1. GENERAL PROVISIONS

1.1. This personal data processing policy (hereinafter referred to as the "Policy") has been developed pursuant to the requirements of Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006 (hereinafter referred to as the "Personal Data Law") in order to ensure the protection of human and civil rights and freedoms when processing their personal data, including the protection of the right to privacy, personal and family secrets.
1.2. This Policy applies to the following categories of personal data subjects whose information is processed by the Operator: employees; counterparties; clients; website visitors.
1.3. Key concepts used in the Policy:
Personal data – any information relating to a directly or indirectly identified or identifiable individual (personal data subject);
Personal Data Operator (Operator) – Morskaya Apteka LLC (TIN 9111022180, OGRN 1169102089650), which independently or jointly with other entities organizes and/or processes personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
Personal data processing – any action (operation) or set of actions (operations) with personal data, performed with or without the use of automated tools. Personal data processing includes, but is not limited to: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction;
Automated personal data processing – the processing of personal data using computer technology;
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;
Provision of personal data – actions aimed at disclosing personal data to a specific person or group of persons;
Blocking of personal data – temporary cessation of personal data processing (except in cases where processing is necessary to clarify the personal data);
Destruction of personal data – actions that make it impossible to restore the contents of personal data in a personal data information system and/or that result in the destruction of tangible media containing personal data;
Anonymization of personal data – actions that make it impossible to determine the ownership of personal data by a specific data subject without the use of additional information;
Personal data information system – set of personal data contained in databases and information technologies and technical means that support their processing;
Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to a foreign government agency, a foreign individual, or a foreign legal entity;
Website is a collection of computer programs and other information contained in an information system accessible via the Internet and located at https://seapharma.ru/.

1.4. Basic Rights and Obligations of the Operator.
1.4.1. The Operator has the right to:
· Independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;
· Entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with that person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data stipulated by the Personal Data Law;
· If the personal data subject revokes consent to the processing of personal data, the Operator has the right to continue processing the personal data without the consent of the personal data subject, provided that the grounds specified in the Personal Data Law exist.
1.4.2. The Operator is obliged to:
· Organize the processing of personal data in accordance with the requirements of the Personal Data Law;
· Respond to inquiries and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
· Notify the authorized body for the protection of the rights of personal data subjects (hereinafter referred to as "Roskomnadzor"), upon request, of the necessary information within 10 business days of receipt of such request.
1.5. Basic Rights of Personal Data Subjects. A personal data subject has the right to:
· Receive information regarding the processing of their personal data, except in cases stipulated by federal laws. Information is provided to the personal data subject by the Operator in an accessible form and must not contain personal data related to other personal data subjects, unless there are legal grounds for disclosure of such personal data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
· Request that the Operator clarifies, blocks, or destroys their personal data if such personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, and also takes measures provided by law to protect their rights;
· Appeal to Roskomnadzor or in court any unlawful actions or inactions of the Operator in the processing of their personal data.
The data subject may exercise the right to receive information regarding the processing of their personal data, as well as the right to clarify, block, or destroy their personal data, by submitting a request to the Operator at the following address: 298318, Republic of Crimea, Kerch, Furmanova Street, Building 10, Office 3, or by sending a request to the Operator by email at info@seapharma.ru. In both cases, the request must be submitted in compliance with the requirements of Section 8 of this Policy.
1.6. Compliance with the requirements of this Policy is monitored by the authorized person responsible for organizing the processing of personal data at the Operator.
1.7. Liability for violation of the requirements of Russian Federation legislation and the Operator's local regulations regarding the processing and protection of personal data is determined in accordance with Russian Federation legislation.

2. PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. The Operator processes personal data in accordance with the requirements of Russian Federation law and is based on the following principles:
· legality and fairness;
· limiting the processing of personal data to achieve specific, predetermined, and legitimate purposes;
· preventing the processing of personal data incompatible with the purposes for which the personal data was collected;
· preventing the merging of databases containing personal data processed for incompatible purposes;
· processing only personal data that meets the purposes for which they are processed;
· compliance with the content and volume of processed personal data with the stated purposes of processing;
· preventing the processing of excessive personal data in relation to the stated purposes of processing;
· ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes for which they are processed;
· destruction or depersonalization of personal data upon achieving the purposes of their processing or in the event of loss of the need to achieve these purposes, if the Operator is unable to eliminate the violations of personal data committed, unless otherwise provided by federal law.

3. LEGAL BASIS FOR PERSONAL DATA PROCESSING

3.1. The legal basis for personal data processing is the set of regulatory legal acts pursuant to which and in accordance with which the Operator processes personal data, including:
· The Constitution of the Russian Federation;
· The Labor Code of the Russian Federation;
· The Civil Code of the Russian Federation;
· The Tax Code of the Russian Federation;
· Federal Law No. 402-FZ "On Accounting" of December 6, 2011;
· Other regulatory legal acts governing relations related to the Operator's activities.
3.2. The legal basis for personal data processing also includes:
· Agreements concluded with the Personal Data Subject;
· The Personal Data Subject's consent to the processing of personal data.

4. VOLUME, CATEGORIES, AND CONDITIONS OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS IN RELATION TO THE STATED PURPOSES OF PERSONAL DATA PROCESSING

4.1. The processing of personal data is limited to achieving specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes for which it was collected is prohibited. Only personal data that is relevant to the purposes for which it was processed may be processed.
4.2. The content and scope of personal data processed must correspond to the stated purposes of processing, as set forth in this section. The personal data processed must not be excessive in relation to the stated purposes of processing. Personal data is processed by the Operator for the following purposes:
· Ensuring compliance with Russian labor legislation (assisting employees in finding employment, obtaining education, and career advancement, ensuring employee personal safety, monitoring the quantity and quality of work performed, and ensuring the safety of property, ensuring compliance with laws and other regulations)
· Preparing, concluding, and executing contracts
· Offering and promoting the Operator's products and brand on the market through marketing (advertising, PR) activities and sales promotion
· Processing incoming requests from the Website
· Maintaining Website visitor statistics
4.3. In accordance with this Policy, the Operator may process personal data belonging to the following categories of Personal Data Subjects:
· Employees of the Operator
· Contractors of the Operator
· Clients of the Operator
· Visitors to the Operator's Website
4.4. Processing personal data to ensure compliance with Russian labor legislation.
4.4.1. In accordance with this section of the Policy, the Operator determines the categories and list of personal data processed, the categories of subjects whose personal data is processed, the methods and timeframes for processing and storing such data, and the procedure for destroying personal data upon achieving the processing purpose or upon the occurrence of other legal grounds applicable to the purpose of "ensuring compliance with Russian labor legislation (including assisting employees in finding employment, obtaining education, and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, and ensuring the safety of property, ensuring compliance with laws and other regulatory legal acts)."
4.4.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category(ies) of personal data subjects:
· the Operator's employees
4.4.3. The Operator processes the following categories and list of employees' personal data for the purposes specified in this section of the Policy:
a) General (other) categories of employees' personal data are processed in accordance with the following list:
· Last name, first name, patronymic
· Residential address
· Education
· Occupation
· Passport details
· Contact phone number
· Income
· Job title
· Taxpayer Identification Number
· Insurance Number of Individual Ledger Account
· Marital status
b) Special categories of employees' personal data are processed in accordance with the requirements of Russian Federation law, namely:
· Health information
· Nationality
c) The Operator processes employees' biometric personal data (information that characterizes a person's physiological and biological characteristics, based on which their identity can be established) in accordance with the requirements of Russian Federation law, namely:
· Facial image data obtained using photo and video devices
4.4.4. The Operator performs mixed processing of employees' personal data for the purposes specified in this section of the Policy, including transfer via the internal network and transfer via the internet.
4.4.5. The list of actions performed by the Operator with employees' personal data for the purposes specified in this section of the Policy includes: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
4.4.6. The processing of employees' personal data does not require obtaining the relevant consent, provided that the volume of personal data processed by the Operator corresponds to the purpose of ensuring compliance with Russian labor legislation specified in this section of the Policy, based on paragraph 2 of Part 1 of Article 6 of the Law on Personal Data.
4.4.7. When concluding an employment contract, employees provide the Operator with the following documents containing their personal data:
· passport or other identity document;
· work record book and/or employment history information, except in cases where the employment contract is being concluded for the first time;
· document confirming registration in the individual (personalized) accounting system, including in electronic form;
· military registration documents - for those liable for military service and persons subject to conscription;
· document certifying education and/or qualifications or specialized knowledge - when applying for a job requiring specialized knowledge or training;
· other documents in accordance with legal requirements.
4.4.8. In the case of the initial conclusion of an employment contract with employees, the Operator shall issue the work record book and state pension insurance certificate.
4.4.9. If other documents are required for employee employment in accordance with legislation, the Operator will request that applicants provide such documents containing their personal data.
4.4.10. The Operator will store employees' personal data in a form that allows for the identification of the personal data subjects for no longer than required for the personal data processing purpose specified in this section of the Policy, unless the personal data retention period is established by federal law.
4.4.11. The Operator will process the personal data of dismissed employees in the cases and within the timeframes stipulated by Russian Federation law. Such cases include, but are not limited to, the processing of personal data for accounting and tax purposes, including to ensure the preservation of documents necessary for the calculation, withholding, and transfer of taxes.
4.4.12. The Operator is obligated to retain accounting documentation for the periods established in accordance with the rules for the organization of state archival affairs, but the minimum retention period may not be less than five (5) years.
4.4.13. Upon expiration of the periods specified by Russian legislation, employee personal files and other documents are transferred to archival storage for a period of 50 years.
4.4.14. Employee consent to the processing of their personal data in cases stipulated by paragraphs 4.4.11 – 4.4.13 of the Policy is not required.
4.4.15. The Operator shall not disclose or distribute employees' personal data to third parties without the consent of employees for the purposes specified in this section of the Policy, unless otherwise provided by Russian legislation.
4.4.16. When transferring employees' personal data to third parties, the Operator must comply with the following requirements:
· Disclosure of employees' personal data to third parties without the employees' written consent is prohibited, except in cases where it is necessary to prevent a threat to the life and health of employees, as well as in cases established by current Russian legislation;
· An employee transferring personal data of the Operator's employees is obligated to notify persons receiving the personal data of employees that this data may only be used for the purposes for which it was disclosed, and to require such persons to confirm compliance with this rule. Persons receiving the personal data of the Operator's employees are obligated to maintain confidentiality. This provision does not apply to the exchange of personal data of employees in the manner established by current Russian Federation legislation.
· An employee transferring personal data of the Operator's employees has the right to transfer their personal data to representatives of the employees in the manner established by the Labor Code of the Russian Federation and to limit this information to only those personal data of the employees necessary for the performance of their functions by said representatives.
· The transfer of employees’ personal data to the Pension and Social Insurance Fund of the Russian Federation (Social Fund of Russia) in the manner established by federal laws, in particular the Federal Law "On Compulsory Pension Insurance in the Russian Federation," the Federal Law "On the Fundamentals of Compulsory Social Insurance," and the Federal Law "On Compulsory Medical Insurance in the Russian Federation" is carried out without the consent of the employees.
· Employee consent is not required in cases where the Operator transfers employees' personal data to tax authorities, military commissariats, or trade union bodies, as provided for by current Russian Federation legislation, as well as when receiving, within the scope of established powers, reasoned requests from prosecutorial authorities, law enforcement agencies, security agencies, from state labor inspectors in the exercise of state supervision and control over compliance with labor legislation, and from other bodies authorized to request information about employees in accordance with the competence stipulated by current Russian Federation legislation.
4.4.17. The Operator does not carry out cross-border transfers of employees' personal data for the purpose specified in this section of the Policy.
4.4.18. The processing and storage periods for personal data for the purposes specified in this section of the Policy are set for the duration of the employment contract and for 5 (five) years after its termination.
4.5. Processing of personal data for the purposes of preparing, concluding, and executing contracts.
4.5.1. In accordance with this section of the Policy, the Operator determines the categories and list of personal data processed, the categories of subjects whose personal data is processed, the methods and periods of processing and storage, and the procedure for destroying personal data upon achieving the processing purpose or upon the occurrence of other legal grounds applicable to the purpose of "preparing, concluding, and executing contracts."
4.5.2. For the purposes specified in this section of the Policy, the Operator processes personal data belonging to the following category(ies) of personal data subjects:
· the Operator's counterparties
· the Operator's clients
4.5.3. The Operator processes the following categories and list of personal data of counterparties and clients for the purposes specified in this section of the Policy:
a) General (other) categories of personal data of counterparties and clients are processed in accordance with the following list:
· Last name, first name, patronymic
· Residential address
· Passport details
· Contact phone number
· Email address
· Gender
b) Special categories of personal data of counterparties and clients are processed in accordance with the following list:
· Health status of clients and counterparties.
c) Biometric personal data of clients (information that characterizes the physiological and biological characteristics of a person, based on which their identity can be established) is not processed.
4.5.4. The Operator performs mixed processing of personal data of counterparties and clients for the purposes specified in this section of the Policy, with transmission over the internal network and transmission over the internet.
4.5.5. The list of actions performed by the Operator with the personal data of counterparties and clients for the purposes specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, blocking, deletion, destruction.
4.5.6. The processing of personal data of counterparties and clients does not require obtaining the relevant consent, provided that the volume of personal data processed by the Operator corresponds to the purpose of preparing, concluding, and executing a civil contract specified in this section of the Policy, based on paragraph 5 of Part 1 of Article 6 of the Law on Personal Data.
4.5.7. The Operator does not disclose or distribute personal data of counterparties and clients to third parties for the purpose specified in this section of the Policy without the consent of the personal data subject, unless otherwise provided by Russian legislation.
4.5.8. The Operator does not carry out cross-border transfers of personal data of counterparties and clients for the purpose specified in this section of the Policy.
4.5.9. The processing and storage periods for personal data for the purpose specified in this section of the Policy are established for the term of the agreement with the client and for 5 (five) years after the termination of such agreement.
4.6. Processing personal data for the purpose of offering and promoting its own products and brand on the market through marketing (advertising, PR) activities and sales promotion.
4.6.1. In accordance with this section of the Policy, the Operator determines the categories and list of personal data processed, the categories of subjects whose personal data is processed, the methods and timeframes for processing and storing such data, and the procedure for destroying personal data upon achieving the processing purpose or upon the occurrence of other legal grounds applicable to the purpose of "offering and promoting its own products and brand on the market through marketing (advertising, PR) activities and sales promotion."
4.6.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category(ies) of personal data subjects:
· the Operator's clients
· visitors to the Operator's Website
4.6.3. The Operator processes the following categories and list of personal data of clients and visitors for the purposes specified in this section of the Policy:
a) General (other) categories of personal data of clients and visitors are processed in accordance with the following list:
· Last name, first name, patronymic
· Contact phone number
· Email address
· Gender
b) Special categories of personal data of clients and visitors are not processed;
c) Biometric personal data of clients and visitors (information that characterizes a person's physiological and biological characteristics, based on which their identity can be established) is not processed.
4.6.4. The Operator performs mixed processing of personal data of clients and visitors for the purposes specified in this section of the Policy, including transmission over the internal network and transmission over the internet.
4.6.5. The list of actions performed by the Operator with the personal data of clients and visitors for the purposes specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, blocking, deletion, and destruction.
4.6.6. The processing of personal data of clients and visitors for the purposes specified in this section of the Policy is subject to prior consent.
4.6.7. The Operator does not disclose or distribute personal data of clients and visitors for the purposes specified in this section of the Policy to third parties without the consent of the personal data subject, unless otherwise provided by Russian Federation law.
4.6.8. The Operator does not transfer personal data of clients and visitors across borders for the purposes specified in this section of the Policy.
4.6.9. The processing and storage periods for visitors' personal data for the purposes specified in this section of the Policy are established from the moment the personal data of visitors is received until the purpose of processing the personal data is achieved—offering and promoting the Operator's products and brand on the market through marketing (advertising, PR) activities and sales promotion.
4.7. Processing personal data for the purpose of processing incoming requests from the Website.
4.7.1. In accordance with this section of the Policy, the Operator determines the categories and list of personal data processed, the categories of subjects whose personal data is processed, the methods and timeframes for processing and storing such data, and the procedure for destroying personal data upon achieving the processing purpose or upon the occurrence of other legal grounds applicable to the purpose of "processing incoming requests from the Website."
4.7.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category(ies) of personal data subjects:
· Visitors to the Operator's Website
4.7.3. The Operator processes the following categories and list of visitors' personal data for the purposes specified in this section of the Policy, including through the external personal data collection form (https://form.gle):
a) General (other) categories of visitors' personal data are processed in accordance with the following list:
· Last name, first name, patronymic
· Contact phone number
· Email address
b) Special categories of visitors' personal data are not processed;
c) Biometric personal data of visitors (information that characterizes a person's physiological and biological characteristics, based on which their identity can be established) is not processed.
4.7.4. The Operator performs mixed processing of visitors' personal data for the purposes specified in this section of the Policy, including transmission via the internal network and transmission via the internet.
4.7.5. The list of actions performed by the Operator with the personal data of visitors for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, blocking, deletion, and destruction.
4.7.6. The processing of visitors' personal data for the purpose specified in this section of the Policy is carried out subject to obtaining prior consent for such processing.
4.7.7. The Operator does not disclose to third parties or distribute visitors' personal data for the purpose specified in this section of the Policy without the consent of the personal data subject, unless otherwise provided by Russian Federation law.
4.7.8. The Operator does not carry out cross-border transfers of visitors' personal data for the purpose specified in this section of the Policy.
4.7.9. The processing and storage periods for visitors' personal data for the purpose specified in this section of the Policy are established from the moment the visitors' personal data is received until the purpose of processing the personal data is achieved—processing incoming requests from the Website.
4.8. Processing of personal data for the purpose of maintaining statistics of visits to the Website.
4.8.1. In accordance with this section of the Policy, the Operator determines the categories and list of personal data processed, the categories of subjects whose personal data is processed, the methods and timeframes for processing and storing it, and the procedure for destroying personal data upon achieving the purpose of processing or upon the occurrence of other legal grounds applicable to the purpose of "maintaining statistics of visits to the Website."
4.8.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category(ies) of personal data subjects:
· Visitors to the Operator's Website
4.8.3. The Operator processes the following categories and list of personal data of visitors for the purpose specified in this section of the Policy:
a) General (other) categories of personal data of visitors are processed in accordance with the following list:
· Information collected through metric programs
b) Special categories of personal data of visitors are not processed;
c) The processing of visitors' biometric personal data (information that characterizes a person's physiological and biological characteristics, based on which their identity can be established) is not performed.
4.8.4. The Operator performs mixed processing of visitors' personal data for the purpose specified in this section of the Policy, with transmission over the internal network and transmission over the internet.
4.8.5. The list of actions performed by the Operator with visitors' personal data for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), blocking, deletion, and destruction.
4.8.6. The processing of visitors' personal data for the purpose specified in this section of the Policy is carried out subject to obtaining prior consent for such processing.
4.8.7. The Operator does not disclose to third parties or distribute visitors' personal data for the purpose specified in this section of the Policy without the consent of the personal data subject, unless otherwise provided by Russian Federation law.
4.8.8. The content of visitors' consent must be specific, objective, informed, conscious, and unambiguous, i.e., contain information that allows for a clear conclusion regarding the purposes and methods of processing, specifying the actions performed with personal data, and the scope of personal data processed.
4.8.9. The Operator does not perform cross-border transfers of visitors' personal data for the purpose specified in this section of the Policy.
4.8.10. The processing and storage periods for visitors' personal data for the purpose specified in this section of the Policy are established from the moment the visitors' personal data is received until the purpose of personal data processing—maintaining Site visitor statistics—is achieved.

5. PROCEDURE FOR PROCESSING VISITORS' PERSONAL DATA USING COOKIES

5.1. Cookies transferred to the Data Subject's technical devices may be used to provide the Data Subject with personalized Website features, for personalized advertising displayed to the Data Subject, for statistical and research purposes, and to improve the Website's performance.
5.2. The Data Subject understands that the equipment and software they use to visit websites on the internet may have the ability to prohibit cookie operations (for all websites or for specific websites) and to delete previously received cookies.
5.3. The Operator reserves the right to establish that the provision of certain Website features is possible only if the Data Subject has consented to the acceptance and receipt of cookies.
5.4. The structure of a cookie, its content, and technical parameters are determined by the Operator and are subject to change without prior notice to the Personal Data Subject.
5.5. Counters placed on the Website or the Website application may be used to analyze the Personal Data Subject's cookies, to collect and process statistical information about the use of the Website, and to ensure the operability of the Website as a whole or its individual functions in particular. The technical parameters of the counters are determined by the Operator and are subject to change without prior notice to the Personal Data Subject.
5.6. The Operator uses the Yandex.Metrica software tool, the use of which allows it to identify unique visitors to the Website and generate information about their preferences and behavior on the Website.

6. PROCEDURE FOR COLLECTING AND STORING PERSONAL DATA

6.1. When collecting personal data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the Russian Federation.
6.2. Persons who have transferred information about another Personal Data Subject to the Operator, including through the Website, without the consent of the subject whose personal data was transferred, are liable in accordance with the legislation of the Russian Federation.
6.3. The Operator stores personal data in a form that allows identification of the personal data subject for no longer than required for the purposes of processing the personal data, unless the retention period for personal data is established by federal law or an agreement to which the Personal Data Subject is a party, beneficiary, or guarantor.
6.4. The Operator strictly adheres to the principles of data minimization and data processing timeframes. Processed personal data is subject to destruction in the following cases:
· the purposes of personal data processing have been achieved;
· consent to personal data processing has been revoked or consent to personal data processing has expired;
· the need to achieve the purposes of personal data processing is no longer necessary;
· the Operator is removed from the Unified State Register of Individual Entrepreneurs.
After the expiration of these periods, the Operator may process personal data if the processing is necessary for the Operator to comply with Russian Federation law.

7. PERSONAL DATA PROTECTION

7.1. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution, and other unauthorized actions, including:
· identifying threats to the security of personal data during its processing;
· adopting local regulations and other documents governing relations in the field of personal data processing and protection;
· appointing persons responsible for ensuring the security of personal data in the Operator's structural divisions and information systems;
· creating the necessary conditions for working with personal data;
· organizing the accounting of documents containing personal data;
· organizing work with information systems in which personal data is processed;
· storing personal data in conditions that ensure its security and prevent unauthorized access;
· organizes training for the Operator’s employees who process personal data.

8. UPDATING, CORRECTION, DELETION, AND DESTRUCTION OF PERSONAL DATA; RESPONSES TO REQUESTS FROM SUBJECTS FOR ACCESS TO PERSONAL DATA

8.1. Confirmation of the processing of personal data by the Operator, the legal grounds and purposes for which the personal data is processed, as well as other information specified in Part 7 of Article 14 of the Personal Data Law, shall be provided by the Operator to the Personal Data Subject or their representative upon request or upon receipt of a request from the Personal Data Subject or their representative within 10 (ten) business days of receipt of the request. The information provided shall not include personal data related to other Personal Data Subjects, unless there are legal grounds for disclosure of such personal data.
8.2. The request must contain:
· the number of the primary identity document of the personal data subject or their representative, the date of issue of this document, and the issuing authority;
· information confirming the personal data subject's relationship with the Operator (contract number, contract date, code word designation, and/or other information), or information otherwise confirming the processing of personal data by the Operator;
· the signature of the personal data subject or their representative.
8.3. The request may be submitted in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
8.4. If the personal data subject's request (appeal) does not contain all the necessary information in accordance with the requirements of the Law on Personal Data, or if the subject does not have the right to access the requested information, a reasoned refusal will be sent to them.
8.5. The right of a personal data subject to access their personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject's access to their personal data violates the rights and legitimate interests of third parties.
8.6. If inaccurate personal data is discovered upon the personal data subject's or their representative's request, or at their request, or at the request of Roskomnadzor, the Operator will block the personal data related to this personal data subject from the moment of such request or receipt of such request for the verification period, unless blocking the personal data violates the rights and legitimate interests of the personal data subject or third parties.
8.7. If the inaccuracy of personal data is confirmed, the Operator, based on information provided by the personal data subject or their representative or Roskomnadzor, or other necessary documents, will clarify the personal data within seven business days from the date of submission of such information and remove the block on the personal data.
8.8. Personal data shall be destroyed by the Operator in the following cases:
· the personal data processing objectives have been achieved;
· the personal data subject revokes their consent to the processing of their personal data;
· unlawful actions with personal data are detected, as well as in other cases stipulated by the current legislation of the Russian Federation.
8.9. If the personal data processing objectives have been achieved, the Operator undertakes to cease processing the personal data or ensure its cessation (if the personal data is processed by another person acting on the Operator's instructions) and to destroy the personal data or ensure their destruction (if the personal data is processed by another person acting on the Operator's instructions) within a period not exceeding thirty days from the date the personal data processing objectives have been achieved, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary, or guarantor, or by another agreement between the Operator and the personal data subject, or if the Operator is not entitled to process personal data without the consent of the personal data subject.
8.10. In the event that the personal data subject has withdrawn his consent to the processing of personal data, the Operator undertakes to cease their processing or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and, if the storage of personal data is no longer required for the purposes of processing personal data, to destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said revocation, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor, another agreement between the Operator and the personal data subject, or if the Operator does not have the right to process personal data without the consent of the personal data subject.
8.11. In the event of detection of unlawful processing of personal data carried out by the Operator or a person acting on the Operator's instructions, and the impossibility of ensuring the lawfulness of the personal data processing, the Operator undertakes to destroy such personal data or ensure its destruction within a period not exceeding ten business days from the date of detection of the unlawful processing of personal data. The Operator undertakes to notify the personal data subject or their representative of the destruction of personal data, and if the personal data subject's or their representative's request or the authorized body for the protection of the rights of personal data subjects were sent by the authorized body for the protection of the rights of personal data subjects, and also the said body.

9. FINAL PROVISIONS

9.1. The Operator may send advertising and informational messages to the Personal Data Subject via email, SMS, and push notifications only with prior consent to receive advertising in accordance with Part 1 of Article 18 of Federal Law No. 38-FZ "On Advertising" of March 13, 2006. Consent to receive advertising messages from the Operator via email, SMS, and push notifications is provided in writing or electronically by checking the appropriate box on the Website.
9.2. The Personal Data Subject may unsubscribe from receiving advertising messages by clicking the appropriate link in emails received from the Operator or by sending a notice of unsubscribing from receiving advertising messages to the support service at the Operator's registered office: 298318, Republic of Crimea, Kerch, st. Furmanova St., Building 10, Office 3, or by emailing the Operator at info@seapharma.ru.
9.3. Pursuant to Part 2 of Article 18.1 of the Law on Personal Data, this Policy is posted at the Operator's registered office and is publicly accessible on the Website.
9.4. The Operator reserves the right to amend this Policy. The new version shall take effect from the moment it is posted on the Website, unless otherwise provided in the new version of the Policy.