in a Transaction;

personal data comparison to confirm their accuracy and allow their verification by third parties as provided by applicable law of the Russian Federation;

prevention of unauthorized transactions, fraudulent transactions and other mis-uses, as well as investigation thereof;

statistical and other studies based on anonymized data;

provision of services to Mir Payment System Participants to organize Secure Cardholder Authentication and make decisions when performing transactions on the Internet;

provision of services to Mir Payment System Participants to organize Secure Mir Cardholder Authentication, when performing transactions on the Internet;

provision of the mobile payments service.

When processing personal data, NSPK JSC abides by the following principles stipulated by Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”:

personaldata of personal data subjects is processed on a legitimate and equitable basis;

processing of personal data of personal data subjects is limited to achieving specific, predetermined and legitimate purposes. processing personal data of PD subjects that is incompatible with the purposes of personal data collection is not allowed;

databases containing personal data of personal data subjects that is processed for purposes incompatible with each other must not be integrated;

only personal data of personal data subjects that complies with the purposes of processing is to be processed;

the content and scope of personal data of personal data subjects processed within NSPK JSC meet the declared purpose of their processing;

when processing personal data of personal data subjects, accuracy, sufficiency and, if necessary, relevance of personal data to the purpose of personal data processing is ensured;

personal data of personal data subjects is stored only as long as required for purposes of personal data processing, as well as stipulated by federal laws and agreements where a personal data subject acts as a party, a beneficiary or a guarantor.

6. Personal Data Processing Conditions Within NSPK JSC

NSPK JSC processes personal data with the consent from personal data subjects, unless otherwise provided for by laws of the Russian Federation.

NSPK JSC does not disclose to third parties nor does it disseminate personal data without the consent of personal data subjects, unless otherwise provided for by laws of the Russian Federation.

NSPK JSC is entitled to charge another person with the processing of personal data with the consent from the personal data subject under an agreement with such person. Such agreement must contain a list of actions (operations) with personal data that will be performed by the person processing the personal data, as well as purposes of processing, the obligation of such person to keep personal data confidential and ensure personal data security when processing them, as well as requirements to personal data protection under Article 19 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

For purposes of internal informational support, NSPK JSC can create internal reference materials which, with the written consent of the personal data subject, unless otherwise provided for by laws of the Russian Federation, may contain their last name, first name, patronymic, photograph, place of work, position, year and place of birth, address, customer number, e-mail address, other personal data conveyed by the personal data subject.

Only authorized NSPK JSC employees may have access to personal data processed within NSPK JSC.

7. Personal Data Handling Operations and Processing Methods

NSPK JSC collects, records, systematizes, accumulates, stores, refines (updates, alters), extracts, uses, transfers (disseminates, provides, grants access), depersonalizes, blocks, deletes and annihilates personal data.

NSPK JSC uses the following personal data processing methods:

non-automated personal data processing;

automated personal data processing with or without transferring the received information via data telecommunications networks;

mixed personal data processing.

8. Personal Data Processing Conditions

The processing conditions of personal data of personal data subjects within NSPK JSC is set forth in the internal documents of NSPK JSC with due regard for:

specified personal data processing objectives;

conditions of contracts to which a personal data subject is a party, a beneficiary or a guarantor, and contracts executed at the initiative of a personal data subject;

Order of the Ministry of Culture of the Russian Federation dated August 25, 2010 No. 558 “On approval of the “List of standard administrative archive documents generated in the course of activities of government agencies, local government bodies and organizations, with the indication of their storage periods”;

Resolution of the Federal Commission for the Securities Market No. 03-33/ps dated 16 July 2003 “On procedure and conditions of storage of documents of Joint Stock Companies”;

statutes of limitations on actions;

other statutory documents of the Russian Federation.

9. Ensuring Personal Data Security and Confidentiality

NSPK JSC takes the legal, technical and organizational measures provided for by laws of the Russian Federation necessary to ensure security of processed personal data of personal data subjects to protect personal data from unlawful or accidental access, annihilation, alteration, blockage, copying, presentation, dissemination, as well as other illegal actions regarding personal data of personal data subjects.

The security of personal data of personal data subjects is ensured within NSPK JSC under the laws of the Russian Federation and NSPK JSC internal policies and procedures regarding processing and protection of personal data, namely:

identifying threats to the security of personal data of personal data subjects when processing via personal data information systems of NSPK JSC;

taking organizational and technical measures to ensure security of personal data of personal data subjects when processing them via personal data information systems of NSPK JSC, necessary to comply with the requirements to personal data security the execution of which ensures the levels of personal data protection established by the Government of the Russian Federation;

application within NSPK JSC of information security facilities approved by FSTEC and the Federal Security Service of the Russian Federation in cases when applying such facilities is required to neutralize immediate threats to personal data security;

assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system of NSPK JSC;

stock-taking of personal data media;

detecting cases of unauthorized access to personal data of personal data subjects and taking appropriate security measures;

restoring personal data of personal data subjects modified or deleted due to unauthorized access;

setting rules of access (including access restriction) to personal data of personal data subjects processed in the personal data information systems of NSPK JSC, as well as ensuring the registration and logging of all actions performed with personal data in the personal data information systems of NSPK JSC;

assigning NSPK JSC officers responsible for processing and protection of personal data of personal data subjects by orders within NSPK JSC;

control over measures taken to ensure personal data security and security levels of the personal data information systems of NSPK JSC.

10. Use of NSPK JSC Web Resources and Mobile Applications

NSPK JSC uses cookies, which includes processing information about Web Visitors, necessary for correct operation of NSPK JSC Web resources and mobile applications, as well as to improve the operation quality and usability of NSPK JSC Web resources and mobile applications, personalize services and offers for Web Visitors.

Some of the functionality of NSPK JSC Web resources and mobile applications can be used for personal data presentation. However, to use special features of NSPK JSC Web resources and mobile applications, user data, including personal data, have to be provided.

By checking a box or clicking a button in the electronic acceptance form provided by the NSPK JSC Web resource and (or) mobile application, a personal data subject agrees to processing of their personal data by NSPK JSC under the conditions provided for herein.

A personal data subject does not use the NSPK JSC Web resources and (or) mobile applications, nor do they provide their personal data to NSPK JSC unless they agree with the provisions of this Section of the Policy.

NSPK JSC processes personal data using Web resources and mobile applications under the conditions set forth in Appendix 1 hereto.

11. Rights and Obligations of NSPK JSC and Personal Data Subjects

NSPK JSC, in its capacity of the personal data operator, is entitled to:

seek legal redress;

provide third parties with personal data of personal data subjects, as provided for in laws of the Russian Federation (tax authorities, law enforcement bodies etc.);

deny the presentation of personal data in cases provided for in laws of the Russian Federation;

use personal data of personal data subjects without their consent in cases provided for in laws of the Russian Federation.

NSPK JSC, in its capacity of the personal data operator, shall:

provide to a personal data subject, at their request, the information provided for in Part 7, Article 14 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Da

explain to a personal data subject the legal implications of their refusal to provide NSPK JSC with their personal data, provided that the provision of personal data to NSPK JSC by the personal data subject is mandatory under the Federal Law;

if personal data was not obtained from a personal data subject, except as provided for in Part 4, Article 18 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”, provide the following information to a personal data subject prior to processing such personal data:”;

1) a designation or a full name and address of the operator or its representative;

2) purposes of personal data processing and its legal grounds;

3) intended users of personal data;

4) rights of a personal data provided for in the Federal law;

5) source of personal data.

when collecting personal data of personal data subjects, including via the Internet, ensure recording, systematization, accumulation, storage, refinement (update, alteration), extraction of personal data of personal data subjects using databases located in the Russian Federation, with the exception of cases specified in Clauses 2, 3, 4, 8, Part 1, Article 6 of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.

NSPK JSC takes reasonable measures to maintain accuracy and relevance of the available personal data, as well as to delete personal data of personal data subjects if they are obsolete, inaccurate or redundant or if the purposes of their processing have been achieved.

A personal data subject is entitled to:

withdraw consent to the processing of personal data;

require that their personal data be refined, blocked or deleted if such personal data is incomplete, obsolete, inaccurate, obtained illegally or is not necessary for the stated purpose of processing, as well as take measures provided for by law to enforce their rights;

require a list of their personal data processed within NSPK JSC, and their source;

receive information on the processing conditions of their personal data, including the storage period;

require that all persons to whom their incorrect or incomplete personal data was previously conveyed be notified of all exceptions, corrections or additions made to it;

appeal to an authorized body for defense of rights of personal data subjects or to a court against the actions or inaction in processing of their personal data;

seek in court the protection of their rights and legal interests, including indemnification and (or) compensation for moral harm.

Personal data subjects are liable for provision of reliable information to NSPK JSC, as well as for the timely update of the data provided in case of changes.

12. Feedback, Request Handling

If a personal data subject wishes to know what personal data NSPK JSC holds on them, or to supplement, correct, depersonalize or delete any incomplete, inaccurate or obsolete personal data, or wishes for NSPK JSC to stop processing their personal data, or has other legal claims, they can exercise such right as and when required under the laws of the Russian Federation by contacting NSPK JSC.

In some cases (e.g., if a personal data subject wants to delete their personal data or interrupt their processing), such request may also mean that NSPK JSC will no longer be able to provide services to such personal data subject.

To handle requests of personal data subjects, NSPK JSC may require to establish the identity of such personal data subject and request additional information confirming their relations with NSPK JSC, or information otherwise confirming the fact of personal data processing within NSPK JSC. In addition, the right of a personal data subject to access its personal data may be abridged in accordance with the laws of the Russian Federation on personal data, including if access of a personal data subject to its personal data breaches rights and legitimate interests of third parties.

The procedure for submitting requests by a personal data subject is specified by the requirements of Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”. Namely, in accordance with the specified requirements, a request must contain:

series and number of the personal identity document of a personal data subject (his representative), information about the issue date of the specified document and the issuing authority;

evidence of the personal data subject’s relations with NSPK JSC (contract number, contract date, designation and (or) other information) or information otherwise confirming the fact of personal data processing within NSPK JSC;

signature of the personal data subject (their representative).

If a request is sent by a representative of the personal data subject, the request must contain a document (copy of the document) confirming the authority of this representative.

A request may be sent by a personal data subject in electronic form. Such requests must be verified by an enhanced digital signature of the personal data subject.

NSPK JSC contacts for personal data subjects’ requests:

mail address: 11, Bolshaya Tatarskaya str., Moscow, 115184; e-mail: info@nspk.ru.

13. Final Provisions

This Policy is the NSPK JSC internal document which becomes effective upon approval and is publicly accessible and subject to publication (distribution) on the NSPK JSC web-resource with the domain name nspk.ru (the Russian version), nspk.com (the English version).

NSPK JSC may amend this Policy. When amending the front page of this document, the latest date of an update of the version hereof is indicated. Amendments made to this Policy become effective upon approval, unless otherwise specified by the very amendments.

The current version hereof is stored as a hard copy at the location of the NSPK JSC executive body at the address: 11, Bolshaya Tatarskaya Street, Moscow, 115184.

NSPK JSC recommends that personal data subjects regularly refer to this Policy to review the last current version.

Appendix 1. Personal Data Processing Conditions Using NSPK JSC Web Resources and Mobile Applications

NSPK JSC processes personal data using Web resources and mobile applications under the following conditions:

Personal data subject	Purpose of personal data processing	Scope of personal data	Domain name / mobile application	Method of personal data processing	Personal data transfer	Personal data processing operations	Term of consent
Web resources visitors	ensuring proper operation, click stream analysis and performance optimization of NSPK JSC Web resources and mobile applications to improve the of operation and usability, personalization of services and offers	IP address Date and time of the Web resource visit Browser and operating system types Type and model of mobile device Click-through URL Behavioral information (including the number and names of the pages viewed) Age, sex, interests, geographical location of the user Other technical data (cookies, flash, java etc.)	www.nspk.ru privetmir.ru mironline.ru	Using automation facilities	To the limited liability company “SAS Institute” located at: 21 build.1, Stanislavsky street, 109004 Moscow	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	5 years
Web resources visitors		Full name Contacts (phone number, e-mail address) Device information	Faster Payments System mobile application Mir Pay mobile application	Using automation facilities	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years
Job applicants	Staff recruitment	Full name Contacts (phone number, e-mail address) City of residence CV	mironline.ru	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	15 years
Job applicants	Staff recruitment	Full name Date of birth (day, month, year) Identity document information (series, number, issuing authority, date of issue) Contacts (phone number, e-mail address; accounts in social networks) INN (Taxpayer Identification Number) Marital status Residence Education (institution, number of diploma, grade, major, professional qualification, academic degree / rank, date of academic degree / rank) Close relatives (Full name, degree of relationship, date of birth) Information about application for relocation and permanent residence in a foreign country Employment history Financial obligations Weapon possession Military service details Hobbies	jobform.nspk.ru/	Mixed processing (with or without the use of automation facilities)	The educational institution of the candidate specified in CV can be transmitted the full name, date of birth and education details	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	15 years
Employees	Provision of services for creation and revocation of certificates of digital signature verification keys	Full name Position Organization Contacts (phone number, e-mail address, postal address)	cryptomir.sbp.nspk.ru cryptomir.nspk.ru	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years
Affiliated persons	In order to comply with laws of the Russian Federation	Full name Residence Ground(s) for considering the person affiliated Effective date of ground(s) Affiliated person’s interest in the authorized capital of the joint-stock company, % Affiliated person’s share of common stock of the joint-stock company, %	www.nspk.ru www.e-disclosure.ru	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	In accordance with the law
Representatives of contractors	provision of information and consulting services through seminars and webinars	Full name Position Organization Contacts (phone number, e-mail address)	mironline.ru	Mixed processing (with or without the use of automation facilities)	To the limited liability company “WEBINAR TECHNOLOGII” located at: 21 Praskovyina street, 129515 Moscow	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	5 years
	Provision of information and consulting services through conferences and forums	Full name Position Organization Contacts (phone number, e-mail address) Identity document information (series, number, issuing authority, date of issue)	mir-businessconf.mironline.ru	Mixed processing (with or without the use of automation facilities)	To the contractor involved in preparation and organization of conferences, forums, under a services agreement	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	5 years
		Full name Position Organization Contacts (phone number, e-mail address)	mironline.ru/mirconf/ Mir.Conf mobile application	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years
	Provision of services for creation and revocation of certificates of digital signature verification keys	Full name Position Organization Contacts (phone number, e-mail address, postal address)	cryptomir.sbp.nspk.ru cryptomir.nspk.ru	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years
	Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Mir Payment System Regulations and Standards	Full name Date of birth (day, month, year) Identity document information (series, number) INN (Tax identification number) SNILS (Individual insurance account number) Position Organization Contacts (phone number, e-mail address)	www.spp.nspk.ru	Automated processing (using automation facilities)	Data transferred in accordance with provisions of Mir Payment System Regulations and Standards	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Mir Payment System Regulations and Standards
	Organizational and legal arrangements for accedence to the Regulations, as well as organizational, operational and technical support to Participants and other business partners	Full name Position Structural division Organization Contacts (phone number, fax number, e-mail address)	www.support.nspk.ru	Mixed processing (with or without the use of automation facilities)	Data transferred under the Regulations on NSPK JSC Operational and Payment Clearing Services, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and the Mir Payment System Regulations	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and the Mir Payment System Regulations
	Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC	Full name Position Organization Contacts (phone number, e-mail address)	privetmir.ru	Mixed processing (with or without the use of automation facilities)	Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Loyalty Program Regulations of NSPK JSC
	Implementation of payment, record keeping of benefits and public transport fares, and provision of organizational and legal measures for accedence to the NSPK JSC Transport Processing Platform Rules, as well as provision of support on organizational, operational and technical issues to participants, partners.	Full name Position Organization Contacts (phone number, e-mail address)	transport.nspk.ru	Automated processing (using automation facilities)	Data transferred in accordance with provisions of the NSPK JSC Transport Processing Platform Rules	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the NSPK JSC Transport Processing Platform Rules
Cardholders	Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC, organization of marketing activities and promotions, provision of personalized offers and information about the Loyalty Program, promotions, advertising and other information, including Partner information for Mir Cardholders, information about any marketing activities and promotions for Mir Cardholders	Full name Sex Date of birth (day, month, year) Contacts (phone number, e-mail address) Payment card information (PAN) Information about Mir purchase transactions Identifier in Third Party Services¹ Place of birth Identity document information (series, number, issuing authority, date of issue) Residence and registration address INN (Tax Identification Number) Bank account details (account number)	privetmir.ru Privet Mir! mobile application	Mixed processing (with or without the use of automation facilities)	Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Loyalty Program Regulations of NSPK JSC
	Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Mir Payment System Regulations and Standards	Primary Account Number Payment card expiration date Transaction information Information about the Cardholder’s account involved in a transaction in the store Warnings about device security breaches Information on risk management provided by the store Information about the Cardholder’s device Information about the time zone of the transaction Shipping address Other information provided for by the EMV 3DSecure 2.0 specification	mirconnect.ru	Automated processing (using automation facilities)	Data transferred in accordance with provisions of Mir Payment System Regulations and Standards	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Mir Payment System Regulations and Standards
		Primary Account Number Payment card expiration date Transaction information	dispute.nspk.ru
		Primary Account Number Payment card expiration date Transaction information Full name Contacts (e-mail address) Warnings about device security breaches Information about the Cardholder’s device Information about the time zone of the transaction	- Mir Pay mobile application
	Implementation of payment, record-keeping of benefits and public transport fares, and provision of organizational and legal measures for accedence to the NSPK JSC Transport Processing Platform Rules, as well as provision of support and information on organizational, operational and technical issues to participants, partners	Social status (benefit code definition) E-mail address Primary Account Number Payment card expiration date SNILS (Individual insurance account number) Information about fare payment transactions	bilet.nspk.ru ticket.nspk.ru	Automated processing (using automation facilities)	Data transferred in accordance with provisions of the NSPK JSC Transport Processing Platform Rules	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the NSPK JSC Transport Processing Platform Rules
	Performance of contracts (agreements) with contractors, implementation of conditions of NSPK JSC service provision for contractors	Full name Date of birth (day, month, year) Contacts (phone number)	score.prod.nspk.ru score.prod2.nspk.ru	Automated processing (using automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the relevant service agreement
FPS Participants’ customers	Operation under Federal Law of June 27, 2011 No. 161-FZ “On the National Payment System”, the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System and FPS OPCC Standards	Full name Personal application Place of registration Identity document information (type, series, number) INN (Tax Identification Number) Contacts (phone number) Bank account details (account number)	sbp-prod1.cbrpay.ru sbp-prod2.cbrpay.ru sbp-prod3.cbrpay.ru sbp-prod4.cbrpay.ru	Automated processing (using automation facilities)	Data transfer in accordance with provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Regulations on NSPK JSC Operational and Payment Clearing Services within the Faster Payments System
		Full name Contacts (phone number) Bank account details (account number)	Faster Payments System mobile application	Automated processing (using automation facilities)
	Development and management of customer programs, including fulfillment of conditions of participation in the Loyalty Program, operation under the Loyalty Program Regulations of NSPK JSC, marketing activities and promotions, provision of personal offers and information about the Loyalty Program, promotions, advertising and other information	Full name Sex Date of birth (day, month, year) Contacts (phone number, e-mail address) Payment card information (PAN) Information about Mir purchase transactions Identifier in Third Party Services Place of birth Identity document information (series, number, issuing authority, date of issue) Residence and registration address INN (Tax Identification Number) Bank account details (account number)	privetmir.ru Privet Mir! mobile application	Mixed processing (with or without the use of automation facilities)	Data transferred in accordance with provisions of the Loyalty Program Regulations for Mir Cardholders	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, transfer (provision, access granting), depersonalization, blockage, deletion, annihilation of personal data	Determined by provisions of the Loyalty Program Regulations of NSPK JSC
Applicants	Processing of applications and feedback handling	First name Last name Contacts (phone number, e-mail address, account in social networks)	www.nspk.ru	Mixed processing (with or without the use of automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years
Subscribers	Receiving information about the Loyalty Program, promotions, advertisements, and other information, personalization of services and offers, as well as feedback handling	Contacts (e-mail address)	privetmir.ru	Automated processing (using automation facilities)	None	Collection, recording, systematization, accumulation, storage, refinement (updates, alterations), extraction, usage, depersonalization, blockage, deletion, annihilation of personal data	5 years

¹ The term is used in accordance with the Loyalty Program Regulations of NSPK JSC.

pdf

NSPK JSC Policy of Personal Data Processing and Protection

31.10.2022

pdf

703 Кб