Information about protection of personal data

QIWI PLC (hereinafter — QIWI) ensures that the following principles are respected when collecting and processing personal data.

THE PRINCIPLES APPLICABLE TO PERSONAL DATA

LAWFULNESS AND PURPOSE LIMITATION

1. Personal data is collected by the QIWI as part of its activities. It is only collected for specific, explicit, lawful purposes.

2. The purposes for which personal data is collected by the QIWI are as follows:

informing about Calendar events;

sending of Press Releases;

sending of Reports and Presentations;

sending of SEC Filings;

maintaining of investors loyalty;

3. The data collected cannot be used subsequently in any way that is incompatible with the purposes set out above.

4. In each instance, the QIWI shall only collect and process the data that is strictly necessary to achieve the objective concerned.

FAIR, TRANSPARENT DATA COLLECTION

5. The data is collected fairly; no data is collected without a person’s knowledge or without their being informed.

6. The QIWI can also be contacted at the following address for more detailed information on its personal data protection policy: ir@qiwi.com

ADEQUACY, RELEVANCE AND MINIMISATION OF DATA COLLECTED

7. The QIWI does everything possible to minimize data by collecting data that is adequate, relevant and limited to what is necessary to the purposes for which it is processed.

8. The personal data (only e-mail address) collected is updated regularly and stored by the QIWI in its databases.

PERSONAL DATA PROTECTION BY DESIGN AND DEFAULT

9. The QIWI has adopted internal policies and processes and does everything possible to implement measures that respect the principles of personal data protection by design and default.

10. The right to the protection of data is thus taken into account from the design stage right through the lifecycle of web-site that are based on personal data processing.

PERSONAL DATA SECURITY

11. The QIWI is particularly attentive to the security of personal data.

12. It implements technical and organizational measures adapted to the sensitivity level of the personal data collected, in order to ensure the integrity and confidentiality of the data and protect it from any malicious intrusion, loss, alteration or disclosure to unauthorized third parties.

13. The QIWI regularly conducts audits in order to ensure the proper operational application of the rules relating to data security.

14. It shall thus take all physical, technical and organizational measures necessary to:

protect its activities;

ensure the security of the personal data of its members, partners, website users, suppliers and service providers;

prevent any unauthorized access to data and any amendment, distortion, disclosure or destruction of the personal data in its possession.

15. However, the security and confidentiality of personal data rely on the good practices of each individual and the person concerned is invited to remain vigilant with regard to issues that may involve the use of his or her personal data.

16. In accordance with its commitments, the QIWI chooses its subcontractors and service providers carefully and requires that they respect the following:

a level of personal data protection equivalent to its own;

the use of personal data or information solely to ensure the management of the services they are to provide;

strict compliance with the applicable legislation and regulations on confidentiality, bank secrecy and personal data;

the implementation of all proper measures to ensure the protection of any personal data they may be required to process;

the definition of the technical and organizational measures needed to ensure security.

PERSONAL DATA PROCESSING CARRIED OUT AS PART OF RUNNING THE WEBSITE

17. As data controller, QIWI PLC, Kennedy 12, Kennedy Business Center, 2d floor, P.O. Box 1087, Nicosia, Cyprus, may collect, use, transfer, store and carry out other processing of your personal data in connection with the running of its website.

18. More specifically, the investor.qiwi.com website collect your personal data in the context of sending of information (Press Releases, Reports and Presentations, SEC Filings, Information about Calendar events).

19. Apart from the data collected in the contexts mentioned above, the investor.qiwi.com website only processes personal data for the purpose of statistical analysis via Google analytics and Yandex Metrics; these data are anonymized.

SENDING OF INFORMATION

20. On the context of sending information, personal data are collected on the basis of your consent and are necessary for sending you information.

21. The purpose of the processing carried out by the website in this context is to:

send information and requests.

22. The data recorded and may be transmitted to external service providers.

23. The personal data collected in this way are retained indefinitely.

24. The data collected can be use in cross-border flows.

25. Whenever in case of transfer your personal data outside of the EEA, QIWI ensure a similar degree of protection is afforded to it and that all third parties respect the security of your personal data and treat it in accordance with the law. QIWI does not allow third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with instructions of QIWI.

List of Processors:

QIWI Bank JSC

YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA

26. In accordance with the Cyprus LAW 125(I) of 2018 “Law providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data” and European Regulation 2016/679 of 27 April 2016 known as the ‘General Data Protection Regulation’, you have the right to access, query, correct, modify and delete your collected personal data. You may therefore require that any information about you that is inaccurate, incomplete, ambiguous or out of date be corrected, supplemented, clarified, updated or deleted. You may also exercise your rights to object to and restrict the processing of your data, as well as your right to data portability.

27. You may exercise such rights with regard to the following data:

only your personal data, excluding anonymized personal data or data that do not concern you;

declarative personal data as well as operational personal data;

personal data that do not infringe the rights and freedoms of third parties such as those protected by business secrecy.

28. This right is limited to processing based on consent or a contract, as well as to personal data that you have personally generated. This right does not include derived or inferred data, which constitute personal data created by the Data Controller.

29. Furthermore, you also have the right to establish instructions for the retention, erasure and transmission of your personal data after your death.

30. You may give specific post-mortem instructions and exercise your rights by post to the following address: QIWI PLC, Kennedy 12, Kennedy Business Center, 2d floor,. P.O. Box 1087, Nicosia, Cyprus or by email to the following address: ir@qiwi.com.

31. When exercising your rights, you must prove your identity by any means. If in doubt about your identity, QIWI may request any additional information that may be necessary, including a photocopy of an identity document bearing your signature.