1. This Policy defines the general principles and procedure for personal data processing of Westlegal Company (hereinafter - the "Company") and measures to ensure their security.
2. The Company is a personal data processor with respect to the personal data of the following individuals: employees of the Company; applicants for vacant positions of the Company; counterparties of the Company; visitors to the sites:
www.westlegal.ru,
www.westlegal.su.
3. Personal data are processed by the Company in accordance with the following principles:
3.1. Lawfulness and equitable basis of personal data processing.
3.2. Limiting the processing of personal data to the achievement of specific predetermined and legitimate goals:
- The purpose of processing is development, conclusion and execution of civil contracts;
- Categories of personal data include surname, first name, patronymic, year of birth, month of birth, date of birth, place of birth, gender, email address, residential address, registration address, phone number, TIN, citizenship, identity document details, bank card details, current account number, personal account number, position;
- Categories of data subjects include Counterparties, Representatives of counterparties, Clients, Beneficiaries under contracts;
- Legal basis - with the consent of a personal data subject to the processing of its personal data;
- List of personal data processing operations - Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion and Destruction.
3.3. Processing of solely the personal data that meet the previously established purposes of their processing. Preventing the processing of personal data that is incompatible with the purposes of personal data collection, as well as those excessive in relation to the stated purposes of their processing.
3.4. Preventing the consolidation of databases that contain the personal data processed for the purposes incompatible with each other.
3.5. Ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing.
3.6. Storage of personal data in a form that allows a personal data subject to be identified, no longer than is required by the purposes of personal data processing.
3.7. Destruction or depersonalization of personal data upon achievement of the stated purposes of their processing or in case of no further need to achieve these goals, if it is impossible for the Company to remedy violations of the procedure for personal data processing as established by the laws of the Russian Federation, revocation of the subject’s consent to personal data processing.
4. Processing of personal data by the Company is allowed upon availability of the personal data subject’s consent to the processing of its personal data.
5. Methods of personal data processing - the Company processes personal data mainly without using automation tools.
6. Measures to ensure security of personal data during their processing without the use of automation tools:
6.1. The personal data processed without using automation tools should be processed in such a way as to ensure that it is possible to determine the storage locations of personal data (physical media) in relation to each category of personal data and establish a list of persons processing the personal data or having access to them.
6.2. It is necessary to ensure separate storage of personal data (physical media) that are processed for different purposes.
6.3. The physical media must be stored in compliance with the conditions ensuring the security of personal data and eliminating the risk of unauthorized access to them.
7. The Company ensures the confidentiality of the personal data processed in accordance with the procedure provided for by the applicable law of the Russian Federation.
8. The personal data subject decides to provide its personal data to the Company and consent to their processing voluntarily and in its own interests. The consent to the processing of personal data should be specific and informed and can be provided by the subject in any form that allows the fact of its receipt to be confirmed, including by confirming one’s consent in electronic form on the Company's websites.
9. Information about implemented requirements for the protection of personal data:
- appointment of the person responsible for the personal data management;
- internal supervision and (or) audit of compliance of personal data processing with the requirements of the laws and the Privacy Policy;
- limitation of the number of the Company’s employees who have access to personal data and arrangement of authorization system providing access to them;
- familiarization of the Company's employees with the provisions of the personal data laws of the Russian Federation and this Policy;
- arrangements for management and storage of physical media including personal data, ensuring the prevention of their theft, substitution, unauthorized copying and destruction;
- restriction of the admission of unauthorized persons to the Company's premises, their non-admission to the premises where personal data is processed and technical processing means are placed, uncontrolled by the Company's employees;
- development of a threat model-based system of personal data protection that ensures the determined levels of personal data security;
- registration and recording of actions with personal data of users of the information systems involving the personal data processing;
- detection of malicious software (application of antivirus programs) on all sites of the Company's information network system that provide the appropriate technical capability;
- secure internetworking (application of firewalling).
10. Officials and employees of the Company found guilty of violating the norms governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in accordance with the applicable law of the Russian Federation.