Data Processing Policy

1 GENERAL PROVISIONS

Personal Data Processing Policy of EXPOCENTRE AO (hereinafter the Policy) was developed in accordance with the requirements of the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data».

The present Policy defines the personal data processing procedure and measures to be taken in EXPOCENTRE AO (hereinafter the Company, operator) to ensure its security in order to protect the rights of personal data owners when processing their personal data.

The following terms and definitions are used in the present Policy:

Automatic Personal Data Processing means personal data processing using computer aids;

Blocking of Personal Data means temporary termination of personal data processing (except for cases when processing is necessary to specify personal data);

Personal Data Information System means the aggregate of personal data contained in databases and information technologies and technical means ensuring personal data processing;

Depersonalization of Personal Data means actions making it impossible to determine to which personal data owner particular personal data belong without using additional information;

Personal Data Processing means any action (operation) or the aggregate of actions (operations) performed with personal data with or without computer aids, including collection, recording, systematization, accumulation, storage, specification (updating, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, removal and destruction of personal data;

Operator means a Company carrying out personal data processing, as well as determining the goals of personal data processing, composition of personal data to be processed, and actions (operations) performed with personal data;

Personal Data means any information directly or indirectly related to a definite or identifiable individual (personal data owner);

Provision of Personal Data means actions aimed at the disclosure of personal data to a definite individual or a particular group of individuals;

Distribution of Personal Data means actions aimed at the disclosure of personal data to an indefinite group of individuals (personal data transfer) or at the familiarization of an unlimited group of individuals with personal data, including publication of personal data in mass media, placement in information and telecommunication networks, or granting access to personal data in any other way;

Transborder Transfer of Personal Data means transfer of personal data to a territory of a foreign state, to an authority of a foreign state, a foreign natural or legal entity;

Destruction of Personal Data means actions as a result of which it is impossible to recover the content of personal data in a personal data information system and (or) as a result of which physical media bearing personal data are destroyed;

Company’s Employee means an individual that has or used to have labor relations with the Company;

EXPOCENTRE FAIRGROUNDS means FAIRGROUNDS of EXPOCENTRE AO.

2 PRINCIPLES OF PERSONAL DATA PROCESSING

Personal data processing in the Company is based on the following principles:

  • personal data processing is performed on a legal and fair basis;
  • personal data processing is restricted by the achievement of particular, legal goals defined in advance. Personal data processing incompatible with the goals of personal data collection is not allowed;
  • it is not allowed to combine databases containing personal data to be processed for the incompatible purposes;
  • only personal data meeting the goals of their processing can be processed;
  • content and volume of personal data processed complies with the stated goals of their processing. Personal data processed are not excessive in relation to the stated goals of their processing;
  • during personal data processing, accuracy and sufficiency, and in some cases relevance with regard to the goals of the personal data processing, is ensured. The Company implements the required measures or provides for the implementation of measures on the removal or specification of incomplete or inaccurate data;
  • personal data are stored in a form that allows the personal data owner to be identified for no longer than is required for the goals of personal data processing, unless the term of personal data storage is established by a federal law or by a contract to which the personal data owner is a party, a beneficiary or a guarantor;
  • personal data processed shall be destroyed or depersonalized upon achieving the goals of processing or if a need for their achievement ceases to exist, unless otherwise implied by a federal law.

3 GOALS OF PERSONAL DATA COLLECTION AND PROCESSING

The Company performs processing of personal data belonging to the following categories of personal data owners:

  • persons entering employment: individuals seeking appointment to the Company (hereinafter — candidates);
  • employees: individuals that have or used to have labor relations with the Company;
  • family members (in the absence thereof — close relatives) of employees: individuals having family or kinship relations with Company’s employees (hereinafter — family members);
  • shareholders: individuals owning Company’s shares;
  • persons being members of Company’s management and control bodies: individuals being members of Company’s Board of Directors, the Board and the Audit Commission;
  • contractors: individuals rendering services and performing works under civil contracts for the Company;
  • contractors’ employees: individuals employed at third-party organizations — contractors — that have or are planning to have contractual relations with the Company;
  • Company visitors: individuals that have or used to have access to the territory of administrative facilities of the Company by temporary or single-use pass;
  • Visitors to EXPOCENTRE FAIRGROUNDS: individuals that visit or used to visit exhibitions, participate or used to participate in exhibitions, and those planning to visit them.

The Company processes personal data of these categories of personal data owners in the following numbers:

  • candidates — less than 100,000 persons;
  • employees — less than 100,000 persons;
  • family members — less than 100,000 persons;
  • shareholders — less than 100,000 persons;
  • persons being members of Company’s management and control bodies — less than 100,000 persons;
  • contractors — less than 100,000 persons;
  • contractors’ employees — less than 100,000 persons;
  • Company visitors — less than 100,000 persons;
  • visitors to EXPOCENTRE FAIRGROUNDS — less than 100,000 persons.

The Company has defined the following goals of personal data processing for every category of personal data owners:

  1. candidates:

    — candidate’s personal data are processed solely for the purpose of their recruitment to the Company.

  2. employees:

    — employee’s personal data are processed for the purpose of their training, transfer to another position, occupational and personal safety, control over the quality of work performed, payment for labor in accordance with the requirements of laws and other regulatory legal documents, as well as preservation of Company’s property.

  3. family members:

    — family member’s (close relative’s) personal data are processed for the purpose of compliance with the labor law in relation to a Company’s employee, as well as in cases of voluntary medical insurance of a family member (close relative).

  4. shareholders:

    — exercise of powers for Company management (compliance with the provisions of Company’s Articles of Association);

    — making aid payments.

  5. persons being members of the Company’s management and control bodies:

    — compliance with the requirements of the Russian Federation law (Federal Law No. 129-FZ dated 8 August 2001 «Concerning State Registration of Legal Entities and Individual Entrepreneurs», Federal Law No. 208-FZ dated 26 December 1995 «Concerning Joint Stock Companies», Federal Law No. 39-FZ dated 22 April 1996 «Concerning Securities Market», «Regulations on the Disclosure of Information by Equity Securities Issuers» approved by the Order of the Bank of Russia No. 454-П dated 30 December 2014 and registered in the Ministry of Justice of Russia on 12 February 2015 under No. 35989).

  6. contractors:

    — contractor’s personal data are processed by the Company for the purpose of execution and fulfillment of the terms of civil contracts for service rendering and work performance.

  7. contractors’ employees:

    — personal data of contractor’s employee are processed for the purpose of execution and fulfillment of the terms of a contract (agreement) made between the Company and a third-party contractor.

  8. Company visitors:

    — Company visitor’s personal data are processed for the purpose of their registration and admission to the territory of the Company.

  9. visitors to EXPOCENTRE FAIRGROUNDS:

    — personal data of a visitor to EXPOCENTRE FAIRGROUNDS are processed by the Company for the purpose of ensuring their participation and exhibition and non-exhibition activities and their information support.

When determining the volume and content of processed personal data belonging to personal data owners, the Company is governed by the goals of personal data collection and processing. A list of personal data processed in the Company is approved by the order of the Company Director General.

4 CONDITIONS OF PERSONAL DATA PROCESSING

The Company processes personal data if at least one of the following conditions is available:

  • personal data are processed with the consent of a personal data owner to processing of their personal data;
  • personal data processing is required for the purpose of fulfillment of a contract to which the personal data owner is a party, a beneficiary or a guarantor, as well as for the purpose of execution of a contract on the initiative of a personal data owner or a contract under which the personal data owner will be a beneficiary or a guarantor;
  • personal data processing is required for the purpose of exercise of rights and legal interests of an operator or third parties, provided that it does not violate rights and freedoms of a personal data owner;
  • personal data are processed for statistical or other research purposes subject to compulsory depersonalization of personal data.

5 CONFIDENTIALITY OF PERSONAL DATA

The Company and other persons having access to personal data may not disclose them to third parties and distribute personal data without the consent of the personal data owner, unless otherwise implied by the Russian Federation law.

6 PUBLICLY AVAILABLE SOURCES OF PERSONAL DATA

For the purpose of information support, the Company creates publicly available sources of personal data containing information on the management of the Company, namely, Company’s official website located at the address http://www.expocentr.ru/. With the written consent of a personal data owner, publicly available sources of personal data may include their last name, first name, middle name, position, information on previous employment and information on education.

Information on the personal data owner shall be removed from publicly available sources of personal data at the request of such personal data owner, or by decision of a court or other authorized state bodies.

7 SPECIAL CATEGORIES OF PERSONAL DATA

The Company may process special categories of personal data with a written consent to processing of such personal data.

Processing of special categories of personal data shall be immediately stopped, if grounds for such processing cease to exist, unless otherwise stipulated by the Russian Federation law.

8 ASSIGNMENT OF PERSONAL DATA PROCESSING TO THIRD PARTIES

The Company may entrust personal data processing to a third party with the consent of a personal data owner, unless otherwise stipulated by the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data», based on a contract made with such party. A person processing personal data at the direction of the Company shall comply with the principles and rules of personal data processing defined in the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data». Such direction shall contain a list of activities (operations) that can be performed with personal data by the person carrying out personal data processing, goals of processing, an obligation of such person to keep personal data confidential and ensure the security of personal data during their processing, as well as the requirements to the protection of personal data to be processed.

9 TRANSBORDER TRANSFER OF PERSONAL DATA

The Company may perform transborder transfer of personal data to the territories of foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as of other foreign states ensuring adequate protection of rights of personal data owners in accordance with contracts made with organizers of exhibition and congress events.

10 RIGHTS OF PERSONAL DATA OWNERS

10.1 Consent of a Personal Data Owner to His Personal Data Processing

A personal data owner makes a decision on the provision of his personal data and gives consent to the processing thereof freely, in his own volition and for his own benefit. Consent to personal data processing can be given by a personal data owner or his representative in any form making it possible to establish the fact of such consent, unless otherwise stipulated by the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data».

An obligation on the provision of evidence of the consent to personal data processing given by a personal data owner or evidence of the availability of grounds specified in the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data» rests with the Company.

A person carrying out personal data processing on behalf of the Company is not obliged to obtain consent of the personal data owner to personal data processing.

10.2 Rights of a Personal Data Owner

Pursuant to the requirements of the Federal Law No. 152-FZ «On Personal Data» ensuring the observance of rights of a personal data owner to the access to personal data, the Company has developed and implemented the procedure of work with requests and applications of personal data owners. This procedure ensures the observance of the following rights of personal data owners:

  • a personal data owner may obtain information related to the processing of his personal data within the timeframe defined in the Federal Law No. 152-FZ «On Personal Data»;
  • a personal data owner may ask the Company to update, block or destroy his personal data, if these personal data are incomplete, obsolete, inaccurate, illegally obtained or are not necessary for the stated goal of processing, as well as take measures for the protection of his rights implied by the Federal Law No. 152-FZ «On Personal Data»;
  • a personal data owner may ask the Company to explain the procedure of decision-making based solely on the automatic processing of personal data of the personal data owner and possible legal consequences of such decision;
  • a personal data owner may file an appeal against the activity or inactivity of the Company with an authorized body for the protection of rights of personal data owners (hereinafter - Federal Service for Supervision of Communications, Information Technology, and Mass Media) or through the courts;
  • a personal data owner may protect his rights and legal interests, including recover damages and (or) compensation for moral injury through the courts.

The personal data owner’s right of access to his personal data can be restricted in accordance with the federal laws.

11 ENSURING PERSONAL DATA SECURITY

Security of personal data processed by the Company is ensured through legal, organizational and technical measures required for the compliance with the requirements of the federal law on personal data protection.

The following organizational and technical measures are taken by the Company to prevent unauthorized access to personal data:

  • appointment of an official in charge of the organization of personal data processing;
  • appointment of an official in charge of the provision of personal data security;
  • accounting of the Company’s employees allowed to process personal data;
  • familiarization of the Company’s employees with the requirements of the Russian Federation law and Company’s internal regulatory documents on personal data processing and protection;
  • organization of accounting, storage and control over the circulation of personal data storage media;
  • identification of security threats to personal data during their processing in personal data information systems, formation of threat models and infringers of personal data security on their basis; application of information security tools required to ensure personal data safety, including cryptographic information protection tools;
  • ensuring recovery of personal data destroyed or modified as a result of unauthorized access thereto;
  • determining places for personal data storage;
  • assessment of efficiency of measures taken to ensure personal data security;
  • control over measures taken to ensure personal data security and over a level of personal data security;
  • organization of access control in the territory of the Company and protection of premises containing technical means of personal data processing.

12 ORGANIZATION OF REQUESTS AND APPLICATIONS PROCESSING

12.1 List of Requests and Applications

In the process of personal data processing by the Company, the following requests and applications can be received from personal data owners or their legal representatives:

  • request for the provision of information on processing of personal data belonging to the personal data owner;
  • request for the provision of information on processing of personal data belonging to the personal data owner for the purpose of promotion of goods, works and services in the market;
  • request for the provision of information on processing of personal data belonging to the personal data owner with decisions made solely based on the automatic personal data processing;
  • request for the provision of information on processing of personal data belonging to the personal data owner in publicly available sources;
  • request for the provision of information on processing of personal data belonging to the personal data owner to third parties;
  • request for the provision of information on transborder transfer of personal data belonging to the personal data owner;
  • application for withdrawal of consent given by the personal data owner to the processing of their personal data;
  • request for the specification of personal data belonging to the personal data owner;
  • request of the personal data owner for blocking of his personal data;
  • request of the personal data owner for destruction of his personal data.

12.2 Receipt of Requests, Applications and Instructions

Organization of processing of requests and applications from personal data owners or their representatives is performed by a person in charge of the organization of personal data processing (hereinafter — Executive).

The Executive is appointed by the order of the Director General of the Company.

For the purpose of registration of requests and applications on the issues of personal data processing and responses thereto, the Executive keeps the Register of Requests and Applications Related to Personal Data.

A request (application) from a personal data owner shall contain the following:

  • last name, first name and middle name of a personal data owner;
  • passport data of a personal data owner (his representative);
  • information confirming involvement of a personal data owner into relations with the Company (contract number, contract date, conventional verbal mark and (or) other information), or any other information certifying the fact of processing of personal data belonging to the personal data owner by the Company;
  • text of the request (application);
  • return address;
  • signature of a personal data owner (his representative).

If the abovementioned mandatory details are present, the request (application) shall be recorded in the Register of Requests and Applications Related to Personal Data (hereinafter — the Register). If details specified in the request (application) are incomplete or contain inaccurate information, it is necessary to mention data to be specified in response to such request (application).

12.3 Response to Requests, Applications and Instructions

The Executive in charge of forming a response to a request (application) from a personal data owner related to personal data processing shall ask for and obtain the required information in the relevant subdivision of the Company carrying out processing of personal data belonging to the personal data owner. Structural subdivisions processing personal data specified in the request (application) shall provide information to the Executive within three (3) business days.

When responding to requests (applications) from a personal data owner (his representative), the Executive shall provide for and ensure the implementation of the following measures:

  • collection, analysis and fixation of information on the availability, grounds and conditions of processing of personal data related to the personal data owner, including publicly available personal data;
  • collection of information on the grounds for personal data processing for the purpose of promotion of goods, works and services in the market;
  • collection, analysis and fixation of information on the transfer of personal data belonging to the personal data owner to third-party organizations, and on transborder transfer;
  • collection, analysis and fixation of information on making decisions resulting in legal consequences in relation to the personal data owner, based solely on automatic personal data processing;
  • provision of the personal data owner with an opportunity to get acquainted with his personal data, as well as introduction of the required changes thereto, destruction or blocking of the relevant personal data upon presentation by the personal data owner of information certifying that the personal data are incomplete, obsolete, inaccurate, illegally obtained or unnecessary for the stated goal of processing;
  • development of instructions for third-party organizations to which personal data belonging to the personal data owner are transferred on the necessity of introduction of changes and implementation of measures in relation to the personal data belonging to the personal data owner;
  • in case of refusal to provide information on personal data processing to the personal data owner (his representative) at his request, the development of a motivated refusal containing reference to the relevant norm of the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data».

The following timeframe is envisaged for the purpose of response to requests (applications) from the personal data owner (his representative):

  • provision of (refusal to provide) information on personal data processing to the personal data owner (his representative), as well as provision with an opportunity to get acquainted with the personal data — within thirty (30) days upon receipt of the request (application);
  • introduction of changes into personal data in case of their incompleteness, inaccuracy or obsolescence — within seven (7) business days upon receipt of the request (application);
  • destruction of personal data in case they are obtained illegally or are not necessary for the stated goal of processing — within seven (7) business days upon receipt of the request (application).

The received requests (applications, instructions) related to personal data, as well as responses thereto shall not violate constitutional rights and freedoms of other people.

13 FINAL PROVISIONS

The present Policy shall be revised as necessary based on the assessment of efficiency of measures on personal data security implemented within the personal data protection system (such assessment shall be performed at least once in 3 years), or in case of introduction of changes into the requirements of the Russian Federation law in the sphere of personal data processing and protection.

Changes to the present Policy shall be introduced by the order of the Company Director General.

The Company grants unrestricted access to the present Policy by means of placing it on the official website of the Company at the address http://www.expocentr.ru/.

Other rights and obligations of the Company are defined by the Russian Federation law in the sphere of personal data.

14 RESPONSIBILITY

The Company’s employees guilty of the breach of requirements of the Federal Law No. 152-FZ dated 27 July 2006 «On Personal Data» shall be held responsible in accordance with the Russian Federation law.

