RU

Policy of the Roscongress Foundation regarding the processing of personal data

1. General provisions

This regulation, which defines the personal data processing policy, is prepared in accordance with the requirements of Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter – Personal Data Law) and defines the personal data processing procedure and personal data security measures undertaken by the Roscongress Foundation (hereinafter – “Operator”).

1.1. The Operator’s most important objective and condition for carrying out its activities is to respect human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Operator’s personal data processing policy (the “Policy”) applies to all information that the Operator may receive about visitors to the website https://rusafetyweek.com/.

2. Basic concepts used in the Policy

2.1. Automated processing of personal data is processing of personal data by means of computer technology.

2.2. Blocking of personal data is temporary suspension of personal data processing (unless processing is necessary to clarify personal data).

2.3. The website is a collection of graphic and informational material, as well as computer programmes and databases, making them available on the Internet at a network address https://rusafetyweek.com/.

2.4. Personal data information system is the totality of personal data contained in databases of personal data, and ensuring its processing with the use of information technologies and technical means.

2.5. De-identification of personal data is actions that make it impossible to determine, without the use of additional information, whether the personal data belongs to a specific User or another subject of personal data.

2.6. Processing of personal data is any action (operation) or a set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, or destruction of personal data.

2.7. Operator is a government agency, municipal authority, legal entity or natural person, independently or together with other persons, arranging and (or) performing processing of personal

data, as well as determining the purposes of personal data processing, composition of personal data to be processed, actions (operations) performed with personal data.

2.8. Personal data is any information relating directly or indirectly to an identified or identifiable User of the website https://rusafetyweek.com/.

2.9. Personal data permitted by the personal data subject for dissemination – personal data to which access is granted to an unlimited number of persons by the personal data subject by giving consent to processing of personal data permitted by the personal data subject for dissemination in the manner prescribed by the Personal Data Law (hereinafter – “personal data permitted for dissemination”).

2.10. User is any visitor to the website https://rusafetyweek.com/.

2.11. Provision of personal data is the act of disclosing personal data to a certain person or a certain circle of persons.

2.12. Dissemination of personal data is any actions aimed at disclosure of personal data to an indefinite range of persons (transfer of personal data) or to make personal data available to an unlimited range of persons, including disclosure of personal data in the media, placement in information and telecommunications networks or providing access to personal data in any other way.

2.13. Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign country to a foreign authority, a foreign physical person or a foreign legal entity.

2.14. Destruction of personal data is any action resulting in the destruction of personal data irretrievably with the impossibility of further restoration of personal data content in the information system of personal data and (or) destruction of tangible media of personal data.

2.15. A cookie is a small piece of data sent by a web server and stored on the computer of a data subject (User), which the web client or web browser sends to the web server each time it tries to open a website page.

2.16. An IP address is the unique network address of a node in an IP-based computer network.

3. Basic rights and duties of the Operator

3.1. The Operator has the right to:

– receive accurate information and/or documents containing personal data from the data subject;

– if the personal data subject withdraws their consent to the processing of personal data, the Operator may continue the processing of personal data without the consent of the personal data subject on the grounds set out in the Personal Data Law;

– Independently determine the composition and list of measures necessary and sufficient to ensure the fulfilment of obligations under the Personal Data Law and regulations adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;

– to assign the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of a contract concluded with that

person. The person processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing stipulated by the Personal Data Law, maintain the confidentiality of personal data and take necessary measures to ensure fulfilment of the obligations stipulated by the Personal Data Law.

3.2. The Operator is obliged to:

– provide the data subject, at his or her request, with information relating to the processing of his or her personal data;

– organize the processing of personal data in accordance with the procedure laid down in the applicable laws of the Russian Federation;

– respond to requests and enquiries from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;

– inform the authority responsible for the protection of personal data subjects’ rights (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roscomnadzor)) of the required information upon request of this authority within 10 business days from the date of receipt of such request. This period may be extended, but by no more than five business days. In order to do so, the Operator must send to Roscomnadzor a motivated notice specifying the reasons for extending the deadline for providing the requested information;

– in accordance with the procedure determined by the federal executive body responsible for security, ensure interaction with the state system for the detection, prevention and elimination of computer attacks on Russian information resources, including informing it of computer incidents that have resulted in the unlawful transfer (provision, dissemination, access) of personal data;

– publish or otherwise provide unrestricted access to this policy on the processing of personal data;

– take legal, organizational and technical measures to protect personal data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as against other unlawful acts in relation to personal data;

– stop the transfer (dissemination, provision, access) of personal data, cease processing and destroy personal data in the manner and cases provided for in the Personal Data Law.

4. Basic rights and obligations of subjects of personal data

4.1. Personal data subjects have the right to:

– receive information relating to the processing of his or her personal data, except in cases provided for by federal laws. Information shall be provided to the personal data subject by the Operator in an accessible form and shall not contain personal data relating to other personal data subjects, unless there are legitimate grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Personal Data Law;

– demand that the Operator clarify, block or destroy personal data if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and to take statutory measures to protect their rights;

– give prior consent to the processing of personal data for the purpose of promoting goods, works and services;

– to withdraw consent to the processing of personal data;

– appeal to the competent authority for the protection of the rights of personal data subjects or to a court of law against unlawful acts or omissions of the Operator in processing his personal data.

4.2. Personal data subjects shall:

– provide the Operator with accurate information about themselves;

– inform the Operator of updates or changes to their personal data.

4.3. Persons who provided the Operator with false information about themselves or information about another personal data subject without their consent shall be liable in accordance with Russian law.

5. Processing of personal data

5.1. The Operator may process the following personal data of the User:

5.1.1. Surname, first name, patronymic (if applicable);

5.1.2. Sex;

5.1.3. Citizenship;

5.1.4. Date and place of birth;

5.1.5. Number of the basic identity document, number of the foreign passport (if applicable), information on the date of issue of these documents and the issuing authority, series and number of a foreign citizen’s passport (if applicable);

5.1.6. Address of registration at the place of residence (domicile) and address of residence;

5.1.7. Contact information (mobile phone number, landline (home) telephone number, e-mail address);

5.1.8. Photographs;

5.1.9. Professional background, workplace/educational institution, and positions held;

5.1.10. The website also collects and processes anonymized visitor data (including cookies) using Internet statistics services (Yandex Metrika and Google Analytics and others);

5.2. The above-mentioned data hereinafter in the text of the Policy is combined with the general term Personal Data; the above personal data in accordance with the legislation of the Russian Federation falls under the category of “other”.

5.3. The Operator does not process special categories of personal data relating to race, ethnicity, political opinions, religious or philosophical beliefs or intimate life.

5.4. The processing of personal data, authorized for dissemination, from among the special categories of personal data specified in Article 10.1 of the Personal Data Law, is permitted if the prohibitions and conditions stipulated in Article 10.1 of the Personal Data Law are complied with.

5.5. The User’s consent to the processing of personal data authorized for dissemination shall be formalized separately from other consents to the processing of their personal data. The conditions stipulated, in particular, by Article 10.1 of the Personal Data Law shall be observed. The requirements for the content of such consent shall be established by the competent authority for the protection of personal data subjects’ rights.

5.5.1. Consent to the processing of personal data authorized for dissemination is given directly to the Operator by the User.

5.5.2. The Operator is obliged, within three business days of receiving the above consent from the User, to publish information about the processing conditions, prohibitions and conditions on the processing of personal data allowed for distribution to an unlimited number of persons.

5.5.3. The transfer (dissemination, provision, access) of personal data permitted by the personal data subject for dissemination shall be terminated at any time at the request of the personal data subject. This request shall include the surname, first name, patronymic (if available), contact information (telephone number, email address or postal address) of the personal data subject, as well as a list of personal data to be discontinued. The personal data specified in this request may only be processed by the Operator to which the request is sent.

5.5.4 Consent to the processing of personal data authorized for dissemination shall terminate upon receipt by the Operator of the request referred to in point 5.5.3 of this Policy regarding the processing of personal data.

6. Principles of personal data processing

6.1. The processing of personal data shall be lawful and fair.

6.2. Processing of personal data shall be limited to achieving specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of personal data collection shall not be permitted.

6.3. Databases containing personal data whose processing is incompatible with one another may not be merged.

6.4. Only personal data that fulfils the purposes for which it is processed should be processed.

6.5. The content and scope of personal data processed shall comply with the stated processing purposes. Processed personal data shall not be excessive in relation to the stated processing purposes.

6.6. When processing personal data, the Operator shall ensure the accuracy of personal data, its sufficiency and, where necessary, its relevance in relation to the purpose of personal data processing. The Operator shall take necessary measures and/or ensure that such measures are taken to remove or clarify incomplete or inaccurate data.

6.7. Personal data shall be stored in a form that allows identification of the personal data subject for no longer than is required by the purposes of personal data processing, unless the period of

personal data storage is established by federal law, an agreement to which the personal data subject is a party, a beneficiary or a guarantor under which the personal data subject is a beneficiary. Processed personal data shall be destroyed or depersonalized upon attainment of the processing objectives or if it is no longer necessary to attain such objectives, unless otherwise provided by federal law.

7. Purposes of personal data processing

7.1. For the purpose of creating a profile in the Roscongress personal account (Single Mobile Application) to provide access to its functionality, services and content of the roscongress.org website, the Roscongress Foundation processes personal data of the subject of personal data, classified as other personal data, namely:

- Surname, first name, patronymic (if applicable);

- Sex;

- Citizenship;

- Date and place of birth;

- Number of the basic identity document, number of the foreign passport (if applicable), information on the date of issue of these documents and the issuing authority, series and number of a foreign citizen’s passport (if applicable);

- Address of registration at the place of residence (domicile) and address of residence.

- Contact information (mobile phone number, landline (home) telephone number, e-mail address);

- Photographs;

- Professional background, workplace/educational institution, and positions held.

The methods, terms of processing and storage, as well as the procedure for destroying these personal data when their processing purposes are achieved or when other legitimate grounds arise are set out in the provisions of this Policy.

7.2. For the purpose of informing, by sending e-mails and/or otherwise, about participation in events organized and/or held by the Roscongress Foundation and/or its partners, including event customers, as well as informing about new products, services, special offers, the personal data of the subject of personal data, classified as other personal data, namely:

- Surname, first name, patronymic (if applicable);

- Citizenship;

- Contact information (mobile phone number, e-mail address).

The methods, terms of processing and storage, as well as the procedure for destroying these personal data when their processing purposes are achieved or when other legitimate grounds arise are set out in the provisions of this Policy

7.3. The Operator is entitled to send the User notifications about new products and services, special offers and various events, as well as about the socially oriented activities of the Roscongress Foundation. The User can always unsubscribe from receiving information messages by clicking on the “Unsubscribe” link in each email or by sending an email to info@roscongress.org marked “Unsubscribe from notifications about new products, services and special offers”.

7.4. The anonymised User data collected through Internet statistical services is used to collect information on the activities of Users on the website, to improve the quality of the website and its content.

8. Legal basis for processing personal data

8.1. The legal basis for processing personal data is the body of laws and regulations under which and in accordance with which the Operator processes personal data, including:

- Constitution of the Russian Federation;

- Civil Code of the Russian Federation;

– Federal Law No. 149-FZ of 27 July 2006 on Information, Information Technology and Information Protection;

– Federal Law No. 152-FZ of 27 July 2006 on personal data, other federal laws and regulations on personal data protection;

– Charter of the Roscongress Foundation;

- Users’ consent to the processing of their personal data, to the processing of personal data authorized for dissemination;

- Contracts concluded between the Operator and subjects of personal data;

- other laws and regulations governing relations connected with the activities of the Operator.

8.2. The Operator processes the personal data of the User only in case the User fills them in and/or sends them by himself through the special forms located on the website https://rusafetyweek.com/ or sent to the Operator by e-mail. By completing the relevant forms and/or sending their personal data to the Operator, the User expresses their consent to this Policy.

8.3. The Operator processes anonymized data about the User if the User’s browser settings allow this (cookie saving and use of JavaScript technology are enabled).

8.4. The personal data subject decides for himself/herself to provide his/her personal data and gives his/her consent freely, willingly and in his/her own interest.

9. Terms of personal data processing

9.1. Personal data is processed by the Operator in accordance with the requirements of Russian law.

9.2. The Operator processes personal data:

- with or without the consent of the personal data subjects to the processing of their personal data in cases stipulated by Russian law;

- access by an unlimited number of persons to which the personal data subject has provided or at his or her request (hereinafter “publicly accessible personal data”);

- that are subject to publication or compulsory disclosure under federal laws.

9.3. The Operator processes personal data for each processing purpose in the following ways:

- non-automated processing of personal data;

- automated processing of personal data, with or without transmission of the information received via information and telecommunication networks;

- mixed processing of personal data.

9.4. Employees of the Operator whose job duties include the processing of personal data are permitted to process personal data.

9.5. The processing of personal data for each processing purpose shall be carried out by:

- receiving personal data verbally and in writing, including by filling in forms on the website, directly from subjects of personal data;

- entering personal data into the Operator’s registers and information systems;

- using other ways of processing personal data.

9.6. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject shall not be permitted, unless otherwise provided by federal law. Consent for processing of personal data permitted by the personal data subject for dissemination shall be executed separately from other consents of the personal data subject for processing of his/her personal data.

Requirements for the content of consent to the processing of personal data, authorized by the personal data subject for dissemination, approved by the competent authority for the protection of personal data subjects’ rights.

9.7. The transfer of personal data to the bodies of enquiry and investigation, the Federal Tax Service, the Social Fund of the Russian Federation and other authorized executive authorities and organizations is carried out in accordance with the requirements of Russian legislation.

9.8. The Operator shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including:

- identifies security threats to the processing of personal data;

- adopts local normative acts and other documents regulating relations in the field of personal data processing and protection;

- appoints persons responsible for ensuring the security of personal data in the Operator’s organizational units and information systems;

- creates necessary conditions for dealing with personal data;

- organizes the recording of documents containing personal data;

- organizes the operation of information systems in which personal data are processed;

- keeps personal data in a manner that ensures its security and prevents unauthorized access to it;

- organizes training for the Operator’s employees who process personal data.

9.9. The Operator shall store personal data in a form that makes it possible to identify the subject of personal data for no longer than is required for each purpose of personal data processing, unless the period of storage of personal data is established by federal law or contract.

9.9.1. Personal data in hard copy shall be stored at the Roscongress Foundation during the retention periods of documents for which these periods are stipulated by the legislation on archiving in the Russian Federation (Federal Law dated 22 October 2004 No. 125-FZ “On archiving in the Russian Federation”, List of standard management archival documents formed in the course of activities of state bodies, local authorities and organisations, with indication of storage periods (approved by Order of Rosarchive dated 20 December 2019 No. 236)).

9.9.2. The retention period for personal data processed in personal data information systems corresponds to the retention period for personal data on paper.

9.10. The Operator stops processing personal data in the following cases:

- the fact of their inappropriate processing has been detected. Deadline is within three business days of discovery;

- the purpose of their processing has been achieved;

- the data subject’s consent to the processing of this data has expired or has been withdrawn, where the Personal Data Law allows for the processing of this data only with consent.

9.11. When the objectives of personal data processing have been achieved, or if the personal data subject has withdrawn their consent to the processing, the Operator stops processing the personal data if:

- unless otherwise provided in an agreement to which the personal data subject is a party, beneficiary or guarantor;

- the Operator may not process personal data without the consent of the personal data subject on the grounds stipulated by the Personal Data Law or other federal laws;

- unless otherwise provided for in another agreement between the Operator and the data subject.

9.12. When a personal data subject contacts the Operator with a request to terminate personal data processing within a period not exceeding 10 business days from the date the Operator receives the request, personal data processing shall be terminated, except as provided by the Personal Data

Law. This period may be extended, but by no more than five business days. To do this, the operator must send the personal data subject a notice stating the reasons for the extension.

9.13. When collecting personal data, including by means of the information and telecommunications network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation, except in cases specified in the Personal Data Law.

9.14. Control of compliance with the requirements of this Policy shall be exercised by an authorized person responsible for organizing the processing of personal data at the Operator.

9.15. Liability for violations of Russian law and Roscongress Foundation regulations on processing and protection of personal data is determined in accordance with Russian law.

10. Procedure for the collection, storage, transfer and other processing of personal data

The security of personal data processed by the Operator is ensured by implementing legal, organizational and technical measures necessary for the full implementation of the requirements of current legislation in the field of personal data protection.

10.1. The Operator ensures the security of personal data and takes all possible measures to exclude access to personal data by unauthorized persons.

10.2. Your personal data will never, under any circumstances, be disclosed to third parties, unless:

– related to the implementation of existing legislation;

– if the personal data subject has given consent to the Operator to transfer the data to a third party to fulfil obligations under a civil law contract or to achieve another purpose specified in advance in the consent to the transfer;

– the cases described in point 3.1 of this policy regarding the processing of personal data.

10.3. If inaccuracies in the personal data are identified, the User can update the personal data themselves by sending a notification to the Operator’s email address info@roscongress.org, marked “Update of personal data”.

10.4. The time period for processing personal data is determined by achieving the purposes for which the personal data were collected, unless a different time period is stipulated by contract or applicable law.

The User may withdraw their consent to the processing of personal data at any time, by personal communication or by sending a written request (including an electronic document signed by a simple electronic signature or an enhanced qualified electronic signature, or an electronic image of the document) electronically to info@roscongress.org or in writing to 12, Krasnopresnenskaya Naberezhnaya, entrance 7, office 1101, Moscow, 123610, Russia.

10.5. All information that is collected by third party services, including payment systems, means of communication and other service providers, is stored and processed by these parties (Operators) in accordance with their User Agreement and Privacy Policy. The subject of personal data and/or the User is obliged to acquaint themselves with the said documents in a timely manner. The

Operator shall not be liable for the actions of third parties, including the service providers referred to in this clause.

10.6. The prohibitions established by the personal data subject on the transfer (other than granting access) and processing or conditions of processing (other than obtaining access) of personal data permitted for dissemination shall not apply in cases of processing of personal data in the state, public and other public interests as defined by Russian law.

10.7. The Operator ensures the confidentiality of personal data when processing personal data.

10.8. The Operator shall store personal data in a form that makes it possible to identify the subject of personal data no longer than required by the purposes of personal data processing, unless the period of storage of personal data is established by federal law, an agreement to which the subject of personal data is a party, a beneficiary or a guarantor.

10.9. A condition for the termination of personal data processing may be the achievement of the personal data processing objectives, expiry of the personal data subject’s consent or withdrawal of consent by the personal data subject, as well as the discovery of unlawful personal data processing.

11. List of actions taken by the Operator with the personal data received

11.1. The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transmits (distributes, provides access), anonymizes, blocks, deletes, and destroys personal data.

11.2. The Operator carries out automated processing of personal data with or without receiving and/or transmitting the information received via information and telecommunication networks.

12. Cross-border transfer of personal data

12.1. Before transborder transfer of personal data, the Operator must ensure that the foreign country to whose territory the transfer of personal data is to take place provides adequate protection of the rights of personal data subjects.

12.2. The cross-border transfer of personal data in foreign countries that do not meet the above requirements may only take place if the personal data subject consents in writing to the cross- border transfer of his/her personal data and/or the execution of an agreement to which the personal data subject is a party.

13. Privacy of personal data

The Operator and other persons who have access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.

14. Final provisions

14.1. The User can receive any clarifications on questions of interest regarding the processing of their personal data by contacting the Operator in person, via email info@roscongress.org or in writing to the following address: 12, Krasnopresnenskaya Naberezhnaya, entrance 7, office 1101, Moscow, 123610, Russia.

14.2. This document will reflect any changes to the Operator’s personal data processing policy. The policy is valid indefinitely until replaced by a new version.

14.3. The current version of the Policy is freely available on the Internet at https://rusafetyweek.com/.