PERSONAL DATA PROCESSING POLICY
1 Introduction
1.1 This document defines the policy of the Editorial Board of the Journal with regard to the processing of Personal Data.
1.2 The Editorial Board is an operator of Personal Data in accordance with the legislation of the Russian Federation on Personal Data.
1.3 This Policy has been developed in accordance with the current laws of the Russian Federation on Personal Data:
- Federal Law of the Russian Federation of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter "152-FZ" or the Federal Law "On Personal Data"), establishing the basic principles and conditions for processing personal data, the rights, duties and responsibilities of participants in relations relating to the processing of personal data;
- Decree of the Government of the Russian Federation of 01.11.2012, № 1119 "On approval of requirements for the protection of personal data during their processing in personal data information systems";
- Decree of the Government of the Russian Federation of 15.09.2008 № 687 "On Approval of the Regulations on the specific processing of personal data carried out without the use of automation".
1.4 This Policy applies to any action (operation) or a set of actions (operations) performed with or without the use of automated means with Personal Data, including the collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, removal, destruction of Personal Data.
1.5 This Policy is subject to revision and, if necessary, updating in the event of changes in Russian legislation on Personal Data.
2 Principles of Personal Data Processing
Processing of Personal Data shall be based on the following principles:
- Processing of Personal Data shall be performed on a legal and fair basis;
- Processing of Personal Data shall be limited to achieving specific, predetermined and legitimate purposes;
- Processing of Personal Data incompatible with the purposes of collecting Personal Data shall not be allowed;
- Databases containing Personal Data that are processed for purposes incompatible with each other shall not be merged;
- The content and scope of processed Personal Data shall correspond to the declared processing purposes. Processed Personal Data shall not be excessive in relation to the declared processing purposes;
- The processing of Personal Data shall ensure the accuracy of Personal Data and their sufficiency, if necessary, and the relevance of Personal Data in relation to the stated purposes of their processing;
- Personal Data shall be stored in a form that allows identification of the subject of Personal Data for no longer than required by the purposes of Personal Data processing, unless the term of storage of Personal Data is established by federal law or by an agreement to which the subject of Personal Data is a party, a beneficiary, or a guarantor;
- Processed Personal Data shall be destroyed or depersonalized upon attainment of the purposes of processing or when it is no longer necessary to attain those purposes, unless otherwise provided for by federal law.
3 Terms of processing personal data
3.1 Processing of Personal Data is carried out in compliance with the principles and rules established by the Federal Law "On Personal Data". Processing of Personal Data shall be carried out in the following cases:
- Processing of Personal Data is carried out with the agreement of the subject of Personal Data on the processing of his/her Personal Data;
- Processing of Personal Data is necessary to achieve the goals specified in an international agreement of the Russian Federation or by law, to implement and perform the functions, powers and duties imposed on the operator by the legislation of the Russian Federation;
- Processing of Personal Data is necessary to complete an obligation, to which the subject of Personal Data is a party or a beneficiary or guarantor, as well as to conclude an agreement at the initiative of the subject of Personal Data or an agreement, under which the subject of Personal Data will be a beneficiary or guarantor;
- Processing of Personal Data is necessary to protect the life, health or other vital interests of the subject of Personal Data, if obtaining the consent of the subject of Personal Data is impossible;
- Processing of Personal Data is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially important goals, provided that this does not violate the rights and freedoms of the subject of Personal Data;
- Processing of Personal Data is carried out for statistical or other research purposes, subject to mandatory depersonalization of Personal Data. The exception is the processing of Personal Data for the purpose of promoting goods, works, services in the market through direct contact with the potential consumer by means of communication;
- Processing is carried out of Personal Data to which access by an unlimited number of persons is provided by the subject of Personal Data or at his request.
3.2 The Editorial Board may include subjects' Personal Data in publicly available sources of Personal Data, in which case the Editorial Board obtains the subject's written consent to process his or her Personal Data.
3.3 The Editorial Board transmits Personal Data only to foreign countries that provide adequate protection of the rights of the subjects of Personal Data.
3.4 No decisions shall be made based solely on the automated processing of Personal Data that produce legal consequences with respect to the subject of Personal Data or otherwise affect their rights and legitimate interests.
3.5 The Editorial Board may process Personal Data on behalf of the operator on the basis of an agreement between the Editorial Board and the operator.
3.6 Where written consent of the subject to the processing of his Personal Data is not required, consent may be given by the subject of Personal Data or his representative in any form that makes it possible to confirm the fact of its receipt.
3.7 When entrusting the processing of Personal Data to another person, the Editorial Board shall conclude an agreement (hereinafter - the operator's assignment) with that person and obtain the consent of the subject of Personal Data, unless otherwise provided for by federal law. In the operator's assignment, the Editorial Board obliges the person processing Personal Data on behalf of the Editorial Board to comply with the principles and rules of processing of Personal Data provided by the Federal Law "On Personal Data".
3.8 If the Editorial Board entrusts the processing of Personal Data to another person, the Editorial Board is responsible to the subject of Personal Data for the actions of that person. The person who processes Personal Data on behalf of the Editorial Board shall be liable to the Editorial Board.
3.9 The Editorial Board undertakes and obliges other persons who obtained access to Personal Data not to disclose to third parties and not to distribute Personal Data without the consent of the subject of Personal Data, unless otherwise provided by federal law.
4 Responsibilities of the Editorial Board
In accordance with the requirements of Federal Law No. 152-FZ "On Personal Data", the Editorial Board is obliged to:
- provide the subject of Personal Data, at his/her request, with information concerning the processing of his/her Personal Data, or legally provide a refusal within thirty days from the date of receipt of the request by the subject of Personal Data or his/her representative;
- At the request of the subject of Personal Data, clarify, block or delete processed Personal Data if the Personal Data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, within seven working days from the date the subject of Personal Data or his representative provides information confirming these facts;
- Keep a log of requests from subjects of Personal Data, which should record the requests of subjects of Personal Data for personal data, as well as the facts of providing Personal Data on these requests;
- Notify the subject of Personal Data about the processing of Personal Data if the Personal Data was not received from the subject of Personal Data. The following cases are exceptions:
  - The subject of Personal Data is notified of the processing of his or her Personal Data by the Editorial Board;
  - Personal Data was obtained by the Editorial Board in connection with the execution of an agreement to which the subject of Personal Data is a party or a beneficiary or guarantor, or on the basis of federal law;
  - Personal Data is made publicly available by the subject of the Personal Data or is obtained from a publicly accessible source;
  - The Editorial Board processes Personal Data for statistical or other research purposes, if the rights and legitimate interests of the subject of Personal Data are not violated;
  - Providing the subject of Personal Data with information contained in the Notice of Personal Data Processing violates the rights and legitimate interests of third parties;
- In case the goal of processing Personal Data is achieved, immediately stop processing the Personal Data and destroy the data within thirty days of achieving the goal of processing, unless otherwise provided by the contract to which the subject of Personal Data is a party, beneficiary or guarantor, or by another agreement between the Editorial Board and the subject of Personal Data, or if the Editorial Board is not entitled to process Personal Data without the consent of the subject of Personal Data on the grounds provided by № 152-FZ "On Personal Data" or other federal laws;
- In case of withdrawal of consent to process his Personal Data by the subject of Personal Data, stop processing Personal Data and destroy the Personal Data within thirty days from the date of receipt of such withdrawal, unless otherwise provided for by the agreement between the Editorial Board and the subject of Personal Data. The Editorial Board is obliged to notify the subject of the Personal Data about the destruction of the Personal Data;
- In case a request is received from the subject of Personal Data to stop processing Personal Data for the purpose of promoting goods, works, services on the market, immediately stop processing the Personal Data.
5 Measures to ensure the security of personal data during their processing
5.1 When processing Personal Data, the Editorial Board applies the necessary legal, organizational and technical measures to protect Personal Data from unauthorized or accidental access, destruction, change, blocking, copying, provision, distribution of Personal Data, as well as from other unlawful actions in relation to Personal Data.
5.2 Ensuring security of Personal Data is achieved by the following measures:
- Determination of threats to the security of Personal Data when they are processed in the information systems of Personal Data;
- Applying organizational and technical measures to ensure the security of Personal Data when they are processed in Personal Data information systems, necessary to meet the requirements for the protection of Personal Data, the implementation of which ensures the levels of protection of Personal Data as set by the Government of the Russian Federation;
- Use of information protection tools that have duly passed the conformity assessment procedure;
- assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the information system of personal data;
- accounting of data storage media;
- Detection of unauthorized access to personal data and taking action;
- recovery of Personal Data modified or destroyed as a result of unauthorized access to it;
- Establishing rules for access to Personal Data processed in the information system of Personal Data, as well as ensuring registration and accounting of all actions taken with Personal Data in the information system of Personal Data;
- Control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems.
6 Rights of the subject of Personal Data
In accordance with the Federal Law "On Personal Data" the subject of personal data has the right:
- to receive information concerning the processing of Personal Data by the Editorial Board, namely:
  - confirmation of the fact of the processing of Personal Data by the Editorial Board;
  - The legal grounds and purposes of the processing of Personal Data by the Editorial Board;
  - Methods of processing of Personal Data used by Editorial Board;
  - The name and location of the Editorial Board, information about the persons (except for the employees of the Editorial Board) who have access to Personal Data or to whom Personal Data may be disclosed on the basis of the contract with the operator or on the basis of the federal law;
  - Processed Personal Data related to the respective subject of Personal Data, the source of their receipt, unless another procedure for presenting such data is stipulated by federal law;
  - the terms of processing of Personal Data by the Editorial Board, including the terms of their storage;
  - The procedure for exercising the data subject's rights under the Federal Law "On Personal Data";
  - information about cross-border data transfers made or suspected to have been made;
  - the name or surname, first name, patronymic and address of the person processing the Personal Data on behalf of the Editorial Board, if the processing is or will be assigned to such a person;
  - Other information required by the Federal Law "On Personal Data" or other federal laws;
- to request that the Editorial Board clarify, block or destroy his or her Personal Data if the Personal Data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- to withdraw consent to process Personal Data in cases provided for by law.
7 Procedures for exercising rights
7.1 An appeal by the subject of Personal Data to the operator to exercise the rights established by the Federal Law "On Personal Data" is made in writing, in the prescribed form, during a personal visit to the Editorial Board by the subject of Personal Data or his representative. (Hereinafter, "subject of Personal Data" means both the subject of Personal Data and his/her legal representative: parent, guardian, custodian and other persons whose authority is established by Federal Law 152-FZ or other law of the Russian Federation.)
7.2 The application form is issued to the subject of Personal Data or his/her representative by a receptionist and is completed by the subject of Personal Data or his/her representative with his/her handwritten signature in the presence of the said employee.
7.3 An employee of the reception desk, upon receipt of an application in the prescribed form, shall verify the information specified in it against the basic identity document of the subject of Personal Data, the grounds on which the person acts as a representative of the subject of Personal Data, and the original of the document cited in the application.
7.4 The response to the appeal is sent to the subject of Personal Data in writing by mail to the address specified in the appeal.
7.5 The period for preparing the response and handing it to the post office for dispatch shall not exceed thirty days from the date the operator receives the appeal.
7.6 The period for making necessary changes to Personal Data that are incomplete, inaccurate or irrelevant shall not exceed seven business days from the date the subject of Personal Data or his/her representative provided information confirming that the Personal Data is incomplete, inaccurate or irrelevant.
7.7 The time limit for destroying Personal Data that are illegally obtained or are not necessary for the stated processing purpose shall not exceed seven business days from the date the subject of Personal Data or his/her representative provides information confirming that the Personal Data are illegally obtained or are not necessary for the stated processing purpose.
8 Restrictions on the rights of data subjects
8.1 A data subject's right of access to his or her Personal Data shall be restricted if the provision of Personal Data violates the rights and legitimate interests of others.
8.2 If information related to the processing of Personal Data, as well as the processed Personal Data, was provided for review to the subject of Personal Data upon his request, the subject of Personal Data has the right to submit a repeated request for information related to the processing of Personal Data and for familiarization with such Personal Data no earlier than thirty days after the original request, unless a shorter period is established by federal law, a legal act adopted in accordance with it, or the contract to which the subject of Personal Data is a party, beneficiary or guarantor.
8.3 The subject of Personal Data shall have the right to submit a second request to the Editorial Board for information relating to the processing of Personal Data, as well as to review the processed Personal Data prior to the deadline specified in paragraph 8.2, if such information and/or processed Personal Data were not made available to him/her in full upon review of the initial request. A repeat request must be reasonable.
8.4 The Editorial Board has the right to refuse to fulfill a repeated request that does not comply with the conditions stipulated in paragraphs 8.2 and 8.3.