Disclaimer: This translation is for informational purposes only and is not a legal document.
For the official Privacy Policy in Russian, please refer to
the legal document in its original language.
APPROVED
as amended
By the Order No. 143
of the Chairman of the Board
at Bank 131, JSC
dated June 02, 2025
Policy
regarding personal data processing at Bank 131, JSC
TABLE OF CONTENTS
- 1. TERMS AND DEFINITIONS
- 2. GENERAL PROVISIONS
- 3. LEGAL BASIS FOR PERSONAL DATA PROCESSING
- 4. PURPOSES OF COLLECTION AND PERSONAL DATA PROCESSING. SIZE AND CATEGORIES OF PERSONAL DATA PROCESSED. CATEGORIES OF PERSONAL DATA SUBJECTS
- 5. TERMS AND CONDITIONS FOR PERSONAL DATA PROCESSING
- 6. ORGANIZATION OF PERSONAL DATA SECURITY
- 7. PERSONAL DATA PROCESSING
- 8. UPDATING, CORRECTION, DELETION, DESTRUCTION OF PERSONAL DATA, RESPONSES TO SUBJECTS’ REQUESTS FOR ACCESS TO PERSONAL DATA
- 9. FINAL PROVISIONS
1. TERMS AND DEFINITIONS
PDIS Administrator is an employee of the Bank who ensures the correct functioning of PDIS, is responsible for stable operability of PDIS elements when processing personal data, and also provides and delimits access of PDIS users to elements storing personal data.
Automated Personal Data Processing is personal data processing using computer technology.
Analytical Service is a web analytics tool that allows tracking and studying user behavior on Bank websites in the information and telecommunications network "Internet".
Bank, Bank 131, JSC, is a personal data operator that independently or jointly with other persons organizes and (or) processes personal data, as well as determines purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data.
Blocking of Personal Data is a temporary suspension of personal data processing (except for cases where the processing is necessary to clarify personal data).
Personal Data Information System (PDIS) is a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Confidentiality of Personal Data is non-disclosure to third parties and non-distribution of personal data without the consent of personal data subject by operators and other persons who have access to personal data, unless otherwise provided by Federal Law No. 152-FZ.
Depersonalization of Personal Data is actions as a result of which it becomes impossible, without the use of additional information, to attribute personal data to a specific personal data subject.
Personal Data Processing is any action (operation) or set of actions (operations) performed with personal data using automation tools or without use of such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Personal Data Operator (operator) is a state body, municipal body, legal entity or individual, who independently or jointly with other persons organizes and (or) processes personal data, as well as determines purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data.
Data Processing Officer is an employee of the Bank appointed by order of the Chairman of the Board as responsible for organizing personal data processing.
Personal Data (PD) is any information relating to a directly or indirectly identified or identifiable individual (personal data subject).
Personal data permitted by personal data subject for distribution - personal data, access to which is provided by personal data subject to an unlimited number of persons by giving consent to the personal data processing permitted by personal data subject for distribution in the manner prescribed by Federal Law No. 152-FZ.
Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain scope of persons.
Dissemination of personal data - actions aimed at disclosing personal data to an indefinite scope of persons.
Cross-border transfer of personal data is transfer of personal data to the territory of a foreign state to an authority of a foreign state, foreign individual or foreign legal entity.
Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material media of personal data are destroyed.
Cookies are small pieces of data that contain information about the user and his/her actions on the site. The data is used to identify the device, to personalize the experience of interacting with the site and to offer information based on previous interactions with the site.
Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the authorized body for protection of the rights of personal data subjects in the Russian Federation.
2. GENERAL PROVISIONS
2.1 This Policy regarding personal data processing in Bank 131, JSC (hereinafter referred to as the Policy) has been developed in compliance with the requirements of paragraph 2 of Part 1 of Article 18.1 of the Federal Law No. 152-FZ "On Personal Data" dated 27/07/2006 (hereinafter referred to as Federal Law No. 152-FZ) in order to ensure protection of the rights and freedoms of a person and citizen when processing his/her personal data in the Bank, including protection of the rights to privacy, personal and family secrets.
2.2 The Policy defines basic rights and obligations of the Bank and personal data subjects, purposes of personal data processing, legal grounds for personal data processing, categories of personal data processed, categories of personal data subjects, procedure and conditions for personal data processing, as well as measures to ensure personal data security during their processing, used by the Bank.
2.3 This Policy applies to all personal data processed by the Bank.
2.4 The provisions of the Policy are mandatory for all employees of the Bank directly involved in personal data processing.
2.5 Based on the order of the Federal Service for Supervision of Communications, Information Technology, and Mass Media, the Bank is included in the register of operators processing personal data.
2.6 The Policy is the fundamental internal document of the Bank regulating the general provisions regarding personal data processing and, in compliance with the requirements of Part 2 of Article 18.1 of Federal Law No. 152-FZ, this Policy is published in the public domain on the information and telecommunications network "Internet" on the official websites of the Bank: https://www.131.ru/, https://dengi.ru/ru.
3. LEGAL BASIS FOR PERSONAL DATA PROCESSING
3.1 Legal basis for personal data processing, pursuant to which and in accordance with which the Bank processes personal data, is a set of regulatory legal acts, internal documents of the Bank, as well as other documents, including:
- Constitution of the Russian Federation;
- Labor Code of the Russian Federation;
- Civil Code of the Russian Federation;
- Tax Code of the Russian Federation;
- Federal Law No. 115-FZ "On Countering the Legalization (Laundering) of Proceeds from Crime and Financing of Terrorism" dated 07/08/2001 (hereinafter referred to as Federal Law No. 115-FZ);
- Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" dated 27/07/2006 (hereinafter referred to as Federal Law No. 149-FZ);
- Federal Law No. 161-FZ "On the National Payment System" dated 27/06/2011;
- Federal Law No. 27-FZ "On Individual (Personalized) Accounting in the System of Compulsory Pension Insurance and Compulsory Social Insurance" dated 01/04/1996;
- Federal Law No. 39-FZ "On the Securities Market" dated 22/04/1996;
- Federal Law No. 138-FZ "On Citizenship of the Russian Federation" dated 28/04/2023;
- Federal Law No. 173-FZ "On Currency Regulation and Currency Control" dated 10/12/2003;
- Federal Law No. 63-FZ "On Electronic Signature" dated 06/04/2011;
- Federal Law No. 208-FZ "On Joint-Stock Companies" dated 26/12/1995;
- Federal Law No. 125-FZ "On Archival Affairs in the Russian Federation" dated 22/10/2004;
- Law of the Russian Federation No. 2300-1 "On Protection of Consumer Rights" dated 07/02/1992;
- Federal Law No. 167-FZ "On Compulsory Pension Insurance in the Russian Federation" dated 15/12/2001;
- Federal Law No. 402-FZ "On Accounting" dated 06/12/2011;
- Order of the Ministry of Labor of Russia No. 320н "On approval of the form, procedure for maintaining and storing work record books" dated 19/05/2021;
- Instruction of the Bank of Russia No. 1486-U "On qualification requirements for special officials responsible for compliance with internal control rules in order to counter the legalization (laundering) of proceeds from crime and the financing of terrorism and programs for its implementation at credit institutions" dated 09/08/2004;
- Instruction of the Bank of Russia No. 4662-U "On the Qualification Requirements for the Head of the Risk Management Service, Internal Control Service and Internal Audit Service of a Credit Institution, Person Responsible for Organizing the Risk Management System, and Controller of a Non-State Pension Fund, Auditor of Insurance Organization, on the Procedure for Notifying the Bank of Russia of the Appointment to the Position (On the Dismissal from the Position) of the Said Persons (With the Exception of the Controller of a Non-State Pension Fund), Special Officials Responsible for the Implementation of Internal Control Rules for the Purpose of Countering the Legalization (Laundering) of Criminally Obtained Incomes and the Financing of Terrorism of a Credit Institution, Non-State Pension Fund, Insurance Organization, Management Company of Investment Funds, Mutual Investment Funds and Non-State Pension Funds, Microfinance Company, Employee of the Internal Control Service of the Management Company of Investment Funds, Mutual Investment Funds and Non-State Pension Funds, as well as on the Procedure for Assessing the Compliance of the Said Persons by the Bank of Russia (with the Exception of Controller of a Non-State Pension Fund) qualification requirements and requirements for business reputation" dated 25/12/2017;
- Federal Law No. 395-1 "On banks and banking activities" dated 02/12/1990, other federal laws and legal acts adopted on their basis, regulating relations involved in the activities of the Bank;
- Bank Charter;
- Basic license for banking operations No. 3538 (issued by the Bank of Russia on 29/11/2024);
- consent of subjects to personal data processing (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the powers of the Operator);
- agreements concluded between the Bank and personal data subjects;
- agreements where the party as personal data subject is a beneficiary or guarantor;
- agreements concluded between the Bank and third parties, where the Bank is the person processing personal data on behalf of the Operator;
- execution of the rights and legitimate interests of the Bank and third parties.
4. PURPOSES OF COLLECTION AND PERSONAL DATA PROCESSING. SIZE AND CATEGORIES OF PERSONAL DATA PROCESSED. CATEGORIES OF PERSONAL DATA SUBJECTS
4.1 Personal data processing by the Bank is limited to achieving specific, predetermined and legitimate purposes.
4.2 Personal data processing that is incompatible with the purposes of personal data collection is not permitted.
4.3 Content and volume of personal data processed by the Bank should correspond to the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing.
4.4 The categories of personal data subjects are defined by the internal documents of the Bank, including:
- Bank employees, dismissed employees, applicants, relatives of employees;
- clients and counterparties of the Bank (individuals), beneficiaries under contracts, including those who have provided consent to the cross-border transfer of personal data;
- representatives/employees of clients and counterparties of the Bank, legal representatives (of legal entities);
- members of the Board of Directors of the Bank, members of the Board of the Bank;
- website visitors;
- other categories of personal data subjects whose personal data are processed by the Bank.
4.5 The purposes of personal data processing are defined by the internal documents of the Bank, including:
- ensuring compliance with the labor legislation of the Russian Federation;
- maintaining personnel and accounting records;
- ensuring compliance with the tax legislation of the Russian Federation;
- ensuring compliance with the pension legislation of the Russian Federation;
- ensuring compliance with the legislation of the Russian Federation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism;
- voluntary health insurance;
- promotion of goods, works, services on the market;
- ensuring access control to the territory of the Bank;
- recruitment of personnel (applicants) for vacant positions in the Bank;
- concluding any agreements with personal data subjects, including as representatives of a legal entity;
- concluding and fulfilling contractual obligations;
- filling out forms on the Bank website (feedback, applications for banking services whose processing requires contact with the applicant, etc.).
4.6 The Bank has developed internal documents on personal data processing, including those defining categories and list of personal data processed for each purpose of personal data processing, categories of subjects whose personal data are processed, methods and terms of their processing and storage, procedure for destruction of personal data upon achieving the purposes of their processing or upon occurrence of other legal grounds.
4.7 The Bank does not process special categories of personal data related to race, political views, nationality, religious or philosophical beliefs, or intimate life.
4.8 The Bank processes special categories of personal data related to the health status and criminal record of individuals in cases stipulated by the legislation of the Russian Federation and Bank internal documents and in the presence of legal grounds stipulated by Federal Law No. 152-FZ.
4.9 The Bank does not process biometric personal data.
5. TERMS AND CONDITIONS FOR PERSONAL DATA PROCESSING
5.1 The Bank collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes, destroys personal data of personal data subjects.
5.2 Personal data is processed with the consent of the personal data subject to the processing of his/her personal data, as well as without it in cases stipulated by Article 6 of Federal Law No. 152-FZ. Requirements for the content of consent to personal data processing permitted by the personal data subject for distribution are established by Roskomnadzor.
5.3 Personal data provided by personal data subjects is processed by the Bank for each processing purpose specified in clause 4.5 of the Policy, as follows:
- non-automated personal data processing;
- automated personal data processing with or without transfer of the received information via information and telecommunications networks;
- mixed personal data processing.
5.4 The term and condition for termination of personal data processing by the Bank is the achievement of the goals of personal data processing or the loss of the need to achieve them, expiration of the agreement / consent or revocation of the consent of personal data subject to process his/her personal data, expiration of the periods stipulated by federal laws and other acts of the Russian Federation, as well as detection of illegal personal data processing, termination of Bank activities as a legal entity (liquidation, reorganization).
5.5 If the personal data subject revokes their consent to process their personal data, the Bank shall cease their processing (ensure termination of such processing if the personal data is processed by another person on behalf of the Bank) and, if storage of personal data is no longer required for the purposes of personal data processing, destroy the personal data (ensure their destruction if the personal data is processed by another person on behalf of the Bank) within a period not exceeding 30 (thirty) days from the date of receipt of such revocation, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor, or by another agreement between the Bank and the personal data subject, or if the Bank is not entitled to process personal data without consent of the personal data subject on the grounds provided for by Federal Law No. 152-FZ or other federal laws.
5.6 The Bank shall store personal data in a form that allows identifying the personal data subject for no longer than required for the purposes of personal data processing, unless the storage period of personal data is established by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor. The processed personal data shall be subject to destruction or depersonalization upon achieving the processing purposes or in case of loss of the need to achieve these purposes, unless otherwise provided by federal law.
5.7 The storage periods of personal data are generally determined by the Bank in accordance with the requirements of the legislation of the Russian Federation (labor, pension, tax, accounting, etc.), the periods established by Order of the Federal Archival Agency No. 236 "On approval of the List of standard management archival documents generated in the course of activities of state bodies, local governments and organizations, indicating the periods of their storage" dated 20/12/2019, and the limitation period for mutual claims of the Bank and the personal data subject. The storage period of personal data processed in personal data information systems corresponds to the storage period of personal data on paper media.
5.8 The Bank has the right to entrust personal data processing to another person with the consent of the personal data subject, unless otherwise provided by Federal Law, on the basis of an agreement concluded with this person. The person processing personal data on behalf of the Bank is obliged to comply with the principles and rules for processing personal data provided for by Federal Law No. 152-FZ, maintain the confidentiality of personal data, and take necessary measures aimed at ensuring the fulfillment of the obligations provided for by Federal Law No. 152-FZ. Bank instruction shall define the list of personal data, list of actions (operations) with personal data that will be performed by the person processing personal data, purposes of their processing, establish obligation of such person to maintain confidentiality of personal data, requirements provided for in Part 5 of Article 18 and Article 18.1 of Federal Law No. 152-FZ, obligation, at the request of the Bank during the term of the instruction, including before personal data processing, to provide documents and other information confirming the adoption of measures and compliance with the requirements established in accordance with Federal Law No. 152-FZ for the purpose of executing Bank instruction, obligation to ensure the security of personal data during their processing, and also specify the requirements for the protection of the personal data being processed in accordance with Article 19 of Federal Law No. 152-FZ, including the requirement to notify the Bank of the cases provided for in Part 3.1 of Article 21 of Federal Law No. 152-FZ. If the Bank entrusts personal data processing to a foreign individual or a foreign legal entity, the Bank and the person processing the personal data on behalf of the Operator shall be liable to the subject of the personal data for the actions of the said persons.
5.9 The Bank shall prohibit making decisions based solely on the automated personal data processing that give rise to legal consequences in relation to personal data subject or otherwise affect his/her rights and legitimate interests, except in cases and under conditions stipulated by the legislation of the Russian Federation.
5.10 The Bank shall transfer personal data to government agencies and authorized legal entities and individuals within the scope of their powers and competence on the grounds stipulated by the current legislation of the Russian Federation. The list of third parties that process personal data on the basis of agreements concluded by them with the Bank, consents of the personal data subjects, is posted on the official websites of the Bank.
5.11 When collecting personal data, including via the Internet, the Bank shall ensure recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases stipulated by the legislation of the Russian Federation.
5.12 In the course of its activities, the Bank shall have the right to carry out cross-border transfer of personal data in the manner and in accordance with the requirements of Federal Law No. 152-FZ and international agreements of the Russian Federation.
5.13 The Bank shall process personal data for the purpose of promoting goods, works, and services on the market through direct contacts with the personal data subject using communication facilities only subject to the prior consent of the personal data subject. In this case, evidence of such consent shall be provided.
5.14 The Bank may collect and perform other actions to process personal data using Bank websites on the Internet.
5.15 Personal data processing on Bank websites in the information and telecommunications network “Internet” is carried out if there are legal grounds, and can also be done using Analytical Services.
6. ORGANIZATION OF PERSONAL DATA SECURITY
6.1 Only those employees of the Bank whose job responsibilities require personal data processing are allowed to process personal data. These employees have the right to process only the personal data that they need to perform their job responsibilities.
6.2 The Bank ensures the confidentiality of the personal data of the personal data subject, and also ensures the use of personal data exclusively for purposes consistent with Federal Law No. 152-FZ, contract or other agreement concluded with the personal data subject.
6.3 When processing personal data, the Bank takes the necessary legal, organizational and technical measures and ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.
6.4 The Bank ensures personal data security, in particular:
- by identifying threats to personal data security when processing them in PDIS;
- by applying organizational and technical measures to ensure personal data security when processing them in PDIS, necessary to meet the requirements for personal data protection, which implementation ensures levels of personal data protection established by the Government of the Russian Federation;
- by applying information security tools that have undergone the established procedure for assessing the compliance of information security tools, including use of information destruction tools for personal data destruction that have undergone the established procedure for assessing the compliance of information security tools, which include the information destruction function;
- by assessing effectiveness of measures taken to ensure personal data security before putting PDIS into operation;
- by accounting for machine-readable media containing personal data;
- by detecting instances of unauthorized access to personal data and taking measures, including measures to detect, prevent and eliminate consequences of computer attacks on personal data information systems and to respond to computer incidents there;
- by restoration of personal data modified or destroyed as a result of unauthorized access to them;
- by establishment of rules for access to personal data processed in PDIS, as well as ensuring registration and accounting of all actions performed with personal data in PDIS;
- by control over measures taken to ensure personal data security and PDIS protection level;
- by appointment of a data processing officer;
- by issuance of documents defining Bank policy regarding personal data processing, internal regulatory documents defining categories and list of personal data to be processed for each purpose of personal data processing, categories of subjects whose personal data are processed, methods and terms of their processing and storage, procedure for personal data destruction upon achieving purposes of their processing or upon occurrence of other legal grounds, as well as internal regulatory documents establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating consequences of such violations;
- by implementation of internal control and (or) audit of compliance of personal data processing with Federal Law No. 152-FZ, regulatory legal acts adopted in accordance with it, requirements for personal data protection, Bank Policy regarding personal data processing, internal regulatory documents of the Bank;
- by assessment of the harm in accordance with the requirements established by Roskomnadzor, which may be caused to personal data subjects in case of a violation of Federal Law No. 152-FZ, ratio of the said harm and measures taken by the Operator aimed at ensuring the fulfillment of the obligations stipulated by Federal Law No. 152-FZ;
- by familiarizing Bank employees directly involved in personal data processing with the provisions of the legislation of the Russian Federation on personal data, including the requirements for personal data protection, this Policy, Bank internal regulatory documents on personal data processing and (or) training of the said employees.
6.5 Personal data processing by the Bank, done without the use of automation tools, is carried out in compliance with the procedure stipulated by the Decree of the Government of the Russian Federation No. 687 "On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools" dated 15/09/2008, as follows:
- for each category of personal data subjects, storage locations for personal data (material carriers) are determined and a list of persons processing personal data or having access to them is established;
- separate storage of personal data (material media), which processing is carried out for various purposes, is ensured, and when storing material media, conditions ensuring personal data safety and excluding unauthorized access to them are observed;
- a list of measures necessary to ensure such conditions, procedure for their adoption, as well as a list of persons responsible for the implementation of these measures, are established by the Bank.
6.6 Information security tools for personal data protection system are chosen by the Bank in accordance with the regulatory legal acts adopted by the Federal Security Service of the Russian Federation and the Federal Service for Technical and Export Control pursuant to Part 4 of Article 19 of Federal Law No. 152-FZ.
7. PERSONAL DATA PROCESSING
7.1 When the personal data subject uses the official websites of the Bank (https://www.131.ru/, https://dengi.ru/ru), the Bank processes their user data.
7.2 User data includes technical data transmitted by the device, including: IP address, information stored in Cookies, information about the browser and language used, the operating system on the device, number of pages viewed, date, time and duration of stay on the site, actions on the site, requests that the subject used when switching to the site, pages where transitions were made from, information about the mobile device, including device identifier, session identifier, information about the subject's online actions using the website and any other technical information transmitted by the subject's device that does not allow for the unambiguous identification of the user or a specific individual.
7.3 User data content processed on the websites may differ depending on the device used and the software on the subject's device.
7.4 User data is processed, among other means, using Cookies.
7.5 User data is processed for the following purposes:
- ensuring full functioning, improving the work of Bank websites in the information and telecommunications network "Internet";
- authorization of users on Bank website as a registered user, to provide Bank services taking into account personal preferences and settings;
- providing targeted information about the Bank, its products and services;
- improving products and services, developing new products and services of the Bank;
- creating a list of interests, demonstrating Internet content to the user;
- conducting statistical, marketing and other research, including studying (analyzing) user behavior (experience) and the reasons for its change.
7.6 For the above purposes, the Bank has the right to use third-party Analytical Services. On Bank websites, user data may be processed using the Analytical Services of Yandex.Metrika, VK Advertising and others. The owners of the Analytical Services are solely responsible for processing of the data they receive.
7.7 Cookies can be managed independently. The browser and/or device used may allow you to block, delete or otherwise limit the use of Cookies. To manage Cookies, follow the instructions provided by the browser developers and/or device manufacturers.
8. UPDATING, CORRECTION, DELETION, DESTRUCTION OF PERSONAL DATA, RESPONSES TO SUBJECTS’ REQUESTS FOR ACCESS TO PERSONAL DATA
8.1 In accordance with the legislation of the Russian Federation, the Bank may receive requests from personal data subjects or their representatives regarding their personal data processing.
8.2 Confirmation of the fact of personal data processing by the Bank, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of Federal Law No. 152-FZ, are provided by the Bank to the personal data subject or his/her representative free of charge within 10 (ten) business days from the date of the request or receipt of the request of the personal data subject or his/her representative. This period may be extended, but not more than by 5 (five) business days. To do so, the Bank shall send the personal data subject a reasoned notice stating the reasons for extending the deadline for providing the requested information. The information provided shall not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.
8.3 The recommended form of a request from personal data subjects to obtain information regarding personal data processing is provided in Appendix No. 1 to this Policy.
8.4 The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with Federal Law No. 63-FZ "On Electronic Signature" dated 06/04/2011.
8.5 The Bank shall provide the information specified in Part 7 of Article 14 of Federal Law No. 152-FZ to the personal data subject or his/her representative in the same form in which the relevant request or appeal was sent, unless otherwise specified in the request or appeal.
8.6 If the personal data subject's request (appeal) does not contain all the necessary information in accordance with the requirements of Federal Law No. 152-FZ, or the subject does not have the right to access the requested information, a reasoned refusal shall be sent to the subject within 10 (ten) business days from the date of the personal data subject's or their representative's request or from the date of receipt of the personal data subject's or their representative's request. The specified period may be extended, but not more than by 5 (five) business days, if the Bank sends a reasoned notice to the personal data subject stating the reasons for extending the period for providing the requested information.
8.7 The right of the personal data subject to access his/her personal data may be limited in accordance with Part 8 of Article 14 of Federal Law No. 152-FZ, including if the personal data subject's access to his/her personal data violates the rights and legitimate interests of third parties.
8.8 If inaccurate personal data is discovered upon an application by the personal data subject or his/her representative or at their request or at the request of Roskomnadzor, the Bank shall block the personal data related to this personal data subject from the moment of such application or receipt of the said request for the verification period, unless blocking the personal data violates the rights and legitimate interests of the personal data subject or third parties. If the fact of inaccuracy of personal data is confirmed, the Bank, on the basis of information provided by the personal data subject or his/her representative or Roskomnadzor, or other necessary documents, shall clarify the personal data within 7 (seven) business days from the date of submission of such information and shall lift the blocking of the personal data.
8.9 If unlawful personal data processing is discovered upon an application (request) by the personal data subject or his/her representative or Roskomnadzor, the Bank shall block the unlawfully processed personal data related to this personal data subject from the moment of such application or receipt of the request.
8.10 If the Bank, Roskomnadzor or another interested party discovers an unlawful or accidental transfer (provision, distribution) of personal data (access to personal data) that has resulted in a violation of the rights of personal data subjects, the Data Processing Officer:
- within 24 hours: notifies Roskomnadzor of the incident that has occurred, alleged causes that resulted in a violation of the rights of personal data subjects, alleged harm caused to the rights of personal data subjects, and measures taken to eliminate the consequences of the incident, and also provides information about the person authorized by the Bank to interact with Roskomnadzor on issues related to the incident;
- within 72 hours: notifies Roskomnadzor of the results of internal investigation of the incident identified and provides information about the persons whose actions caused it (if any).
8.11 The Bank shall provide Roskomnadzor, at its request, with the necessary information within 10 (ten) business days from the date of receipt of such request. The specified period may be extended, but by no more than 5 (five) business days, if the Bank sends a reasoned notice to Roskomnadzor stating the reasons for extending the period for providing the requested information.
8.12 In case of a change in the information specified in Part 3 of Article 22 of Federal Law No. 152-FZ, the Bank shall notify Roskomnadzor of all changes that occurred during the specified period no later than the 15th day of the month following the month when such changes occurred. In case of termination of personal data processing, the Bank shall notify Roskomnadzor of it within 10 (ten) business days from the date of termination of personal data processing.
If a personal data subject applies to the Bank with a request to stop processing personal data, the Bank is obliged, within a period not exceeding 10 (ten) business days from the date of receipt by the Bank of the relevant request, to stop their processing or ensure the termination of such processing (if such processing is carried out by the person processing the personal data), except for the cases provided for in paragraphs 2-11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of Federal Law No. 152-FZ. The specified period may be extended, but not more than by 5 (five) business days if the Bank sends to the personal data subject a reasoned notice indicating the reasons for extending the period for providing the requested information.
8.13 If the personal data subject revokes their consent to their personal data processing, the Bank shall be obliged to stop processing them or ensure that such processing is terminated (if the personal data are processed by another person acting on behalf of the Bank) and, if the storage of personal data is no longer required for the purposes of processing the personal data, to destroy the personal data or ensure that they are destroyed (if the personal data are processed by another person acting on behalf of the Bank) within a period not exceeding 30 (thirty) days from the date of receipt of such revocation, unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor, or by another agreement between the Bank and the personal data subject, or if the Bank is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by this Federal Law or other federal laws.
8.14 Procedure for the destruction of personal data by the Bank.
8.14.1 Conditions for the destruction of personal data by the Bank:
- achievement of the purposes of personal data processing;
- loss of need to achieve the purposes of personal data processing;
- expiration of the consent validity period or revocation by the personal data subject of consent to personal data processing, unless otherwise provided by the agreement to which the personal data subject is a party, beneficiary or guarantor, or by another agreement between the Bank and the personal data subject, or if the Bank does not have the right to process personal data without the consent of the personal data subject on the grounds provided for by federal law;
- expiration of the period established by the agreement to which the subject of personal data is a party, beneficiary or guarantor, if the Bank does not have the right to process personal data without the consent of the personal data subject on the grounds provided for by federal law;
- expiration of the period for processing personal data or the period for storing documents containing personal data, provided for by federal laws and other regulatory legal acts of the Russian Federation;
- establishing the fact that the personal data being processed is incomplete, inaccurate, outdated, and there is no possibility to update it;
- detection of unlawful personal data processing (in this case, the Bank, within a period not exceeding 3 (three) business days from the date of such detection, shall cease unlawful personal data processing or ensure that the person acting on its instructions ceases unlawful personal data processing and, if it is impossible to ensure the legality of personal data processing, shall destroy the personal data or ensure that the person acting on its instructions destroys the personal data within a period not exceeding 10 (ten) business days from the date of detection of unlawful personal data processing, including at the request of Roskomnadzor).
8.14.2 Personal data shall be destroyed by a commission created by the order of the Chairman of the Board of the Bank.
8.14.3 Personal data destruction in cases stipulated by this section of the Policy is confirmed in accordance with the requirements established by the order of Roskomnadzor.
8.14.4 Methods of destruction of personal data are established by the internal regulatory documents of the Bank.
9. FINAL PROVISIONS
9.1 The Policy shall enter into force on the date of its approval by order of the Chairman of the Board of the Bank.
9.2 If individual clauses of the Policy conflict with legislative acts, regulatory documents of the Bank of Russia, regulatory documents of other regulators and the Charter of the Bank, these clauses lose their legal force, and the Policy shall apply to the extent that they do not conflict with legislative acts, documents of regulators and the Charter of the Bank.
9.3 The Policy shall be reviewed on a regular basis, but at least once every three years.
9.4 The Policy shall be reviewed in case of changes in the legislation of the Russian Federation, regulatory and administrative documents affecting the area of this Policy.
9.5 The Information Security Service of the Security Department of the Bank is responsible for reviewing the Policy.
9.6 From the date of this Policy approval, the Policy for personal data processing in LLC “Bank 131”, approved by order of the Chairman of the Board of the Bank No. 159 dated 19/09/2023, shall cease to be in force.
9.7 This Policy is a publicly available document and should be posted on the official website of the Bank: https://www.131.ru/, https://dengi.ru/ru.
Appendix No. 1
to the Personal Data
Processing Policy of Bank 131, JSC
Recommended form of a request from personal data subjects to obtain information regarding personal data processing
To the Chairman of the Board
of Bank 131, JSC
(Applicant’s full name)
Address:
Identity document
series _________ number ____________
issued (by, date)___________________
________________________________
REQUEST
In accordance with Article 14 of the Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter referred to as Federal Law No. 152-FZ), I ask Bank 131, JSC as Operator to provide information regarding the processing of my personal data (personal data of the person represented).
Processed within
(number, date of the agreement or information otherwise confirming the fact of personal data processing by the Operator)
which is confirmed by
(information confirming participation of the personal data subject in relations with the Operator)
I ask to provide the following information:
- 1) confirmation of the fact of personal data processing by Bank 131, JSC;
- 2) legal grounds and purposes of personal data processing;
- 3) purposes and methods of personal data processing used by Bank 131, JSC;
- 4) name and location of Bank 131, JSC, information about persons (except for employees of Bank 131, JSC) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with Bank 131, JSC or based on federal law;
- 5) processed personal data related to the relevant personal data subject, source of their receipt, unless a different procedure for presenting such data is provided for by federal law;
- 6) terms of personal data processing, including periods of their storage;
- 7) procedure for the personal data subject to exercise the rights provided for by Federal Law No. 152-FZ;
- 8) information about completed or intended cross-border data transfer;
- 9) name or surname, first name, patronymic and address of the person processing personal data on behalf of Bank 131, JSC, if the processing has been or will be assigned to such a person;
- 10) information on the methods by which Bank 131, JSC fulfills the obligations established by Article 18.1 of Federal Law No. 152-FZ;
- 11) other information provided for by Federal Law No. 152-FZ or other federal laws.
If such information is missing, I ask you to notify me about it.
Please send your response to this request in writing to the above address within the time limits prescribed by law.
(Signature)
________________ ___, 20____
(Full name)