1.1. This Personal Data Processing Policy of the Roscongress Foundation (hereinafter the Policy and the Foundation, respectively) defines the principles, purposes, conditions, timeframe, and methods of the processing of personal data, the list of personal data subjects, the list of personal data to be processed, the list of actions performed with personal data, the rights of personal data subjects, measures to monitor compliance with the legal requirements of the Russian Federation regarding the processing of personal data, as well as the measures taken to protect personal data.
1.2. The Policy was prepared taking into account the requirements of the Constitution of the Russian Federation, as well as legislative and other regulatory legal acts of the Russian Federation concerning personal data.
1.3. The Foundation has prioritized the observance of people’s rights and freedoms, including the protection of their rights to privacy and personal and family secrets, as a primary goal and condition for performing its activities when processing their personal data.
1.4. In order to implement the provisions of this Policy, the Foundation prepares the relevant in-house regulations and other documents governing the processing of the personal data of the Foundation’s employees and other personal data subjects.
2.1. The following terms and definitions are used in this Policy:
Automated processing of personal data refers to the processing of personal data using computer technology.
Blocking of personal data refers to the temporary cessation of the processing of personal data (except in cases when processing is essential to clarify personal data).
Personal data information system refers to the set of personal data contained in databases and the information technologies and technical means used for its processing.
Information refers to data (messages) regardless of the form of its presentation.
Depersonalization of personal data refers to actions that make it impossible to determine the ownership of personal data by a specific personal data subject without the use of additional information.
Processing of personal data refers to any action (operation) or set of actions (operations) performed with or without automation tools with personal data, including the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of personal data.
Operator refers to a state body, municipal body, legal entity, or individual, who organizes and/or performs the processing of personal data independently or jointly with other entities and also determines the purposes of the processing of personal data and the scope of personal data subject to processing and the actions (operations) performed with personal data.
Personal data refers to any information related to a directly or indirectly defined or definable individual (personal data subject).
Personal data permitted for distribution by a personal data subject refers to personal data to which a personal data subject has provided access to an unlimited number of persons by granting consent to the processing of personal data permitted by the personal data subject for distribution in the manner prescribed by the existing laws of the Russian Federation.
Provision of personal data refers to actions that aim to disclose personal data to a specific person or a specific group of persons.
Distribution of personal data refers to actions that aim to disclose personal data to an unspecified group of persons.
Cross-border transmission of personal data refers to the transmission of personal data to the territory of a foreign state to a foreign government body, foreign individual, or foreign legal entity.
Destruction of personal data refers to actions that make it impossible to restore the content of personal data in a personal data information system and/or destroy the tangible carriers of personal data.
3.1. This Policy was prepared in accordance with the following regulatory legal acts:
- Constitution of the Russian Federation
- Civil Code of the Russian Federation
- Labour Code of the Russian Federation
- Federal Law No. 152-FZ dated 27 July 2006 ‘On Personal Data’
- Federal Law No. 149-FZ dated 27 July 2006 ‘On Information, Information Technologies, and the Protection of Information’
- Decree No. 188 of the President of the Russian Federation dated 6 March 1997 ‘On the Approval of the List of Confidential Information’
- Resolution No. 687 of the Government of the Russian Federation dated 15 September 2008 ‘On the Approval of the Regulation on Special Aspects of Processing Personal Data without Automation Tools’
- Resolution No. 1119 of the Government of the Russian Federation dated 1 November 2012 ‘On the Approval of Requirements for the Protection of Personal Data during Processing in Personal Data Information Systems’
- Order No. 21 of the Russian Federal Service for Technical and Export Control dated 18 February 2013 ‘On the Approval of the Scope and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Processing in Personal Data Information Systems’
- Other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies.
4.1. Purposes and principles of the processing of personal data
4.1.1. Personal data is processed for the following purposes:
- To ensure compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, and the in-house regulations of the Foundation
- To exercise the functions, powers, and obligations imposed on the Foundation by the laws of the Russian Federation, including the provision of personal data to government bodies, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as other government bodies
- To regulate employment relations with the Foundation’s employees (assistance in finding employment, training and career advancement, ensuring personal safety, monitoring the quantity and quality of work performed, and ensuring the safety of property)
- To provide the Foundation’s employees and their family members with additional guarantees and compensation, including a private pension, voluntary medical insurance, medical care, and other types of social security
- To regulate relations with students who are receiving on-the-job training at the Foundation under a contract (interns)
- To prepare and hold national, international, congress, exhibition, business, social, youth, sports, and cultural events organized by the Foundation
- To create an account in the Roscongress personal account and provide access to use the functions, content, and services of the website, the Roscongress personal account, and the mobile application
- To prepare a registration application for events that are organized and/or held by the Foundation, including virtual events
- To directly engage with personal data subjects using communication tools, including electronic communication tools, in order to provide them with information by sending emails and/or in another manner about issues concerning participation in events organized and/or held by the Foundation and/or its partners, including the customers of events, the review status of registration applications by the Organizing Committee of the event, as well as new products, services, and special offers
- To conduct statistical research, surveys, expert examinations, and questionnaires
- To create reference materials for the internal information support of the Foundation’s activities
- To protect the life, health, or other vital interests of personal data subjects
- To prepare, conclude, execute, and terminate contracts with counterparties
- To execute judicial acts or the acts of other bodies or officials that are subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings
- To exercise the Foundation’s rights and legitimate interests when implementing the types of activities envisaged by the charter and other local regulatory acts of the Foundation or third parties, or to achieve socially significant goals
- For other legal purposes
4.1.2. The Foundation processes personal data based on the following principles:
- Personal data is processed on a lawful and fair basis
- The processing of personal data is limited to achieving specific, predetermined, and lawful goals
- Personal data may not be processed in a manner that is incompatible with the purposes of collecting personal data
- Databases containing personal data that is processed for purposes that are incompatible with each other may not be combined
- Only personal data that is consistent with the purposes of its processing may be processed
- The content and volume of personal data being processed must correspond to the stated purposes of processing and no redundancy of personal data is permitted with respect to the stated purposes of its processing
- When processing personal data, it is essential to ensure the accuracy of the personal data, as well as its sufficiency and, where necessary, relevance with respect to the purposes of its processing. The Foundation shall take or ensure the adoption of the necessary measures to delete or clarify incomplete or inaccurate personal data
- Personal data shall be stored in a form that makes it possible to identify the subject of the personal data for a period no longer than that needed for the purposes of processing the personal data, unless the personal data storage period is stipulated by federal law or an agreement to which the subject of the personal data is a party, beneficiary, or guarantor
- Personal data that has been processed shall be destroyed or depersonalized once the purposes of its processing have been achieved or in the event there is no longer any need to achieve these purposes, unless otherwise stipulated by federal law
- Personal data shall not be disclosed to third parties or distributed without the consent of the personal data subject, unless otherwise stipulated by federal law
4.2. List of subjects whose personal data is processed by the Foundation
4.2.1. The Foundation processes the personal data of the following categories of personal data subjects:
- Employees of the Foundation
- Other personal data subjects who do not have employment relations with the Foundation (to ensure the purposes of processing specified in clause 4.1.1 of this Policy)
4.3. List of personal data processed by the Foundation
4.3.1. The list of personal data processed by the Foundation is determined based on the laws of the Russian Federation and the Foundation’s in-house regulations, taking into account the purposes of processing personal data specified in clause 4.1.1 of the Policy.
4.3.2. The Foundation does not process any special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, or intimate life.
4.3.3. The Foundation may only process biometric personal data with the written consent of the personal data subject, except for cases stipulated by the laws of the Russian Federation.
4.3.4. The Foundation only processes personal data that the personal data subject has permitted to be distributed with the individual consent of the personal data subject for distribution in compliance with the prohibitions and conditions for the processing of personal data stipulated by the personal data subject.
4.4. List of actions performed with personal data and methods of its processing
4.4.1. The Foundation collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes, and destroys personal data.
4.4.2. The Foundation processes personal data in the following ways:
- Non-automated processing of personal data
- Automated processing of personal data with or without the transmission of the information obtained via information and telecommunications networks
- Mixed processing of personal data
4.4.3. Personal data is not transmitted across borders.
4.5. Conditions for the processing of personal data
4.5.1. The Foundation processes personal data with the personal data subject’s consent to the processing of his/her personal data, unless otherwise stipulated by applicable law.
4.5.2. The Foundation may entrust the processing of personal data to another entity with the consent of the personal data subject, unless otherwise stipulated by federal law, based on an agreement concluded with this person (hereinafter the operator’s instructions). The operator’s instructions specify the list of actions (operations) with personal data that will be performed by the person processing personal data based on the instructions and the purposes of its processing, establish the obligation of such person to maintain the confidentiality of the personal data, ensure the security of the personal data during its processing, and specify the requirements for the protection of the personal data that is being processed in accordance with Article 19 of the Federal Law ‘On Personal Data’.
4.5.3. Personal data shall be processed until the purposes of its processing are achieved, unless the personal data processing period is established by federal law or an agreement to which the personal data subject is a party, beneficiary, or guarantor.
4.5.4. Personal data shall be processed by the Foundation’s employees whose job responsibilities include processing personal data, as well as by the Foundation’s interns to the extent necessary to undergo on-the-job training, after an agreement has been signed to maintain the confidentiality of the personal data and following the review of the legislative provisions of the Russian Federation and the Foundation’s in-house regulations concerning personal data, including the requirements for the protection of personal data.
4.5.5. When taking decisions that affect the interests of the personal data subject, the Foundation may not rely on personal data obtained solely as a result of its automated processing.
5.1. Personal data subjects are entitled to:
- Receive full information about their personal data that is being processed by the Foundation
- Access their personal data, including the right to receive a copy of any record containing their personal data, except for cases stipulated by federal law
- Update, block, or destroy their personal data based on an application if it is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing
- Revoke consent to the processing of their personal data
- Take measures stipulated by law to protect their rights
- Appeal the Foundation’s actions or inaction that were performed in violation of the requirements of the laws of the Russian Federation concerning personal data with the authorized body for the protection of the rights of personal data subjects or with a court
- Exercise other rights stipulated by applicable law
5.2. The rights of personal data subjects to access their personal data may be limited in accordance with federal laws, including if the personal data subject’s access to his/her personal data violates the rights and legitimate interests of third parties.
5.3. The personal data subject may decline informational messages at any time by clicking on the ‘Unsubscribe’ link in each letter or sending an email to info@roscongress.org with the subject line ‘Refusal to receive notifications about new products, services, and special offers’.
5.4. The personal data subject may revoke consent it has previously given to the processing of personal data at any time by personally contacting or sending a written request (including an electronic document signed with a simple electronic signature or an enhanced qualified electronic signature) in electronic form to info@roscongress.org or in writing to the address: 12, Krasnopresnenskaya Naberezhnaya, entrance 7, room 1101, Moscow, Russia, 123610.
6.1. The Foundation takes the following key measures to ensure the security of personal data:
6.1.1. The security of personal data is ensured during its processing by preventing any unauthorized, including accidental, access to the personal data, which may result in the destruction, modification, blocking, copying, or distribution of the personal data, as well as any other unauthorized actions with the personal data.
6.1.2. Measures to ensure the security of personal data are determined taking into account the possible emergence of threats to the vital interests of the individual, society, and the country.
6.2. Measures taken by the Foundation to ensure that the operator fulfils its obligations when processing personal data:
6.2.1. The Foundation takes legal, organizational, and technical measures to protect personal data against any unauthorized or accidental access, destruction, modification, blocking, copying, provision, or distribution of the personal data, as well as any other illegal actions with respect to the personal data.
6.2.2. As stipulated by the laws of the Russian Federation concerning personal data and the Foundation’s in-house regulations concerning personal data, the measures that are essential and sufficient to ensure that the Foundation fulfils its obligations as an operator include:
- Appointing a person responsible for organizing the processing of personal data at the Foundation
- Adopting in-house regulations and other documents concerning the processing and protection of personal data
- Publishing or otherwise ensuring unrestricted access to the Policy
- Ensuring the Foundation’s employees who are directly involved in the processing of personal data are familiar with the legislative provisions of the Russian Federation and the Foundation’s in-house regulations concerning personal data, including the requirements for the protection of personal data
- Obtaining consent from personal data subjects for the processing of their personal data, except for cases stipulated by the laws of the Russian Federation
- Separating personal data processed without automation tools from other information, in particular by recording it on separate tangible personal data carriers and in special sections
- Ensuring the separate storage of personal data and its tangible carriers that are processed for different purposes and contain different categories of personal data
- Ensuring the security of personal data when transmitting it via open communication channels
- Storing tangible media with data in conditions that ensure the safeguarding of the personal data and prevent unauthorized access to it
- Conducting internal monitoring to ensure that the processing of personal data complies with the Federal Law ‘On Personal Data’, regulatory legal acts adopted in accordance therewith, the requirements for the protection of personal data, this Policy, and the Foundation’s in-house regulations
- Providing information in the prescribed manner to personal data subjects or their representatives about the existence of personal data concerning the relevant subjects and providing them with an opportunity to review this personal data upon request, unless otherwise stipulated by the laws of the Russian Federation
- Ceasing the processing of personal data and destroying it in cases stipulated by the laws of the Russian Federation concerning personal data
- Taking other measures stipulated by the laws of the Russian Federation concerning personal data
6.2.3. The measures taken to ensure the security of personal data when it is processed in personal data information systems are established in accordance with the Foundation’s in-house regulations concerning the security of personal data when it is processed in such systems.
7.1. Compliance with the legislative requirements of the Russian Federation and the Foundation’s in-house regulations concerning personal data, including requirements for the protection of personal data, is monitored for the purpose of:
- Verifying that the processing of personal data complies with these requirements
- Verifying that the measures taken to protect personal data comply with these requirements
- Taking measures to prevent and identify violations of the laws of the Russian Federation concerning personal data, identify any possible channels used to leak or provide unauthorized access to personal data, and mitigate the aftermath of such violations.
7.2. Internal monitoring of compliance with the legislative requirements of the Russian Federation and the Foundation’s in-house regulations concerning personal data, including requirements for the protection of personal data, is performed by the person responsible for organizing the processing of personal data at the Foundation.