Personal data processing policy

1. Terms and definitions

Personal data (hereinafter: PD) refers to any information, directly or indirectly related to a certain or identifiable individual (subject).

Personal data subject refers to an individual, who is directly or indirectly determined or identified based on the applicable personal data.

Personal data processing operator refers to the National Association of Consulting Engineers in Construction (hereinafter: NACEC), which deals with personal data processing, definition of personal data processing purposes, personal data contents to be processed, and procedures to be applied to personal data.

Specialist in charge of personal data processing refers to an operator’s employee, who deals with security, protection, and implementation of the requirements of the current legislation during personal data processing.

Cross-border transfer of personal data refers to handover of personal data to a foreign legal authority, foreign individual, or foreign legal entity.

Personal data confidentiality refers to the mandatory requirement for an operator or other individual having access to personal data not to disclose or spread personal data without the consent of a personal data subject or other legal justification provided for by federal laws.

Personal data processing refers to any procedure (operation) or combination of procedures (operations), carried out with the use of automation technologies or without them, related to personal data, including personal data collecting, recording, classifying, accumulating, storing, clarifying (updating, changing), extracting, using, transmitting (spreading, providing, accessing), depersonalizing, blocking, deleting, and erasing.

Automated personal data processing refers to processing of personal data with the use of computer engineering means.

Personal data information system (hereinafter: PDIS) refers to a combination of personal data stored in the database and information technologies and technical means, which allow processing such personal data with the use of computer engineering means or without them.

Personal data protection refers to a set of measures of technical, organizational, and managerial-and-engineering nature, purposed for protection of the data, related to a personal data subject, which is determined or identified, based on such information.

Personal data blocking refers to temporary interruption of personal data processing (apart from the cases when processing is required for personal data clarification).

Personal data depersonalization refers to procedures, by which it is impossible to determine true belonging of personal data to a certain personal data subject without the use of additional information.

Personal data provision refers to procedures, purposed for disclosing of personal data to a certain individual or certain group of individuals.

Personal data erasing refers to procedures, by which it will be impossible to restore personal data contents, stored in the personal data information system and/or by which personal data tangible media will be erased.

Personal data spreading refers to procedures, purposed for personal data disclosing to an indefinite range of individuals.

2. General provisions

2.1. The present policy is developed as per provisions of the Federal law No 152-ФЗ “On Personal Data” (hereinafter: FL “On Personal Data”) as of July, 27th, 2006, and in compliance with other federal laws or secondary legislation of the Russian Federation, which are to determine the cases and special aspects of personal data processing, as well as providing security and confidentiality of such information (hereinafter: Personal Data Legislation). This policy is applicable to all personal data to be processed by an operator.

2.2. The present policy is developed for the purpose of implementation of legal requirements, related to personal data processing and security assurance; and it is aimed to protect humans’ rights and fundamental freedoms while processing their personal data by an operator.

2.3. The policy is to regulate the following:

  • Personal data processing purposes;
  • General principles of personal data processing;
  • Arrangement of personal data processing management system;
  • Personal data subject’s rights;
  • Responsibilities of a personal data processing operator.

2.4. Regulations of the present policy refer to the framework, required to arrange personal data processing jobs.

2.5. The policy is mandatory for review and execution to be carried out by all the individuals, authorized for personal data processing.

2.6. The present policy is to be shared at a common access resource.

2.7. Reconsidering and updating of the present policy shall be carried out due to changes in the legislation of the Russian Federation in the area of personal data, based on the findings of the analysis of relevance, sufficiency, and efficiency of the applied procedures to ensure personal data security while processing with the use of personal data information systems and other control measures.

3. Personal data processing purposes

An operator, being on a stand-alone basis or in cooperation with other individuals, shall organize and/or process PD, as well as determine PD processing purposes, contents to be processed, and procedures (operations) to be carried out. PD processing related to PD subjects shall be carried out by an operator for the following purposes:

  • Recording and registration of World Construction Championship’s visitors;
  • Providing accommodation services to World Construction Championship’s participants;
  • Implementation of other requirements of the Russian legislation.

4. General principles of personal data processing

Personal data processing is carried out based on the following principles:

  • Legitimacy of personal data processing purposes and methods;
  • Correspondence of personal data processing purposes to the purposes, which have been pre-determined and stated while personal data collecting;
  • Correspondence of personal data processing amount, nature, and methods to the purposes of personal data processing;
  • Credibility and sufficiency (and relevance, where appropriate) of personal data with consideration to the stated processing purposes;
  • Non-allowability of combination of databases, which contain those personal data to be processed for contradictory purposes;
  • Erasing or depersonalizing of personal data once the processing goal is achieved, using the methods excluding the possibility of its restoration (unless otherwise required by the Russian legislation);
  • Providing confidentiality and security of the personal data to be processed.

5. Arrangement of personal data processing management system

5.1. Personal data processing with respect to a personal data subject shall be carried out with the official permission to process personal data, unless otherwise required by the Russian legislation, based on the Agreement to be concluded with this individual. Mandatory provisions of that Agreement shall include implementation of personal data processing rules and principles, considered by the Federal law, to be ensured by that individual, as well as personal data confidentiality and security while processing the data in compliance with the Russian legislation.

5.2. Government authorities’ representatives (including supervisory agencies, compliance monitoring authorities, law enforcement bodies, bodies of inquiry and preliminary investigation, and other authorities, based on the grounds established by the current legislation of the Russian Federation) get access to personal data to be processed in the manner and scope, established by the current legislation of the Russian Federation.

5.3. An operator has the right to assign personal data processing to other individual upon the consent of a personal data subject, unless otherwise required by the Federal law. Such personal data processing shall be only carried out based on the Contract, concluded by an operator and a third party. The Contract shall determine the following:

  • The list of procedures (operations) to be applied to personal data to be carried out by a third party in relation to personal data processing;
  • Personal data processing purposes;
  • Obligations of a third party to protect the confidentiality of personal data and ensure personal data security while processing, as well as keep the requirements to personal data security.

5.4. An operator shall have liability to a personal data subject for acts of the individuals, who are assigned with personal data processing related to a personal data subject.

5.5. Personal data shall not be disclosed to third parties and shall not be otherwise spread without the consent of a personal data subject, unless otherwise required by the Russian legislation. In case of disclosing (providing) personal data to third parties it is mandatory to meet the requirement to personal data protection.

5.6. Personal data processing is carried out both with the use of computer equipment and without it, including personal data collecting, recording, classifying, accumulating, storing, clarifying (updating, changing), extracting, using, transmitting (spreading, providing, accessing), depersonalizing, blocking, deleting, and erasing within the time limits, required to follow personal data processing purposes.

5.7. In the normal course of jobs performance, an operator may carry out cross-border transfer of personal data as per provisions of the Federal law No 152-ФЗ with consideration of personal data processing purposes.

5.8. Access to personal data to be processed shall be granted only to those employees, who need to implement their official duties, following the principles of individual accountability.

5.9. Personal data processing shall be stopped once its purposes have been achieved, and upon expiration of the deadline, established by the law, Contract, or consent provided by a personal data subject. In case a personal data subject withdraws the consent for personal data processing, an operator has the right to proceed with personal data processing without such consent, if it is required by the Contract, in which a personal data subject acts as a beneficiary or guarantor. Operators may also proceed with personal data processing, following other agreements between an operator and personal data subject, as well as other Federal laws.

5.10. Personal data storage shall be carried out provided that a personal data subject will be identified only as long as is needed for personal data processing purposes, except for the cases when personal data storage time is regulated by the Federal law or the Contract, in which a personal data subject acts as a beneficiary or guarantor.

6. Personal data subject’s rights

6.1. A personal data subject has the right to get the information related to the applicable personal data to be processed, including the following:

  • Confirmation of personal data processing fact;
  • Legal basis and purposes of personal data processing;
  • Purposes and applicable methods of personal data processing;
  • Identification and location of an operator, information about the individuals (except for operator’s employees) having access to personal data or having possibility to be provided with personal data based on the Contract with an operator or the Federal law;
  • The list and categories of personal data to be processed and related to a correspondent personal data subject and their source unless other procedures for such data provision are established by the Federal law;
  • Personal data processing deadlines, including data storage deadlines;
  • The procedure of implementation of personal data subject’s right, listed in the Federal law No 152-ФЗ;
  • Information about actual or planned cross-border transfer of personal data;
  • Availability of fully automated process to take decisions based on personal data;
  • Other information considered by the Federal law No 152-ФЗ or other Federal laws.

6.2. Personal data subject’s right to receive the information related to applicable personal data processing may be limited in the cases, established by the Federal law No 152-ФЗ.

6.3. A personal data subject has the right to require applicable personal data correction in case of any discrepancies discovered in personal data contents, as well as require updating of personal data, including the method of additional applications.

6.4. A personal data subject has the right to withdraw the consent to applicable personal data processing and require erasing applicable personal data from operator’s system, if personal data are no longer required for the purposes, which had been the reason for their provision.

6.5. A personal data subject has the right to require limitation of applicable personal data processing with the purpose of operator’s advertising offers.

6.6. Personal data subject also has other rights, established by the Federal law No 152-ФЗ.

7. Responsibilities of a personal data processing operator

7.1. In the cases established by the Russian legislation within the area of personal data, an operator shall provide a personal data subject or a correspondent representative with the information, listed in item 6.1 of the present policy, upon application or request made by a representative.

7.2. While collecting personal data (including with the use of the information and telecommunications network “Internet”), an operator shall ensure recording, classifying, accumulating, storing, clarifying (updating, changing), and extracting of personal data of citizens of the Russian Federation with the use of databases, located on the territory of the Russian Federation, except for the cases listed in the Federal law No 152-ФЗ.

7.3. An operator bears other responsibilities, established by the Federal law No 152-ФЗ.

8. Final provisions

8.1. An operator and applicable appointed officials and employees bear civil, administrative, and other responsibilities for non-compliance with the principles and conditions of processing of individuals’ personal data, as well as disclosing of personal data or its illegal usage as per Russian legislation.

8.2. The policy is generally available, and it is subject to be located at the official web-site or to be otherwise unlimitedly accessible.

9. Catalog of regulatory documents and legal basis of personal data processing

  • Constitution of the Russian Federation.
  • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS N 108; signed in Strasbourg on January, 1st, 1981).
  • Federal law No 152-ФЗ “On Personal Data” as of July, 27th, 2006 with consideration of modifications and amendments.
  • Regulation No 2016/679 of the European Parliament and Council of the European Union “On the protection of individuals with regard to the processing of personal data and on the free movement of such data” (signed in Brussels on April, 27th, 2016).
  • Federal law No 149-ФЗ as of July, 27th, 2006 “On Information, Information Technologies and the Protection of Information”.
  • Decree of the Government of the Russian Federation No 687 as of September, 15th, 2008 “On Establishment of the Regulation on Special Aspects of Personal Data Processing without the Use of Computer Aids”.
  • Decree of the Government of the Russian Federation No 512 as of July, 6th, 2008 “On Establishment of the Requirements to Tangible Media of Biometric Personal Data and Storage Technologies Applicable to such Data beyond Personal Data Information Systems”.
  • Decree of the Government of the Russian Federation No 1119 as of November, 1st, 2012 “On Establishment of the Requirements to Protect Personal Data while Processing such Data in Personal Data Information Systems”.
  • Russia’s FSTEC Order No 21 as of February, 18th, 2013 “On Determination of Contents and Structure of Organizational and Technical Measures to Ensure Personal Data Security while Processing such Data in Personal Data Information Systems”.
  • Russia’s FSB security agency Order No 378 as of July, 10th, 2014 “On Determination of Contents and Structure of Organizational and Technical Measures to Ensure Personal Data Security while Processing such Data in Personal Data Information Systems with the Use of Means of Cryptographic Information Protection, Required to Implement the Requirements of the Government of the Russian Federation to Personal Data Protection, Applicable to all the Protection Levels”.
  • Russian Ministry of Communications’ Order No 321 as of June, 25th, 2018 “On Establishment of the Procedure of Processing, Including Collecting and Storing of Biometric Personal Data Parameters for the Purposes of Identification, Location, and Updating of Biometric Personal Data in the Unified Biometric System, as well as Requirements to Information Technologies and Technical Means, Purposed for Biometric Personal Data Processing Required for Identification”.
  • Other legislative acts of the Russian Federation and regulatory documents, issued by the executive state government bodies.