Personal data treatment and protection policy of RELX limited liability company

List of terms and definitions

The following terms and definitions are used in this document:

Automated processing of personal data - Processing of personal data using computer technologies.

Blocking of personal data - Temporary interruption of personal data processing (except for the cases when processing is necessary to amend the personal data).

Personal data system - The personal data contained in the databases and the information technologies and technical means ensuring their processing.

Depersonalisation of personal data - Actions as a result of which it becomes impossible to assign personal data to a particular subject without additional information.

Personal data processing - Any action (operation) or a set of actions (operations) made with personal data using or without using automation aids, including collection, recording, classification, accumulation, storage, clarification (updating, modification), retrieval, use, transmission (distribution, submission, access), depersonalisation, blocking, deletion, destruction of personal data.

Operator - A governmental body, municipal authority, juridical or physical person which organises and/or carries out, independently or jointly with other persons, personal data processing and determines purposes of personal data processing, scope of personal data to be processed, actions (operations) made with personal data.

Personal data - Any information related to an individual (personal data subject) who is identified or may be identified directly or indirectly.

Disclosure of personal data - Actions aimed at disclosing personal data to a certain person or group of persons.

Cross-border transmission of personal data - Transmission of personal data to the territory of a foreign state, to a governmental body of a foreign state, to a foreign individual or legal entity.

Diffusion of personal data - Actions aimed at disclosing personal data to an undefined group of persons.

Destruction of personal data - Actions as a result of which the recovery of personal data content in the personal data information system becomes impossible and/or a result of which physical media of personal data are destructed.

1. General

This Personal Data Treatment and Protection Policy (hereinafter referred to as "the Policy") was developed in accordance with Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" and is a basic internal regulatory document of RELX Limited Liability Company (hereinafter referred to as "the Company") which determines its main activities in the field of treatment and protection of personal data (hereinafter "PD") of which the Company is an operator.

The policy was developed to implement the legal requirements concerning treatment and protection of PD and is aimed at ensuring the protection of peoples' and citizens' rights and freedoms upon processing of their PD by the Company.

2. Principles and purposes of personal data processing

The Company processes PD fairly and in compliance with the laws, solely for the achievement of concrete, preliminarily defined and legal purposes. Only PD required for the defined goals are processed. The content and the scope of PD processed by the Company meet the stated goals of their processing; no redundancy of processed PD is allowed.

Upon processing of PD in the Company, their accuracy, sufficiency and, if necessary, their relevance for the purposes of PD processing are ensured. The Company takes the necessary measures (ensures that they are taken) for the deletion or updating of incomplete or incorrect PD.

Storage of PD in the Company is performed in such a form that allows to determine the PD subject for no longer than required by the purposes of PD processing, unless a term for PD storage is set by the federal law or by an agreement to which the PD subject is a party, beneficiary or guarantor. The processed PD are destroyed or depersonalised after the purposes of their processing have been achieved, or if the achievement of such purposes is no longer required, unless otherwise provided for by the federal law.

The purposes of processing, the composition and the content of PD, and the categories of PD subjects whose data are processed by the Company are specified in the Company's PD processing notice sent to the authority competent for the protection of PD subjects' rights (Federal

Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)), and are updated if any changes in them occur.

During its activity the Company may provide and (or) delegate PD processing to another entity, with the PD subject's consent, unless otherwise required by the federal law. A mandatory condition for the provision and (or) delegation of PD processing to another entity is the parties; obligation to ensure the confidentiality and safety of PD upon their processing.

The Company does not publish the subject's PD on publicly accessible sources without the subject's prior consent.

In the course of its activity the Company may transmit PD across the border to foreign countries, to the government authorities of other countries, to foreign individuals or legal entities. Issues related to ensuring proper protection of PD subjects' rights and safety of their PD upon cross-border transmission have the highest priority for the Company, and are resolved in accordance with the laws of the Russian Federation on PD processing.

Cross-border transmission of PD to other countries which do not ensure proper protection of PD subjects' rights is performed only with the PD subjects' written consent to cross-border transmission of their PD or under an agreement to which the PD subject is a party, as well as in other cases provided for by the laws.

3. Scope and category of processed personal data, catrgories of personal data subjects

The content and scope of the personal data processed by the Company for each subject, and the purposes, storage term and legal grounds for the processing are specified in the "Lost of Personal Data Processed by RELX LLC".

4. Personal data subjects' rights

4.1. Personal Data Subjects' Consent to Processing of Their Personal Data

Personal data subjects decide on the provision of their personal data and give their consent to processing of such data freely, voluntarily and for their own interest. Personal data subjects or their representatives may give their consent to personal data processing in any form allowing to confirm its receipt, unless otherwise provided for by the federal laws.

The Company bears the obligation to prove the receipt of the personal data subjects' consent to personal data processing or to prove the existence of the grounds specified in Law 152-FZ.

4.2. Personal data subjects' rights

The personal data subjects have the right to receive from the Company information concerning the processing of their personal data, unless such right is not restricted under the federal laws. The personal data subjects shall have the right to demand that the Company update, block or destroy their personal data if the personal data are incomplete, obsolete, incorrect, were received illegally or are not necessary for the stated purposes of processing, and to take the measures provided for by the laws for the protection of their rights.

The processing of personal data to promote products, works and services in the market by making direct contact with a potential customer by means of communication, or for political solicitation, is allowed only with the prior consent of the personal data subject. The stated processing of the personal data shall be considered as carried out without preliminary consent of the personal data subject, unless the Company proves that this consent was obtained.

The Company shall immediately discontinue processing of the personal data for the above-mentioned purposes on the demand of the personal data subject.

It shall be prohibited to make decisions giving rise to legal consequences with regard to the personal data subjects or otherwise affecting their rights and legal interests on the basis of only automated processing of the personal data, except for the cases provided for by the federal laws, or with the personal data subjects' written consent.

If the personal data subjects think that the Company carries out processing of their personal data in violation of the requirements of Law 152-FZ or otherwise violated their rights and freedoms, the personal data subjects shall have the right to file an appeal against the Company’s acts or omissions to the competent body for protection of the personal data subjects' rights, or to file a lawsuit.

The personal data subjects shall have the right to protection of their rights and legal interests and to reimbursement of the losses and/or compensation for the moral damage in a judicial proceeding.

5. Main measures to ensure personal data safety

To ensure the protection of PD upon their processing, the Company shall autonomously determine the list of measures necessary and sufficient for the performance of its legal obligations in connection with the processing and protection of PD. Such measures shall include:

  • appointment of a person in charge of the PD processing;
  • issue of documents determining the Company's policy in respect of PD processing, internal regulations on PD processing, and internal regulations establishing the procedures aimed at preventing and identifying violations of the laws regulating processing and protection of PD, elimination of the consequences of such violations;
  • taking of legal, organisational and technical measures aimed at ensuring PD safety;
  • internal control of compliance of PD processing with the laws concerning PD processing and safety and the relevant regulations, PD protection requirements, the Company's PD processing policy, internal regulations of the Company;
  • assessment of the damage which can be caused to PD subjects in case of violation of legal requirements concerning PD processing and protection, correspondence between the said damage and the PD safety measures taken by the Company;
  • familiarisation of the Company's employees directly performing the processing of PD with the requirements of the laws concerning PD processing and protection;
  • organisation of receipt and processing of the application and requests submitted by PD subjects or their legal representatives, and control of the receipt and processing of such applications and requests.

The Company's management understands the importance and necessity of PD protection and encourages continuous improvement of the system for protection of PD processed in the course of performance of the Company's core business.

6. Final provisions

Other rights and obligations of the Company as a personal data operator are determined by the laws of the Russian federation on personal data.

The officers of the Company who violate the regulations concerning processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in accordance with the federal laws.