Policy on processing and protection of personal data

1.1 This document defines Sharmax Motor’s policy regarding the processing of personal data, as well as information about the implemented requirements to the protection of personal data and is developed in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (as amended and supplemented) in accordance with this law and other laws and regulations that define the procedure for handling personal data and requirements to its security.

2.1 In this Policy, the terms are used in the meaning ascribed to them in Article 3 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data.

2.2 The Operator in this Policy means the Sharmax Motors company, and the portal means the Internet portal (website) located on the Internet at: http://sharmax.ae

2.3 This Policy applies to all information which the Operator, its dealers and partners can obtain about the User during their use of the Operator’s portal/site or services (hereinafter also referred to as the Services) and during the performance of any agreements and contracts with the User by the Operator. The User’s consent to the Policy, expressed by him within the framework of the relations with one of the listed persons, extends to all other listed persons.

2.4 Using the Operator’s services (any contact with the portal/website) means the User’s unconditional consent to this Policy and the terms of processing his personal information specified in it; in case of disagreement with these terms the User must refrain from using the Services.

3.1 The Operator processes personal data on the following categories of subjects: – counterparties – individuals associated with the Operator by civil law relations; – counterparty employees – individuals associated with the counterparty by labor or civil law relations; – users of the portal and/or the Operator’s website, including representatives of Dealers, Companies, Partners, Buyers, casual visitors and third parties as well as Buyers of goods or services, advertising information about which is placed on the website and/or portal; – other subjects in connection with the existence with the Operator of legal relations that are not contrary to the legislation of Ros Ros

3.2 The operator is guided by the following principles for determining the purposes of personal data processing. – Processing of personal data shall be performed on a lawful and fair basis. – The content and scope of processed personal data must comply with the declared processing purposes. – When processing personal data, the Operator shall comply with other principles and rules of processing stipulated by the laws of the UAE

3.3. The purpose of processing of personal data varies. The operator is guided by the terms of personal data processing depending on the categories of personal data subjects and taking into account the provisions of regulatory legal acts of the UAE. The operator shall be entitled to process personal data only for legitimate purposes, and processing of personal data shall be limited to achieving those purposes.

3.4 The purposes of personal data processing by the Company are: – with regard to counterparties, their representatives and employees – implementation of the norms of the Civil Code of the AUE on contractual obligations, conclusion and execution of agreements with counterparties, provision by the operator of an Internet service for work with contracts, performance by the operator of actions on behalf of representatives of personal data subjects; – with regard to Users – provision by the operator of an Internet service for work with contracts, identification of the party within the Services and services, agreements and contracts with the operator; promotion of goods, works,

3.5 Processing of personal data by the Operator is allowed in the following cases:

3.5.1 If the consent of the subject of personal data to the processing of his personal data is available. The procedure for obtaining the consent of the subject of personal data by the Company is defined in section 5 of the Policy.

3.5.2 Processing of personal data is necessary for the implementation and performance of the functions, powers and duties imposed on the operator by law.

3.5.3 To enter into an agreement at the initiative of a personal data subject and to perform an agreement to which the personal data subject is a party. Such contracts are, without limitation, any civil law contracts, including in the form of an accepted offer with Users. Prior to the conclusion of contracts, the Operator shall process personal data at the pre-contracting stage, when the subject’s consent to the processing is confirmed by filling out an application on the portal and/or website or by sending an electronic message indicating personal data to the operator by e-mail.

3.5.4 The processing of personal data by the Operator is necessary in order to exercise the rights and legitimate interests of the Operator and/or third parties or to achieve socially important goals, provided that the rights and freedoms of personal data subjects are not violated thereby.

3.5.5 The Operator shall process Personal Data for statistical or other research purposes, subject to mandatory depersonalization of Personal Data.

3.5.6 Processing of personal data, access to which is provided by the subject of personal data or at his/her request.

3.5.7 Personal data is subject to publication or compulsory disclosure in accordance with the law.

3.6 The Operator shall not process personal data related to special categories and concerning nationality, political views, religious or philosophical beliefs, intimate life, about membership of subjects of personal data in public associations or their trade union activities, except for information related to the issue of the Employee’s ability to perform labor functions and necessary for the purposes defined by pension legislation.

3.7 The operator may process personal data on criminal records only in the cases and in the manner prescribed by AUE law.

3.8 The operator does not process biometric personal data.

3.9. When collecting personal data, the operator ensures recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data using databases located in the UAE

3.10. The operator may carry out trans-border transfer of personal data in cases of concluding contracts with users and counterparties located abroad, to the extent necessary for the conclusion and execution of such contracts. In case of transborder transfer of personal data to states, which are not parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or which do not provide adequate protection of personal data, personal data subjects shall give their consent in writing for such transfer.

3.11. The operator shall not take decisions, generating legal consequences in relation to personal data subjects or otherwise affecting their rights and legitimate interests, based solely on automated processing of personal data.

3.12. When processing personal data, the Operator shall be obliged to observe security and confidentiality of the processed personal data, as well as fulfill other requirements stipulated by the legislation of the UAE in the field of personal data.

3.13. In accordance with the Federal Law “On Personal Data”, the operator shall appoint a person responsible for organizing the processing of personal data.

3.14. The person responsible for organizing the processing of personal data must exercise internal control over the compliance of personal data processing with the Federal Law “On Personal Data” and the regulations adopted in accordance with it, the requirements for the protection of personal data, this policy of the operator, the local acts of the operator.

4.1 Employees of the Operator who obtain access to personal data must ensure the confidentiality of such data. Confidentiality is not required in relation to: – personal data after its depersonalization; – publicly available personal data.

5.1 The subject of personal data decides to provide their personal data to the Operator and consents to their processing freely, willingly and in their own interest. The consent to the processing of personal data must be specific, informed and conscientious and may be given by the subject in any form that allows to confirm the fact of its receipt, unless otherwise provided by the legislation of the UAE.

5.2 The consent of the client-physical person, who uses the services provided by the Operator through the portal and/or website, is not required, as he is a party of the contract with the Operator, who has accepted the public offer and/or User Agreement, placed on the Operator’s website. Filling in the registration form and/or order to purchase a product or service (or other order form, application, etc.) on the portal and/or website by the buyer expresses his will and consent to the processing of his personal data.

5.3 The user’s registration on the portal and/or the Operator’s website, confirmed by his login and password, is his simple electronic signature. An electronic document signed with such login and password is equal to a document signed with a handwritten signature.

5.4 The Client’s representatives, Users (after confirming their authorization on the Operator’s website and/or the portal) give their consent to the processing of their personal data by the Operator and/or its partners/dealers, in the form of conclusive actions expressed in providing their data for posting on the website and/or the portal.

5.5 In case the Operator receives personal data from the counterparty on the basis of and for the purpose of execution of the contract concluded with it, including from the client-legal entity, using the services provided by the portal and/or website of the Operator, the responsibility for legitimacy and reliability of personal data, as well as for the consent of the Counterparty Representatives and Client Representatives for transferring their personal data to the Operator shall be born by the counterparty transferring personal data, which is fixed in the text of the Operator contract with counterparty.

5.6 The Operator, who received personal data from the counterparty and the legal entity’s client, does not assume the obligation to inform the subjects (their representatives), whose personal data are transferred to it, about the beginning of processing of personal data, as the obligation to carry out the relevant informing when concluding an agreement with the personal data subject and/or when receiving consent for such transfer is the responsibility of the counterparty (client) who transferred the personal data. This obligation of the counterparty (client) shall be included in the contract concluded with him by the Operator, including the contract in the form of an offer, placed on the portal and/or website.

5.7. In all other cases, the consent of personal data subjects who are Counterparty Representatives, except for persons who have signed contracts with the Operator or have given powers of attorney to act for and on behalf of Counterparties of the Operator, who have independently sent personal data to email and thereby have performed conclusive actions confirming their consent to the processing of personal data specified in the text of the contract (power of attorney) or the email. The counterparty may obtain consent from its representative for the transfer of its personal data to the Operator and the processing of this personal data by the Operator in the manner described in paragraph 5.5. of the Policy. In this case, the Operator’s consent to the processing of the subject’s personal data is not required.

5.8 The consent of the subjects’ Representatives to the processing of their personal data shall be given in the form of conclusive actions by providing a power of attorney with the right to act on behalf of and on behalf of the subjects of personal data and an identity document of the subject’s Representative.

5.9. Subjects’ consent to the provision of their personal data is not required when the Operator receives, within the established authority, motivated requests from prosecution authorities, law enforcement authorities, investigation and inquiry authorities, security authorities, from state labor inspectors in their implementation of state supervision and control over compliance with labor legislation, and other authorities authorized to request information in accordance with the competence provided by law. A motivated request must include an indication of the purpose of the request, a reference to the legal grounds for the request, including confirming the authority of the body which sent the request, as well as a list of the requested information.

5.10. In case of inquiries from organizations that do not have the appropriate authority, the Operator shall be obliged to obtain from the subject who is not an employee the consent to provide his/her personal data in any provable form, and to warn the persons receiving the personal data that this data may be used only for the purposes for which it is communicated, and to require from these persons confirmation that the specified rule will (was) complied with.

5.11. The consent to process personal data, the processing of which is not required by law or is not necessary for the performance of the contract with the Operator, to which the personal data subject is a party, may be revoked by the personal data subject. In this case, the Operator shall destroy such personal data, in respect of which the consent for processing is withdrawn, and shall ensure their destruction by the counterparties to which such data was transferred, within 30 days of receipt of the subject’s withdrawal of consent for processing of his/her personal data.

5.12. In all cases, the obligation to provide proof of the subject’s consent to the processing of his personal data or proof of the existence of the grounds specified in the Federal Law of UAE Federal Law No. 15 of 1980 “On Personal Data” is the responsibility of the operator.

6.1 The operator implements the following requirements of legislation in the field of personal data: – Requirements to ensure confidentiality of personal data; – Requirements to ensure realization of personal data subject’s rights; – Requirements to ensure accuracy of personal data and, if necessary, relevance in relation to the purpose of personal data processing (with taking (ensuring taking) measures to remove or clarify incomplete or inaccurate data); – Requirements to protect personal data from unauthorized or accidental access to it, destruction, change, blocking, copying, provision, dissemination of personal data

6.2 In accordance with the Federal Law “On Personal Data”, the Operator shall independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by legislation in the field of personal data. In particular, the protection of personal data is achieved by the Operator by: – appointing a person responsible for organizing the processing of personal data; – issuing this Policy by the Operator; – issuing a local regulatory act on employee personal data and the transfer of personal data within the same organization; – familiarizing employees admitted to the processing of personal data subjects with the requirements established by UAE legislation in the field of personal data, this Policy, as well as other local regulatory acts of the Operator; – organization of the proper procedure for working with p

This Policy is an internal document of the Operator. 7.2.

7.2 Other obligations and rights of the Operator as a person who organizes the processing of personal data, both independently and on behalf of other operators, are defined by the legislation of the UAE in the field of personal data.

7.3 This Policy shall be published, or otherwise unrestrictedly accessible, pursuant to Article 18.1(2) of the Act.

7.4. The Operator’s officials and employees who are guilty of violating the rules governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil and criminal liability in accordance with the laws of the UAE.

7.5. The Operator reserves the right to change this Policy (in all its sections and preamble, as well as in its name).