Personal Data Processing Policy - Astrakhan Oil (AOC)

1. General Provisions

1.1. This Personal Data Processing Policy (the “Policy”) of Astrakhan Oil (AOC) has been developed in accordance with applicable data protection legislation, including the Federal Law of the Russia No. 152-FZ “On Personal Data” dated July 27, 2006, as well as other relevant regulatory frameworks.

1.2. The Policy is also aligned with international standards, including the principles set out in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of the Council of Europe, and reflects best practices applicable to cross-border energy and trading operations.

1.3. The purpose of this Policy is to inform data subjects and all parties involved in personal data processing of AOC’s commitment to the principles of:

• Legitimacy and fairness

• Data minimization and relevance

• Purpose limitation

• Accuracy and confidentiality

1.4. The protection of individual rights and freedoms, including the right to privacy and personal data protection, constitutes a core priority of AOC.

1.5. This Policy applies to all personal data processed by AOC and is publicly accessible.

2. Legal Grounds for Personal Data Processing

2.1. AOC processes personal data on the following legal grounds:

• With the consent of the data subject

• For compliance with applicable laws and regulatory requirements

• For the performance and execution of contracts where the data subject is a party, beneficiary, or guarantor

• For the protection of legitimate interests of AOC, provided such interests do not override fundamental rights of the data subject

3. Purposes and Methods of Processing

3.1. Personal data may be processed using automated systems, non-automated means, or a combination of both.

3.2. Where automated processing is applied, data may be transmitted through secure internal systems and information networks, including controlled use of the internet.

3.3. Personal data is processed for the following purposes:

• Employment, recruitment, training, and personnel management

• Compliance with labor, tax, and corporate governance regulations

• Execution of commercial agreements, including supply, trading, and service contracts

• Compliance with regulatory, financial, and reporting obligations

• Protection of legal rights and interests in judicial or administrative proceedings

• Internal audit, risk management, and corporate oversight

• Security, access control, and protection of company assets

• Maintenance of corporate directories and communication systems

4. Categories of Processed Data and Data Sources

4.1. Personal data is obtained directly from data subjects or their authorized representatives, unless otherwise provided by law.

4.2. Data may also be obtained from third parties with the consent of the data subject or where legally permitted.

4.3. AOC does not process special categories of personal data (including data relating to ethnicity, political views, religion, health, or private life), except where explicitly permitted by applicable law.

4.4. Personal data shall not be used for political solicitation or unauthorized commercial promotion.

4.5. AOC processes personal data relating to:

• Employees and former employees

• Candidates for employment

• Contractors and counterparties

• Representatives of business partners and affiliated entities

• Shareholders, advisors, and service providers

• Other individuals where processing is necessary for legitimate business purposes

5. Data Processing and Retention Period

5.1. Personal data shall be processed only for as long as necessary to achieve the purposes for which it was collected.

5.2. Processing shall cease once:

• The purpose of processing has been fulfilled

• Legal grounds for processing no longer exist

• Applicable retention periods have expired

5.3. Upon expiration, personal data shall be securely deleted or anonymized for statistical or analytical use.

6. Rights of Data Subjects

6.1. Data subjects have the right to:

• Obtain information regarding the processing of their personal data

• Request correction, blocking, or deletion of inaccurate or unlawfully processed data

• Restrict or object to processing where applicable

• Seek legal remedies in case of violation of their rights

6.2. Access to personal data may be limited where required by law.

6.3. Decisions producing legal effects based solely on automated processing shall only be made with explicit consent or as otherwise permitted by law.

7. Cross-Border Data Transfers

7.1. AOC may transfer personal data across borders in connection with its international operations.

7.2. Such transfers shall be carried out to jurisdictions that ensure an adequate level of data protection or in accordance with legally permitted safeguards, including:

• Consent of the data subject

• Necessity for contract performance

• Protection of vital interests

• Compliance with international legal obligations

7.3. Cross-border transfers may occur within AOC’s operational footprint, including jurisdictions across Europe, the Middle East, Asia, and other regions where the Company conducts business.

8. Third-Party Data Processing

8.1. AOC may engage third parties to process personal data on its behalf, subject to contractual safeguards.

8.2. Such agreements shall define:

• Scope and purpose of processing

• Confidentiality obligations

• Security requirements

8.3. AOC remains responsible for ensuring that third-party processors comply with applicable data protection standards.

9. Data Protection Measures

9.1. AOC implements appropriate legal, organizational, and technical measures to protect personal data from unauthorized access, loss, alteration, or disclosure.

9.2. These measures include:

• Appointment of responsible personnel for data protection

• Internal policies and compliance controls

• Access restrictions and authentication protocols

• Monitoring and logging of data processing activities

• Secure storage and handling of data carriers

• Regular audits and compliance reviews

• Employee training and awareness programs

10. Liability

Employees and representatives of AOC involved in personal data processing may be subject to disciplinary, civil, administrative, or criminal liability in accordance with applicable law for violations of data protection requirements.​

​

​