Start In Moscow Website Personal Data Processing Policy


1. General


1.1. This personal data processing policy (hereinafter – the Policy) has been developed in accordance with the Constitution of the Russian Federation, the Labor Code of the Russian Federation No. 197-FZ dated 30.12.2001, the Federal Law on Personal Data No. 152-FZ dated 27.07.2006 (hereinafter – the Federal Law No. 152-FZ) and other regulations applicable to the personal data.
1.2. This Policy defines the principles, terms, conditions, purposes and procedure of personal data processing at https://startin.moscow (hereinafter – the Website), as well as measures to ensure the security of personal data of the Website users in order to protect the rights and freedoms of a person and citizen during their personal data processing.
1.3. The provisions of this Policy shall be binding on all employees of the Human Capital Development Autonomous Non-Profit Organization (hereinafter referred to as HCD ANPO) who have access to personal data of the Website users in accordance with HCD ANPO’s local regulations and job descriptions.
1.4. This Policy shall be posted on the Website in accordance with Part 2 of Article 18.1 of Federal Law No. 152-FZ.
1.5. The address of HCD ANPO (registered office and place of business): 16 Krasina Lane, bldg. 2 Presnensky Municipal District, Moscow, 123056 (TIN 7710364647). HCD ANPO’s e-mail: info@develop.mos.ru.

2. Terms and definitions


Automated personal data processing means personal data processing using the computing equipment.
Blocking of personal data means temporary cessation of personal data processing (except for the cases when processing is required to clarify personal data).
Personal data information system means a set of personal data contained in the databases, as well as information technologies and technical means ensuring their processing.
Personal data anonymization means actions preventing the linking of personal data to a particular personal data subject without additional information.
Personal data processing means any action (operation) or set of actions (operations) performed with personal data with or without the use of automation means, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, or destruction of personal data.
Operator means a governmental authority, municipal authority, legal entity or individual who, independently or jointly with other persons, arranges and/or carries out personal data processing, as well as determines the personal data processing purposes, composition of personal data subject to processing, and actions (operations) performed with personal data. For the purposes hereof, the personal data operator is HCD ANPO.
Operator's partner means legal entities and/or individual entrepreneurs with whom HCD ANPO has concluded agreements/arrangements for personal data processing of the Website users according to Part 3 of Article 6 of the Federal Law No. 152-FZ.
Personal data means any information related directly or indirectly to a specific or identifiable individual (personal data subject), as defined in Section 7 hereof.
Personal data provision means actions aimed at disclosure of personal data to a certain person or a certain number of persons.
User means an individual (Internet user), who is the personal data subject or their legal representative, freely accessing the Operator's website and having an opportunity to log on it.
Personal data distribution means actions aimed at disclosure of personal data to an indefinite number of persons, including the disclosure of personal data in mass media, its placement in information and telecommunication networks or otherwise providing access to personal data.
Website means a set of hardware and software for computers/mobile devices, ensuring the data posting on the Internet for public review. The Website is available at a unique electronic address or its letter designation on the Internet at https://startin.moscow. The Website may contain graphic, text, audio, video, and other information reproducible by computers/mobile devices.
Personal data destruction means actions preventing the restoration of the personal data content in the personal data information system and/or destroying tangible personal media.

3. Personal data collection purposes

Personal data shall be collected and processed for the following purposes:
  1. Enabling the User to access the Website.
  2. Providing the User with an opportunity to log on the Website.
  3. Providing the User with access to the account (profile) on the Website.
  4. Communication with the User for sending notifications, requests and information related to the operation of the Website and Operator's partners' websites, fulfillment of contractual obligations by the Operator, processing of User's requests and applications.
  5. Personalization of the Operator's service offers targeted at the User.
  6. Improving the Website usability by conducting promotions, surveys, and research by the Operator.
  7. Protection of rights and interests of the User and the Operator.

4. Legal basis for personal data processing


The Operator shall process personal data of personal data subjects in compliance with:
- Constitution of the Russian Federation;
- Federal Law No. 152-FZ and other regulations of the Russian Federation and state regulators (Federal Service for Technical and Export Control (FSTEC), Federal Security Service (FSS)) for personal data, as well as the authorized body for the protection of the rights of personal data subjects (hereinafter – Roskomnadzor);
- Labor Code of the Russian Federation;
- Articles of Association of HCD ANPO;
- this Policy;
- local regulations applicable to the Operator and its partners, developed as a follow-up to this Policy;
- consents to the personal data processing obtained from personal data subjects.

5. Personal data processing principles


Personal data shall be processed by the Operator pursuant to the following principles:
1. Legality of predetermined specific purposes and methods of personal data processing.
2. Correspondence of the scope, nature and methods of personal data processing with the purposes of personal data processing.
3. Limiting the personal data processing to the achievement of specific, predetermined and legitimate purposes.
4. Ensuring the reliability, sufficiency and relevance of personal data in relation to the personal data processing purposes.
5. Storage of personal data in a form allowing to identify the personal data subject solely during the period required by their processing purposes.
6. Prevention of the personal data processing in a manner incompatible with the personal data collection purposes.
7. Prevention of the personal data processing in a manner redundant in relation to the personal data collection purposes.
8. Prevention of the merging of databases containing personal data which are processed for incompatible purposes.
9. Prevention of the extraction and use of personal data for commercial purposes.
10. Ensuring confidentiality, protection and security of the personal data being processed.
11. Destruction or anonymization of personal data upon achievement of their processing purposes or where the achievement of these purposes is no longer needed, when the Operator is unable to eliminate the committed violations of personal data, unless otherwise provided for by the Federal Law No. 152-FZ.

6. Terms and conditions of the personal data processing


The Operator shall process the personal data on the following terms and conditions:
1. The personal data is processed subject to the consent of the personal data subject to the processing of their personal data.
2. Personal data processing is required for the fulfillment of the Operator's contractual obligations towards the Website User (personal data subject), including ensuring the Website operation, ensuring the provision of services by the Operator and its partners to the Website User.
3. Personal data processing is necessary to ensure the protection of the rights and legitimate interests of the User, the Operator and its partners.
4. Personal data processing is required to fulfill the requirements stipulated by the federal legislation.

7. Scope and categories of the personal data being processed; categories of personal data subjects

7.1. The scope and categories of data processed by the Operator may differ when the User logs on and creates an account (profile, office) on the Website, as well as in case of access to the Website without logging on and creation of the User's account.
7.2. Categories of personal data subjects whose personal data are processed by the Operator:
1) individuals and their legal representatives who have logged on the Website;
2) individual representatives of organizations (legal entities);
3) individuals who provide services and have concluded a civil law contract with the Operator (sole proprietors).
7.3. The Operator shall process the following categories of personal data:
- surname, given name, patronymic, phone number, date of birth of the Website User (personal data subject);
- image (including avatar) of the Website User placed by them in their account (profile);
- e-mail address of the Website User;
- password to the account (profile) of the Website User created by the User when logging on the Website;
- information about the User's activity during the Website use, including the content of messages exchanged with the Operator through the Website interface, the list and characteristics of services ordered using the Website, as well as the content and metadata of the User's feedback on the quality of services provided;
- information about the area of residence of the User and/or the person represented by the User (based on geolocation data);
- information about interests (hobbies) of the User and/or the person represented by the User;
- information about the personal data subject (Website user) received by the Operator from the Operator's partners in accordance with the terms and conditions of the personal data processing agreements/arrangements signed with them;
- correspondence with the User using the e-mail address info@startin.moscow specified on the Operator's Website;
- other personal data that need to be processed by the Operator to achieve the purposes specified in Section 3.
7.4. The Operator shall not collect or process biometric personal data, as well as special personal data of Users concerning their race, nationality, political views, religious or philosophical beliefs, health and sexual life.
7.5. The Operator shall not personally verify personal data of the Website Users and shall assume that the Users provide only reliable personal data when logging on. The User shall be responsible for the accuracy of personal data provided to the Operator (when creating a personal account, editing or updating personal data in the personal account, etc.).
7.6. Any User accepting the terms and conditions of this Policy certifies to the Operator that they are fully capable persons under the laws of the Russian Federation.
7.7. The User, when leaving data about themselves on the Website, thereby authorizes the Operator to process the provided personal data, including their collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, provision, access, anonymization, blocking, deletion and destruction of personal data, results of their automated processing, transfer of such personal data to the Operator's partners and other persons, as well as collection (receipt) of personal data by the Operator from the Operator's partners and its processing jointly with them.
7.8. The Website User hereby agrees that their image may be used in social media accounts and information communities of the Operator and its partners, on the websites of HCD ANPO for the purpose of advertising and demonstration of programs and events, as well as for the purpose of preparation of the Operator's reporting documentation to higher authorities.
7.9. Personal data shall be processed by the Operator automatically without direct access by the Operator's employees and/or contractors, except for the cases when such access is required for the fulfillment of official duties or obligations by the said persons under the contract with the Operator, whereby such persons shall comply with the Operator's requirements to ensure security when accessing personal data of the Website users.
7.10. When the User accesses the Website without logging on, the Operator shall collect technical data obtained through the processing of cookies, the information in which allows determining the browser version, IP-address, hardware and software of the User's device, geolocation, the User's activity during the browsing and viewing of materials posted on the Website, etc. The Operator shall collect technical data on the User's access to the Website without logging on.
7.11. The collection of cookies shall start from the moment the User gains access to the Website. Cookies shall be stored locally on the User's computer or mobile device, as well as on the Operator's Website. Cookies streamline the User's experience with the Website, allow determining the User's preferences (for example, for the formation of targeted offers of goods and services based on the advertisements viewed by the User), the date and time of the User's visits to the Website, etc.
7.12. The Operator shall process technical data obtained on the basis of cookies using external web analytics services Mail.ru Rating, Yandex.Metrika and internal services of the Website to conduct analytical and statistical research of the Website attendance, geolocation of Users, their number, time spent on the Website, preferences, etc.
7.13. The User shall be entitled to opt out of cookies on the Website by making additional browser settings on their computer or mobile device, but in this case not all functions and services within the Website will be available to the User and/or displayed correctly.

8. Personal data processing, transfer and storage procedure


8.1. The User's personal data shall be collected from the moment the User logs on the Website and fills in the data in the registration form.
8.2. The User shall grant their consent to the personal data processing by filling in the registration form and ticking the checkbox "Personal Data Processing Policy reviewed and the personal data processing authorized".
8.3. The User agrees that ticking the checkbox in the webforms shall signify a full and informed consent of the User to provide personal data to the Operator in accordance with the Federal Law No. 152-FZ.
8.4. By filling in the appropriate forms during registration and providing their personal data to the Operator, the User expresses their full consent to this Policy.
8.5. In all cases, the personal data of the Website Users shall be processed by the Operator only for the purposes set forth in Section 3 hereof.
8.6. Personal data of the Users shall not be transferred to the third parties, except for the cases expressly provided for by this Policy and federal laws applicable to personal data.
8.7. The Operator shall be entitled to transfer the User's Personal Data to the other Operator's partners for the purposes and on the terms and conditions set forth herein.
8.8. Personal data shall be processed on behalf of the Operator by a third party (Operator's partner) on the basis of an agreement concluded between the Operator and the third party only, which shall specify:
- a list of actions (operations) with personal data to be performed by a third party processing personal data;
- personal data processing purposes;
- obligations of the third party to observe the personal data confidentiality requirements and ensure their security during processing, as well as comply with the requirements for protection of personal data being processed.
8.9. The Operator shall be entitled to transfer the personal data to a third party in order to protect the rights and legitimate interests of the Operator in case the User violates this Policy or the terms and conditions of contracts concluded with other Operators, or where there is a threat of such violation.
8.10. Personal data of the Website Users may be transferred at the request of governmental bodies (local self-administration bodies) in the manner stipulated by the federal laws.
8.11. Personal data processing shall be terminated when the purposes of such processing are achieved, as well as upon expiration of the term provided for by law, contract, or the consent of the Personal Data subject to the processing of their Personal Data. When the purposes of personal data processing are achieved, the Operator shall cease processing of the User's data in the manner provided for by Federal Law No. 152-FZ.
8.12. Personal data shall be stored on electronic media (machine data carriers) and processed using automated personal data systems, except for the cases when a different personal data processing method is required in connection with the fulfillment of the Operator's contractual obligations towards the User, as well as in cases directly related to the fulfillment of federal law requirements, including the cases when personal data is provided to state (municipal) authorities upon request of the Operator, and in cases when the Operator's obligations to the User are fulfilled.
8.13. Personal data shall be stored until their processing purposes are achieved. In accordance with Part 7 of Article 5 of Federal Law No. 152-FZ, personal data shall be stored in a form allowing for identification of the personal data subject for no longer than required by the personal data processing purposes, unless the period of the personal data storage is established by federal law, a contract to which the personal data subject is a party, beneficiary or guarantor. The personal data being processed shall be destroyed or depersonalized upon achievement of the processing purposes or when the achievement of these purposes is no longer needed, unless otherwise provided for by federal law.
8.14. The User agrees that the consent granted by them to the personal data processing, which they indicated when logging on the Website, shall be valid until its revocation in the manner specified in Section 9 hereof.
8.15. When collecting personal data via the Website, the Operator shall ensure the processing of personal data received from the User using the databases located in the territory of the Russian Federation.

9. Rights of the personal data subject


The personal data subject shall be entitled to:
- receive information regarding the processing of their personal data on the Website in the manner, form and on the terms and conditions established in Federal Law No. 152-FZ;
- request that the Operator clarify their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not required for the stated processing purposes, as well as to take actions provided for by law to protect their rights;
- obtain free access to the personal data about themselves;
- challenge the Operator’s actions or omissions to Roskomnadzor or in court;
- protect their rights and legitimate interests in the field of personal data protection, including seeking the compensation for losses and (or) moral damage in court;
- withdraw consent to the processing of their personal data by sending a request in writing to the Operator at the Operator's address specified in Section 1 hereof. The withdrawal of consent to the personal data processing shall contain the number of the main document certifying the personal data subject or their legal representative, information on the date of issue of the said document and the issuing authority, information confirming the personal data subject's relations with the Operator (contract number, date of contract conclusion, conventional verbal designation and/or other information), or information otherwise confirming the fact of personal data processing by the Operator, and the signature of the personal data subject or its legal representative.

10. Rights of the Personal Data Operator


The Personal Data Operator shall have the following basic rights:
- process the personal data of the personal data subject in accordance with the information and consents obtained from them, as well as for the declared purposes;
- entrust the personal data processing to another person subject to the consent of the personal data subject on the basis of an agreement or contract concluded with this person (operator's instruction);
- refuse to provide personal data subject with their personal data in cases stipulated by Federal Law No. 152-FZ;
- hold the Operator's employees liable for violation of the requirements related to the processing and protection of personal data, whose job descriptions stipulate respective functions for the processing and protection of personal data.

11. The consent of the personal data subject to receive informational and advertising messages


11.1. Using the Website and leaving data about themselves, the User of the Website shall freely, of their own free will and for their sole benefit, hereby express their consent to receiving the information messages from the Operator to the e-mail address and (or) subscriber phone number of the User specified by the User when using the Website.
11.2. When using the Website, the User shall also, in accordance with Part 1 of Article 18 of the Federal Law on Advertising, grant their consent to the receipt of advertising messages by them and persons represented by them (when an appropriate check-box was ticked when registering a personal account).
11.3. The User shall be entitled to opt out of advertising messages by clicking on the corresponding link of the incoming mail (the "Unsubscribe" tab), or to send a message to the Operator at info@startin.moscow from the User's e-mail address specified by the User when logging on the Website refusing to receive advertisements.

12. Confidentiality of the personal data


The Operator and other persons who have obtained access to personal data of the Website Users shall not disclose the same to the third parties or distribute the personal data without the consent of the personal data subject, unless otherwise provided for by Federal Law No. 152-FZ.

13. Personal data security


13.1. All the Operator's employees shall comply with the personal data security requirements stipulated by the federal laws applicable to personal data, as well as the Operator's internal regulations and procedures governing the personal data processing and protection.
13.2. The security of personal data shall be ensured by the Operator by taking legal, organizational and technical measures required to comply with federal laws applicable to personal data.
13.3. The list of measures aimed at ensuring the Operator’s fulfillment of the obligations stipulated by Federal Law No. 152-FZ shall include, but not be limited to:
- appointment of persons in charge of the arrangement of the personal data processing;
- Operator’s issuance of documents defining the personal data processing policy, local regulations on personal data processing, as well as local regulations establishing the procedures aimed at preventing and detecting violations of personal data laws;
- internal control (audit) of conformity of the personal data processed by the Operator to Federal Law No. 152-FZ and regulations of governmental regulators (FSTEC, FSS, Roskomnadzor), personal data protection requirements, Operator's personal data processing policy, and Operator’s local regulations;
- assessment of the damage that may be caused to personal data subjects in case of violation of Federal Law No. 152-FZ, the correlation between this damage and the measures taken to ensure the fulfillment of the Operator's obligations;
- review of the provisions of the federal laws on personal data, including requirements for their protection, as well as the Operator's documents defining its policy on personal data processing and local regulations on personal data processing by the Operator's employees processing the personal data, as well as training of the said employees.
13.4. The list of legal, organizational and technical measures taken by the Operator to ensure security and protection of personal data during their processing shall include, but not be limited to:
- identification of security threats to personal data during their processing on the Website;
- application of organizational and technical measures to ensure the security of personal data during their processing on the Website, required to comply with the personal data protection requirements, the fulfillment of which ensures the personal data security levels established by the Government of the Russian Federation;
- application of information protection means that have passed the conformity assessment in accordance with the established procedure;
- evaluation of the effectiveness of measures taken to ensure the security of personal data prior to the Website commissioning;
- accounting for machine-readable personal data carriers;
- detection of the cases of unauthorized access to personal data and taking of measures, including measures to detect, prevent and eliminate the consequences of computer attacks on the Website and to respond to computer incidents with the Website;
- recovery of personal data modified or destroyed as a result of unauthorized access to them;
- establishing the rules of access to personal data processed on the Website, as well as ensuring the registration and accounting for all actions performed with personal data of the Website Users;
- monitoring of the measures taken to ensure the security of personal data and the Website security level.
13.5. The Operator shall take the required and sufficient organizational and technical measures to ensure the security of personal data of the Website Users compliant with the federal laws applicable to personal data and regulations of governmental regulators (FSTEC, FSS, Roskomnadzor) in relation to the processing and protection of personal data:
- the persons in charge of arranging the personal data processing and ensuring the information security (security administrators) were appointed by orders;
- the local regulations on the issues of personal data processing and information security were issued;
- physical security of premises and means used to process the data is ensured, control of access to personal data, security and video surveillance is arranged;
- the access of employees and other persons to personal data and means of processing is segregated; the Users' actions with personal data are monitored;
- threats to the security of personal data during their processing in the Operator's personal data information systems and on the Website;
- security-certified information protection means (anti-virus protection means, firewalls, unauthorized access protection means, information cryptographic protection means) are in place;
- accounting for and storage of machine carriers of personal data (machine data carriers), preventing their theft, substitution, unauthorized copying and destruction, is organized;
- backup of information for restoration needs is provided;
- internal control over compliance with the established procedure for verifying the effectiveness of the adopted personal data protection measures and response to information security incidents is organized;
- the contracts with counterparties are checked for the clauses obliging the counterparties to comply with the federal laws to ensure the confidentiality of personal data, its protection and security during processing and where such clauses were found missing, they were included;
- the measures to improve the Operator's information infrastructure, including in view of the information security requirements, are planned and implemented.

14. Operator’s liability


14.1. The Operator shall be liable to the personal data subject for the actions of the persons to whom the Operator delegates the processing of the personal data of the personal data subject.
14.2. Access to processed personal data shall be granted only to those employees of the Operator who need it in connection with the performance of their job duties and in compliance with the principle of personal responsibility.
14.3. The Operator's officials guilty of violating the requirements governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by the federal legislation.
14.4. The Operator shall not be liable for disclosure and distribution of the User's personal data by other Users of the Website or other persons in case such persons got access to the User's personal data as a result of the User's violation of confidentiality of his/her personal data.
14.5. The Operator shall not be liable for disclosure and distribution of the User's Personal Data, access to which is provided by the User (personal data subject) or at the User's request (will), including in case the User posts on the Website public reviews of the Operator's partners and (or) services provided by them.

15. Appeals of Users


15.1. Information about the User's personal data processed by the Operator shall be provided to the User or his/her legal representative in accordance with the procedure established by Federal Law No. 152-FZ.
15.2. Inquiries in respect of the personal data processed by the Operator shall be submitted by the User and/or their legal representative in writing to the Operator's address.

16. Amendments to the Policy


16.1. The Operator shall be entitled to amend this Policy unilaterally and at its sole discretion, including, but not limited to, in cases when the relevant changes are related to amendment of federal laws, as well as in cases of changes in the Website operation.
16.2. The Policy shall be amended by the Operator by posting a new version hereof on the Website. The Policy amended by the Operator shall become effective once a new version of such Policy is posted on the Website.
16.3. The User shall check this Policy for any amendments on their own. The User’s failure to review the said amendments may not serve as a basis for the User to make any demands and/or claims against the Operator.
16.4. The User may reject the amendments to this Policy by exercising the right provided for in Section 9 hereof.

17. Final provisions


The other rights and obligations of HCD ANPO as a Personal Data Operator shall be determined by laws of the Russian Federation applicable to the personal data.