GENERAL POLICY ON PERSONAL DATA PROCESSING

1. This General Policy on Personal Data Processing (hereinafter – “Policy”) defines general requirements for the processing of personal data in OCT (as defined below).

2. Personal data means any information relating to an identified or identifiable natural person (‘data subject’).

3. The Policy applies to the group of companies OCT including “OCT Rus” Ltd., registered in Russia, “OCT Group” LLC, registered in the United States of America, “OCT Ukraine” LLC, registered in Ukraine, “OCT Baltic” SIA, registered in Latvia and “OCT Bulgaria” Ltd., registered in Bulgaria (referred herein – “OCT”).

4. Personal data processing is performed in a strict compliance with the international and local legislation of the countries of OCT presence and its customers’ presence.

5. OCT acknowledges and agrees to comply with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679)), as well as with the relevant legislation of the operating countries.

6. OCT develops and implements internal regulating documents concerning personal data processing.

7. Internal regulating documents specify the requirements for particular and/or for general data processing cases in accordance with applicable legislation.

8. Internal regulating documents are based on the provisions of this Policy and applicable legislation.

9. Internal regulating documents of OCT cannot contradict the General Data Protection Regulation (Regulation (EU) 2016/679)) and should primarily be aimed at protecting the rights and freedoms of the subject of personal data.

10. OCT does not collect or process data from persons under age of majority (18 years or more), except as provided by law.

11. All persons carrying out the processing of personal data must be familiarized with this Policy and internal regulating documents of OCT and act in strict compliance with their provisions.

12. OCT takes into account the difference in the legislation of the countries where personal data is processed, and always acts in the interests of the personal data subject.

13. OCT undertakes all possible legal, technical and organizational measures to protect personal data considering possible risks.

14. OCT commits to inform the subjects of personal data about the changes in this Policy in an accessible form by publishing information on OCT website.

15. OCT undertakes not to disclose personal data to third parties, except for cases determined by law of the operating countries and only on the basis of a written decision of courts or public authorities.

16. In order to protect the interests of personal data subjects OCT appoints data protection officers.

17. Subject of personal data has the right to communicate the data protection officer about the processing of his/her personal data.

18. OCT undertakes to secure the confidentiality of applications of personal data subjects as well as impartiality and independence in considering each request.