PRIVACY POLICY

 

  1. General provisions

1.1. This Confidentiality Policy (hereinafter – the “Policy”) has been developed in accordance with clause 2 article 18.1 of the Federal Law “Concerning Personal Data” No. 152-FZ dated July 27, 2006 and other regulations of the Russian Federation in the area of personal data protection and processing, and shall apply to all personal data, which the Association for International Cooperation of Non-profit Organizations (hereinafter – the “Operator”) may receive from a personal data subject being an Internet user (hereinafter – the “User”), when using the website “International Forum “The World of Business Associations” available at www.npoforum.org (hereinafter – the “Website”), as well as other personal data subjects, who are in civil-law (including corporate) or employment relations with the Operator.

1.2. To the extent that the Website is intended for the Users being residents of the European Union, the Policy is also based on the Regulation of the European Parliament and the Council of the European Union No. 2016/679 dated April 27, 2016 on protection of natural persons when processing their personal data and on free circulation of such data, as well as on cancellation of Directive 95/46/EC (General Data Protection Regulation/GDPR).

1.3. Personal data of the Users, who are not residents of the Russian Federation or the European Union, shall be protected subject to international treaties in the area of personal data protection, legislation applicable to such relations, and the Policy provisions.

1.4. The Operator shall be entitled to unilaterally amend this Policy. All amendments introduced by the Operator to the Policy shall come into effect and become binding after placement of the latest version on the Website.

1.5. The Policy provisions shall apply as well to all employees of the Operator (including employees employed under employment agreements and persons employed under civil law contracts) and all business units of the Operator, including separate subdivisions.

  2. Basic definitions

Personal data – any information related to any directly or indirectly identified or identifiable person;

Personal data subject – a natural person, who is directly or indirectly identified or identifiable by means of personal data;

Personal data processing – any act (transaction) or a number of acts (transactions) performed with or without the use of automation facilities with regard to the personal data, including collection, recording, systematization, accumulation, storage, rectification (updating, amendment), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;

Automated processing of personal data – personal data processing by means of computer equipment;

Personal data information system (PDIS) – the total of personal data contained in the databases, as well as information technologies and hardware, which ensure its processing;

Distribution of personal data – acts aimed at disclosure of personal data to the public;

Provision of personal data – acts aimed at disclosure of personal data to a certain person or to a certain group of persons;

Blocking of personal data – suspension of personal data processing (except where the processing is required for rectification of personal data);

Destruction of personal data – acts resulting in impossibility to restore the content of the personal data in the personal data information system and (or) resulting in destruction of physical media bearing the personal data;

Cross-border transfer of personal data – transfer of personal data to a foreign territory, a foreign government authority, a foreign natural person or a foreign legal entity.

  3. Conditions and arrangements for personal data processing

3.1. Personal data shall be processed:

  • with consent of a personal data subject to his personal data processing;
  • in cases when personal data, which was made public by the personal data subject, is processed;
  • in other statutorily provided cases.

3.2. The Operator shall perform both automated and non-automated personal data processing.

Personal data shall be processed by way of:

  • receiving information, which contains personal data, in oral or written form, directly from personal data subjects;
  • provision by personal data subjects of any required original documents;
  • receiving duly certified copies of documents, which contain personal data, or copying original documents;
  • receiving personal data when forwarding requests to government bodies, public non-budgetary funds, other government agencies, local government bodies, profit making organizations and non-profit organizations, natural persons, where and as provided for by law;
  • receiving personal data from publicly available sources;
  • recording (registration) personal data in logs, books, registers and other account forms;
  • entering personal data to the information systems of the Operator;
  • using other means and methods of recording personal data received as part of the Operator’s activities.

Personal data may be transferred to any third parties (including any cross-border transfer) only with the written consent of personal data subjects, except when it is necessary to prevent risks to life or health of personal data subjects, and in other statutorily provided cases.

3.3. The Operator shall be entitled to assign personal data processing to any other legal entity or individual entrepreneur with the consent of personal data subjects on the basis of a contract concluded. In this case the essence of the contract shall be an obligation of such person to ensure confidentiality and personal data security upon its transfer and processing.

A person, who processes personal data on behalf of the Operator, shall comply with the principles and rules of personal data processing, which are provided for by legislation in the area of personal data processing and by this Policy.

3.4. Any cross-border transfer of personal data to foreign territories, which are the parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states, which ensure adequate protection of rights of personal data subjects, shall be performed in accordance with the Federal Law “Concerning Personal Data” and may be prohibited or restricted for the purpose of protection of the foundations of the constitutional system of the Russian Federation, morals, health, rights and legitimate interests of its citizens, national defense and security. Any cross-border transfer of personal data to a foreign territory, which is not a party to such Convention, shall be performed in accordance with regulations of the Russian Federation subject to conformity of the legal standards and personal data safeguards applicable in such state with the Convention provisions.

  4. Purposes of and legal grounds for personal data processing

4.1. The purposes of personal data processing shall be:

  • personal data subject identification;
  • communication with a personal data subject, including for sending notices, requests and information related to the use of the Website, as well as for processing the User’s requests and applications;
  • exercise and performance of corporate rights and obligations by the Operator, if they arise between the employer of a personal data subject and the Operator (joining the Association of international cooperation between non-profit organizations by the employer of a personal data subject);
  • exercise and performance by the Operator of its labour rights and obligations;
  • performance by the Operator of its obligations stipulated by labour, tax, accounting, pension legislation subsequent to conducting current activities.

4.2. Legal grounds for personal data processing

Legal grounds for personal data processing are the whole of regulations, in pursuance of and in accordance with which the Operator processes personal data, including:

  • Constitution of the Russian Federation;
  • Civil Code of the Russian Federation;
  • Labour Code of the Russian Federation;
  • Tax Code of the Russian Federation;
  • Federal Law “Concerning Non-Commercial Organizations” dated January 12, 1996 No. 7-FZ;
  • Federal Law “On Information, Information Technologies and Information Protection” dated July 27, 2006 No. 149-FZ;
  • Federal Law “On Individual (Personalized) Record-Keeping in the Compulsory Pension Insurance System” dated April 1, 1996 No. 27-FZ;
  • Federal Law “On the Procedure for Exit from the Russian Federation and Entry into the Russian Federation” dated August 15, 1996 No. 114-FZ;
  • other regulations of the Russian Federation and statutory documents issued by competent public authorities;
  • Regulation of the European Parliament and the Council of the European Union No. 2016/679 dated April 27, 2016 on protection of natural persons when processing their personal data and on free circulation of such data, as well as on cancellation of Directive 95/46/EC (General Data Protection Regulation/GDPR);
  • the Operator’s articles of association and other in-house policies and procedures of the Operator.

  5. Categories of personal data subjects and volume of processed data

5.1. The Operator shall process personal data of the following personal data subjects:

  • natural persons being the Website Users;
  • natural persons being employees (representatives) of organizations registered on the Website;
  • natural persons being members (participants) of organizations registered on the Website;
  • natural persons engaged for performance of works under civil-law contracts;
  • employees of the Operator, including former employees;
  • candidates to vacant positions of the Operator.

5.2. Volume of processed data.

5.2.1. Natural persons being the Website Users:

  • full name;
  • picture;
  • e-mail address;
  • telephone number.

5.2.2. Natural persons being employees (representatives) of organizations registered on the Website:

  • full name;
  • position within the organization;
  • picture;
  • e-mail address;
  • telephone number.

5.2.3. Natural persons being members (participants) of organizations registered on the Website:

  • full name;
  • picture;
  • e-mail address;
  • telephone number.

5.2.4. Natural persons engaged for performance of works under civil-law contracts:

  • full name;
  • passport details;
  • insurance individual account number (IIAN);
  • taxpayer identification number (if any).

5.2.5. Employees of the Operator, including former employees:

  • full name;
  • gender;
  • age;
  • picture;
  • passport details;
  • registration address and residence address;
  • taxpayer identification number;
  • insurance individual account number (IIAN);
  • education, qualification, occupational training and further training details;
  • marital status, number of children, family ties;
  • information on professional experience, including availability of incentives, rewards and/or disciplinary penalties;
  • marriage registration details;
  • military service details;
  • disability details;
  • maintenance deduction details;
  • details of income from the previous place of work;
  • other personal data provided by employees in accordance with labour legislation requirements.

5.2.6. Candidates to vacant positions of the Operator:

  • full name;
  • year and place of birth;
  • contact details;
  • occupation details and other personal data provided by a candidate in a curriculum vitae and accompanying letters.

  6. Personal data storage

6.1. Personal data of subjects may be received, further processed and deposited for safe-keeping both in hard copy and in electronic form.

6.2. Any personal data recorded on paper shall be stored in lockable cabinets or in lockable premises with restricted access.

6.3. Personal data of subjects processed with the use of automation facilities for different purposes shall be kept in different files.

6.4. It is prohibited to store and place any documents, which contain personal data, in open e-catalogs (file share) in the PDIS.

6.5. Any personal data stored in a form that allows identification of the personal data subject shall be kept only as long as is required by the purposes of its processing, and such data shall be subject to destruction upon achievement of the purposes of processing or if there is no further need to achieve them. If the period for retaining personal data is prescribed by the law, such data shall be kept during the required period.

  7. Basic rights of personal data subjects and obligations of the Operator

7.1. A personal data subject shall have the right of access to his personal data and the following information:

  • confirmation of the fact of personal data processing by the Operator;
  • legal grounds for and purposes of personal data processing;
  • purposes and personal data processing procedures used by the Operator;
  • name and location of the Operator, information on any persons (except for the Operator’s employees), who have access to personal data or to whom personal data may be disclosed by virtue of a contract with the Operator or pursuant to the federal law;
  • time limits for personal data processing, including its storage time;
  • company name or surname, name, patronymic and address of a person, who processes personal data on behalf of the Operator, if the processing has been assigned or will be assigned to such person;
  • application to the Operator and forwarding requests to it;
  • complaining against any action or inaction of the Operator.

7.2. A personal data subject shall be entitled to withdraw his consent to personal data processing at any time.

7.3. The Operator shall adopt any required legal, organizational or technical measures or assure adoption thereof for personal data protection from unauthorized or accidental access thereto, personal data destruction, alteration, blocking, copying, disclosure or distribution, as well as from other inappropriate actions with regard to personal data, in particular, as follows:

  • appointment of a person in charge of personal data processing, who organizes personal data processing, training and briefing, conducts internal controls over compliance by the Operator and its employees with the requirements to personal data protection.
  • identification of immediate personal data security threats upon personal data processing in the PDIS and development of measures and activities for personal data protection.
  • making rules of access to personal data processed in the PDIS, as well as assurance of registration and recording of all operations completed with personal data in the PDIS.
  • setting individual passwords for the employees to access the information system in accordance with their job duties.
  • detection of any facts of unauthorized access to personal data and effective adoption of legal measures.
  • restoration of personal data modified or destroyed in consequence of unauthorized access thereto.
  • teaching employees, who actually process personal data, legislative provisions on personal data, including requirements to personal data protection, documents, which define the policy of the Operator in relation to personal data processing, in-house policies and procedures related to personal data processing issues.
  • conducting internal controls and audit.

7.4. The Operator shall respond to requests and applications of personal data subjects, their representatives and the authorized body for protection of the rights of personal data subjects.

7.5. The Operator shall, for the purpose of compliance with the requirements of the GDPR, appoint a representative in the European Union.

7.6. The Operator shall ensure free access to the Policy by posting it on the Website at: http://npoforum.org/privacy-policy/

7.7. The Operator shall perform other duties provided for by legislation of the RF, the GDPR, this Policy, other in-house policies and procedures of the Operator.

  8. Updating and destruction of personal data

8.1. The Operator shall update personal data, if any fact of inaccuracy thereof is identified or if a personal data subject or his legal representative requests to update the personal data.

8.2. The Operator shall destroy the processed personal data upon the occurrence of the following circumstances and within the following time limits:

  • the purposes of personal data processing specified in clause 4.1. have been achieved – within 30 (thirty) days;
  • the maximum statutory period for retaining personal data has expired – within 30 (thirty) days;
  • there is no further need to pursue the purposes of personal data processing – within 30 (thirty) days;
  • a personal data subject or his legal representative confirms that the personal data has been illegally obtained or is not required for the declared purpose of processing – within 7 (seven) days;
  • a personal data subject withdraws his consent to his personal data processing, if data retention is no longer required for personal data processing – within 30 (thirty) days.

Updated on September 28, 2018