PERSONAL DATA PROCESSING AT OOO «DK RUS»

1 General Provisions
1.1. This Personal Data Processing and Protection Policy (hereinafter – the “Policy”) has been adopted and acting at DAIMLER KAMAZ RUS OOO (hereinafter – the “Company”) located at 47 Proizvodstvenniy proezd, Naberezhnye Chelny, 423800, the Republic of Tatarstan.

1.2. The Policy applied to personal data processing by the Company in the following cases:

• use of websites and mobile apps belonging to the Company ;
• any addressing the Company in any form, sending complaints, comments or remarks and sugges-tions;
• visiting offices and other premises of the Company;
• selling vehicles and other goods, carrying out works (including after-sales servicing of vehicles), rendering services (including information services using web services);
• interaction with contractors, business partners, Daimler Truck AG;
• in other cases.

1.3. Personal data owners processed in accordance with this Policy are:

• customers, potential customers of the Company and their representatives;
• contractors or business partners, potential contractors of the Company and their representatives and employees;
• other persons in the cases provided for in item 1.2 above.

1.4. The Company’s personal data processing principles are:

• personal data processing is performed on legal and fair grounds;
• personal data processing is limited to achievement of specific, predefined and legitimate purpos-es;
• personal data processing inconsistent with purposes of collecting personal data is prohibited;
• it is prohibited to combine databases containing personal data, processing of which is carried out for purposes inconsistent with each other;
• only personal data answering to purposes of their processing are subject to processing;
• content and scope of processed personal data are consistent with the stated purposes of pro-cessing. Excessiveness of processed personal data in relation to the stated purposes of their processing is prohibited;
• when processing personal data, accuracy and sufficiency of personal data shall be ensured, and, when necessary, their relevance for purposes of personal data processing; necessary measures are taken to delete or clarify incomplete or inaccurate personal data;
• storage of personal data is carried out in a way that allows to determine an owner of personal data, no longer than required by a purpose of personal data processing, unless a storage period for personal data is defined by a federal law, consent to personal data processing, or agreement, the owner of personal data is either a party, or beneficiary or the trustor to;
• processed personal data is destroyed after a purpose of processing is achieved or in case there is no further need to achieve these purposes, unless a federal law provides otherwise;
• processing of personal data is not used for causing property and / or moral harm to personal da-ta owners, or obstructions in exercising their rights and freedoms;
• other principles defined herein.
2 Scope and Purposes of Personal Data Processing
2.1. In compliance with the personal data processing principles, the Company has defined a scope of processed personal data and purposes of their processing.

In particular, but not limited to, the purposes of personal data processing at the Company in accordance herewith are:

• providing information (including advertising information), including, but not limited to, information on goods and services of the Company, availability of special offers, relevant campaigns, financial services related to purchase and use of goods and services, events, presentations;
• promotion of goods, works and services on a market via direct contacts;
• preparation and communication of price quotations for goods, services, and related financial ser-vices;
• performance of due diligence procedures, pre-contractual alignment, conclusion and execution of any contracts, as well as control of the correctness of conclusion/execution of transactions, in-cluding such for special programs, offers and campaigns;
• quality control of service and works rendering and sale of goods;
• organization of personal data owners’ participation in various events held by the Company;
• market research and other statistical studies, including studies of an index of satisfaction with quality of the goods and services provided, customer surveys;
• processing of potential reclamations and other complaints;
• management of interaction with customers, contractors and business partners including use and support of information systems, automated creation of draft contracts and other documents in specified systems;
• compliance with legal requirements and exercising of the Company’s rights and legal interests.

2.2. The scope and purposes of personal data processing comply with the requirements of the applicable legislation of the Russian Federation regarding personal data processing and protection.

2.3. When processing personal data, the Company pursues only those purposes that were defined prior to the start of data collection. Subsequent changes in purposes are possible only to a limited extent and are subject to justification and notification of the owner of personal data of this.

2.4. The specific scope and purposes of personal data processing are documented and communicated to a personal data owner at the moment of personal data collection in a way and manner consistent with an origin of receipt and grounds for processing of such personal data (e.g. a consent to personal data pro-cessing, notification on service rendering conditions, relevant contract, etc.).
3 Rules of Personal Data Processing
3.1. The Company carries out processing of personal data on a legal basis. In cases provided for by the applicable laws of the Russian Federation, the Company obtains the consent (a written consent) of an owner to their personal data processing in the manner defined by the applicable laws of the Russian Fed-eration. If the Company receives personal data from a third party, then it obligatorily requires confirma-tion from such party that they have necessary grounds to transfer personal data to the Company.

3.2. In the course of its activity the Company is entitled to authorize a third party to process and or transfer personal data (provide access to personal data), unless the applicable laws of the Russian Fed-eration provide otherwise. In this case, a prerequisite for authorizing a third party to process and/or transfer of personal data is (i) an obligation for such a party to comply with the principles and rules of personal data processing established by the applicable laws, to observe confidentiality and to ensure safety and protection of personal data while processing it, ensuring rights of personal data owners, as well as (ii) an obligation of a third party to use the data exclusively for predefined purposes and in prede-fined scope, and (iii) an obligation to comply with other terms of personal data processing and protection, which have been specified/communicated/agreed with the personal data owner by the Company. Such third parties include, in particular, Daimler Truck AG, contractors of the Company (including companies rendering support services for information systems used), dealerships/workshop stations and other per-sons, which the owner in each case is informed of.

3.3. When authorizing a third party to process or transfer (providing access to) personal data, cases of cross-border transfer are possible. In this case, the Company observes requirements of the laws of the Russian Federation and transfers data only to those foreign states that are parties to the Council of Eu-rope Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or ensure proper protection of rights of personal data owners. Otherwise, the Company observes the re-quirements of part 4, Article 12 of the Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data”. In particular, the Company carries out cross-border transfer of personal data to Daimler Truck AG.

3.4. The Company prohibits making decisions resulting in legal consequences for a personal data owner or otherwise affecting their rights and legal interests, based on solely automated personal data pro-cessing.

3.5. The Company does not process personal data pertaining to race, nationality, political views, religious or philosophical beliefs, or private life.

3.6. The Company does not process biometric personal data. In relevant cases, upon presentation by owners of personal data of their passports or other documents containing a photograph of the owner, the Company does not use this photograph to establish the identity of the personal data owner (identifica-tion), but uses it to verify the identity of the person that submitted the document with the person in the photograph in this document (authentication).

3.7. The Company does not publish personal data of a personal data owner in public sources without their consent.

3.8. Owners can contact the Company regarding all issues related to the processing of personal data provided for by the laws of the Russian Federation by sending an e-mail to tatyana.kazakova@daimler.com, or written request to the Company’s address. Consent to personal data processing may be withdrawn by an owner by sending a scanned copy of a written notice signed by the personal data owner to the e-mail address given above, or the original written notice to the Company ei-ther by registered mail with an enclosure list or courier service. The Company is entitled to continue pro-cessing personal data in cases provided for by the applicable laws of the Russian Federation, or if the personal data is processed in accordance with another legal grounds (in particular, in accordance with the accepted conditions of service rendering).

3.9. The company may request consent of a personal data owner more than once upon each addressing of the owner. If upon subsequent Company’s requests for consent (including when filling in online forms with a field to be ticked as a consent) this is not given, the previously given consent shall not be auto-matically recognized as withdrawn and will continue to be valid for the period stated in the consent.

3.10. The Company transfers personal data to state authorities and local self-governing authorities, courts, law enforcement and other bodies in cases and in the manner provided for by the laws of the Russian Federation.
4 Defining Rules and Manner of Personal Data Processing
4.1.The following is defined in the Company, as well as in relevant contracts with partners, contractors and other third parties, as far as they are concerned:

• procedures for giving access to personal data;
• procedures for changing personal data in order to ensure their accuracy, reliability and relevance, including with respect to the purposes of personal data processing;
• procedures of personal data destruction or blocking when such procedure is necessary;
• procedures for processing enquires of personal data owners (their legal representatives) in cases provided for by the Federal Law dated July 27, 2006 No. 152-FZ “On Personal Data”, in particu-lar, the procedure of preparing information on availability of personal data relating to a specific owner of personal data, information necessary for acknowledgement of an owner of personal da-ta (their legal representatives) with their personal data, as well as the procedure for processing enquiries regarding clarification of personal data, their blocking or destruction, of personal data are incomplete, outdated, inaccurate, obtained illegally, or are not necessary for the processing purpose;
• procedures for handling an enquiry of an authorized body for the protection of personal data owners’ rights;
• procedures for obtaining a consent of a personal data owner to processing of their personal data and to authorization of thirds parties to process their personal data;
• procedures for the transfer of personal data between users of a personal data source, which pro-vides for transfer of personal data between the Company employees having access to personal data only;
• procedures for transferring personal data to third parties;
• procedures for handling material media of personal data.
5 Personal Data Confidentiality and Safety Requirements
5.1. To ensure security of personal data during their processing, the Company implements requirements of the applicable legislation of the Russian Federation in the field of personal data processing and safety.

5.2. The company executes necessary and sufficient legal, organizational and technical measures, includ-ing, but not limited to:

• development of internal documents on personal data processing, as well as local acts defining procedures aimed at prevention and detection of violations of the laws of the Russian Federation, elimination of consequences of such violations;
• protection of personal data from unauthorized access, illegal processing or transfer, as well as from loss, distortion or destruction (regardless of automated or non-automated way of personal data processing);
• prior to introduction of new personal data processing processes and new personal data infor-mation systems (hereinafter - “PDIS”), identification and implementation of technical and organi-zational measures that ensure protection of personal data designed for state of the art technolo-gies and proper degree of personal data protection;
• identification of threats to personal data safety during their processing in the PDIS;
• definition of rules of access to personal data processed in the PDIS, as well as arrangement of registration and tracking of actions performed in PDIS with personal data;
• control and evaluation of efficiency of measures taken (including cases of third party’s involve-ment in such control);
• detection of unauthorized access to personal data (and other incidents relating to personal data) and taking measures;
• personal data recovery.

5.4. In terms of processing confidentiality the Company takes measures aimed at prevention of an unau-thorized collection, processing or use of personal data:

• providing access to personal data only in cases and in manner prescribed by the laws of the Rus-sian Federation;
• introduction of the Company`s employees involved directly in personal data processing to provi-sions of the laws of the Russian Federation on personal data, including personal data safety re-quirements, documents defining the Company`s policy on personal data processing, local acts re-garding personal data processing issues, requirements for non-automated personal data pro-cessing, and (or) training of specified employees.

5.5. The Company has appointed persons responsible for arranging processing and safety of personal da-ta.
6 Control
6.1. Control over the implementation of this Policy is performed by persons responsible for arrangement of personal data processing and safety, as well as employees who in accordance with their functions per-form relevant duties in compliance with the Company’s internal administrative documents, and heads of departments, and subdivisions of the Company - regarding observation of provisions by employees re-porting to them.
7 Final Provisions
7.1. This Policy becomes effective from the moment it is adopted and is valid until introduction of amendments and/or adoption of a new document in accordance with the Company’s internal procedure.

7.2. The Policy may be updated from time to time or otherwise changed by the Company; any changes should be published by the Company. The Company may also notify entities whose personal data are processed by the Company in accordance with the Company’s procedures. Such changes shall become effective from the moment of their publication.

7.3. If any of provisions of this Policy is or becomes invalid, this does not affect the validity of the remain-ing provisions of this Policy.

7.4. In case of changes in the regulatory legal acts referred to in this Policy, this Policy continues to ap-ply, so far as it does not contradict the applicable legislation. Regarding the rest, the Company should observe the norms of the applicable laws of the Russian Federation.