Personal data processing policy

1. Purpose

1.1. The personal data processing policy (hereinafter referred to as the Policy) was developed in accordance with Law of the State of Qatar No. (13) of 2016 on Protecting Personal Data Privacy (PDPPL) in the manner prescribed by it.

1.2. The Policy defines the general goals and principles of personal data processing and measures to ensure the security of personal data in Anabion Investments Holding LLC in order to protect the rights and freedoms of man and citizen when processing their personal data and establishes the intentions and obligations officially expressed by the management of Anabion Investments Holding LLC in this area.

1.3. This Policy is valid for 3 (three) years and may be revised upon reaching this period, or earlier - in case of changes in the current legislation in the field of protection and processing of personal data.

2. Scope

2.1. This Policy is mandatory for all employees of Anabion Investments Holding LLC regardless of their position, including full-time and part-time employees, from the moment the Policy comes into force. Other local regulatory acts on the provision and protection of personal data in Anabion Investments Holding LLC should not contradict this Policy.

3. Terms and designations

3.1. Automated processing of personal data - processing of personal data using computer equipment.

3.2. Blocking of personal data (personal data blocking) - temporary termination of processing of personal data (unless processing is necessary to clarify personal data).

3.3. Anonymization of personal data - actions that make it impossible to attribute personal data to a specific subject of personal data unless additional information is used.

3.4. Personal data processing - any action (operation) or set of actions (operations) performed with personal data, either with the use of automation tools or without their use. Personal data processing includes: collection; recording; systematization; accumulation; storage; clarification (updating, changing); extraction; use; transfer (distribution, provision, access); anonymization; blocking; deletion; destruction.

3.5. Processor - Anabion Investments Holding LLC.

3.6. Personal data - any information related directly or indirectly to a specific or identifiable individual (personal data subject).

3.7. A specific (or identifiable) person - a person who can be identified directly or indirectly, for example, by name, passport data, phone number, online identifier or by one or more factors characteristic of the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

3.8. Provision of personal data - actions aimed at disclosing personal data to a specific person or a number of specific persons.

3.9. Dissemination of personal data - actions aimed at disclosing personal data to an uncertain number of non-specific persons (transfer of personal data contained).

3.10. Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a foreign authority, foreign individual or foreign legal entity.

3.11. Destruction of personal data - actions which make it impossible to restore the content of personal data in the personal data information system and (or) which destroy/lead to destruction of material carriers of personal data.

3.12. Personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing.

4. Responsibility / owner of the process

4.1. Employees of the Processor guilty of violating the requirements of this Policy may be held accountable, including materially, for material damage caused to the Processor through the imposition of administrative or criminal liability on the Processor in the form of fines, or through reimbursement by the Processor of property and/or moral damages to the subject of personal data, as a result of unlawful actions of such employees of the Processor.

5. Main provisions

5.1. Principles and conditions of personal data processing

5.1.1. Processing of personal data by the Processor is carried out on the basis of the following principles:

5.1.1.1. Lawfulness, fairness and transparency.

5.1.1.2. Limitation of personal data processing to achieve specific, predetermined and legitimate goals.

5.1.1.3. Prevention of processing of personal data that is incompatible with the purposes of collecting personal data.

5.1.1.4. Prevention of the merging of databases containing personal data, the processing of which is carried out for purposes incompatible with one another.

5.1.1.5. Processing only the personal data that correspond to the purposes of their processing.

5.1.1.6. Compliance of the content and scope of the processed personal data with the declared purposes of processing.

5.1.1.7. Prevention of the processing of personal data that is excessive in relation to the declared purposes of their processing.

5.1.1.8. Ensuring accuracy, sufficiency and relevance of personal data in relation to the purposes of processing personal data.

5.1.1.9. Destruction or anonymization of personal data upon achievement of the purposes of their processing or in case of loss of need to achieve these goals, if it is impossible for the Processor to eliminate the violations of personal data, unless otherwise provided by law.

5.1.1.10. Processing of personal data in a way that ensures appropriate personal data security, including protection against unauthorized or illegal processing, as well as against accidental loss, destruction or damage, using appropriate technical and organizational measures.

5.1.2. Personal data processing conditions:

5.1.2.1. Categories of personal data subjects, the list of processed personal data, the purposes and legal grounds for their processing are defined in the Regulation on the processing of personal data of the Processor.

5.1.2.2. The Processor, in the absence of other legal grounds for processing personal data, must obtain the explicit consent of subjects to process their personal data at the time of collecting personal data. If the Processor plans to process personal data for a purpose incompatible with the primary purpose of processing personal data, the Processor must obtain a separate consent of personal data subjects for the planned purpose. If personal data are received by the Processor not directly from the personal data subject, the Processor must notify the subject of such processing.

5.1.3. Confidentiality of personal data

5.1.3.1. The Processor and other persons who have access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by law.

5.1.4. Commissioning the processing of personal data to another person

5.1.4.1. The Processor has the right to entrust the processing of personal data to other persons with the consent of the personal data subject, unless otherwise provided by PDPPL, on the basis of a contract concluded with this person. A person processing personal data on behalf of the Processor is obliged to comply with the principles and rules for processing personal data provided for by PDPPL, other laws and regulatory acts and this Policy.

5.1.5. Cross-border transfer of personal data

5.1.5.1. The Processor in the course of its activities may carry out cross-border transfer of personal data to the territory of foreign states to foreign authorities, foreign individuals or legal entities. Before starting such a transfer, the Processor must ensure that the foreign state to whose territory it is planned to transfer personal data provides adequate protection of the rights of personal data subjects.

5.1.5.2. Cross-border transfer of personal data to the territory of states that do not provide adequate protection of the rights of personal data subjects can be carried out only in cases of the written consent of the personal data subject to the cross-border transfer of their personal data or execution of the contract to which the personal data subject is a party, as well as in other cases provided for by PDPPL and / or other applicable personal data processing laws.

5.2. The personal data subject has the right to:

5.2.1. Protection of their rights and legitimate interests, including compensation for damages and (or) compensation for moral damage.

5.2.2. Receipt of a notification from the Processor of the obligation to provide reliable personal data, as well as the possible consequences of providing false data.

5.2.3. Exercise of their rights as a subject both independently and through a representative. The Processor reserves the right to request from the representative the information necessary to confirm the legality of the appeal (for example, a power of attorney, a decision of a court or of guardianship authorities, etc.).

5.3. The personal data subject of the Processor has the right to:

5.3.1. Obtaining information about the Processor: about the location of the Processor, about whether the Processor holds personal data relating to them as a personal data subject, and access to such personal data, as well as receiving other information in accordance with PDPPL.

5.3.2. Requiring the Processor to clarify their personal data, limiting their processing, blocking or destruction when their personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing.

5.3.3. Taking measures provided by law to protect their rights.

5.3.4. Withdrawing consent to the processing of personal data with the subsequent destruction (deletion) of personal data.

5.3.5. Submitting a complaint to supervisory authorities in case of violation of the requirements of applicable legislation in the field of processing and ensuring the security of personal data.

5.3.6. The Processor guarantees the following rights:

5.3.6.1. Right to withdraw consent to the processing of personal data with the subsequent destruction of personal data.

5.3.6.2. Right to receive information relating to the processing of personal data.

5.3.6.3. Right to receive a copy of the personal data being processed.

5.3.6.4. Right to correct the personal data provided if they are incomplete or incorrect.

5.3.6.5. Right to delete personal data.

5.3.6.6. Right to restrict the processing of personal data.

5.3.6.7. Right to receive the personal data provided in a structured format and transfer this data to other organizations.

5.3.6.8. Right to object to the processing of personal data.

5.3.6.9. Right to be informed about violations of the security of personal data.

5.3.6.10. Right to lodge a complaint with a supervisory authority if the rights of the personal data subject have been violated.

5.3.6.11. Right to compensation for damages and compensation for moral damage.

5.4. Ensuring the security of personal data

5.4.1. The security of personal data processed by the Processor is ensured by the implementation of legal, organizational and technical measures necessary to meet the requirements of state legislation in the field of personal data protection, including PDPPL.

5.4.2. To prevent unauthorized access to personal data, the Processor applies the following organizational and technical measures:

5.4.2.1. Appointment of officials responsible for organizing the processing and ensuring the security of personal data.

5.4.2.2. Limitation of the number of persons allowed to process personal data.

5.4.2.3. Familiarization of employees with the requirements of state legislation and the Processor's regulatory documents on the processing and protection of personal data.

5.4.2.4. Organization of accounting, storage and circulation of media containing information with personal data.

5.4.2.5. Identification of threats to the security of personal data during their processing, formation of threat models on their basis.

5.4.2.6. Development of a personal data protection system based on a threat model.

5.4.2.7. Development of local regulations in the field of personal data protection.

5.4.2.8. Implementation of internal control over the compliance of personal data processing with applicable legislation in the field of processing and ensuring the security of personal data.

5.4.2.9. Maintaining a register of personal data processing processes (RoPD) and keeping it up to date.

5.4.2.10. Control and tracking of the processing time of appeals and requests for the implementation of the rights of personal data subjects.

5.4.2.11. Conducting DPIA (Data Protection Impact Assessment) for processes that pose high risks to the rights and freedoms of personal data subjects due to their characteristics (nature, volume and type of data), and taking the necessary measures in relation to such processes.

5.4.2.12. Using the principles of Privacy by Design and Privacy by Default when developing systems or when making changes that affect the processing of personal data.

5.4.2.13. Taking measures to ensure the security of personal data processing by third parties that receive access to personal data (conclusion of special contracts and instructions for processing).

5.4.2.14. Tracking security incidents (if any) and their consequences, investigating them, and, if necessary, notifying the supervisory authority, as well as personal data subjects (if necessary) within 72 hours.

5.4.2.15. Conducting regular audits of personal data processing processes.

5.4.2.16. Implementation of other measures provided for by local regulations of the Processor.

5.5. Rights and obligations of the Processor in processing personal data

5.5.1. The Processor has the right to:

5.5.1.1. Entrust the processing of personal data to other persons with the consent of the subject of personal data, based on an agreement concluded with this person.

5.5.1.2. Determine the purposes, grounds and list of processed personal data.

5.5.1.3. Monitor the legality of personal data processing to eliminate the risk of being held administratively liable for violations of the procedure for processing personal data.

5.5.2. The Processor is obliged to:

5.5.2.1. When collecting personal data, provide the subject of personal data at their request with information regarding the processing of their personal data.

5.5.2.2. Ensure the accuracy of personal data, their sufficiency, and, if necessary, relevance to the purposes of processing personal data.

5.5.2.3. Ensure the collection of consents to the processing of personal data that the subject of personal data has permitted for distribution, in the case of providing access to the subject's personal data to an unlimited number of persons.

5.5.2.4. Take the necessary measures or ensure their adoption to remove or clarify incomplete or inaccurate data.

5.5.2.5. Not disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by law.

5.5.2.6. Immediately stop processing personal data at the request of the subject of personal data, if there are no legal grounds for its continuation.

5.5.2.7. Explain to the subject of personal data the procedure for making a decision on the basis of exclusively automated processing of their personal data and the possible legal consequences of such a decision, provide an opportunity to object to such a decision, and explain the procedure by which the subject of personal data can protect their rights and legitimate interests.

5.5.2.8. Provide recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of subjects of personal data.

5.5.2.9. Take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from illegal or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data.

5.5.2.10. Provide the subject of personal data or their representative with the opportunity to familiarize themselves with personal data related to this subject of personal data free of charge.

5.5.2.11. Cease processing of personal data or ensure its termination in case the purpose of processing personal data is achieved.

5.5.2.12. Perform other obligations provided for by laws and other regulatory legal acts regulating the processing and protection of personal data.

5.5.3. Processor's employees processing personal data of subjects are obliged to:

5.5.3.1. Process personal data of subjects only within the framework of their official duties.

5.5.3.2. Not disclose personal data of subjects obtained as a result of performing their official duties, as well as those that have become known to them by the nature of their activities.

5.5.3.3. Prevent actions of third parties that may lead to disclosure (destruction, distortion) of personal data of subjects.

5.5.3.4. Identify facts of disclosure, destruction, distortion of personal data of subjects and inform the Processor's Information Security Department about this.