PERSONAL DATA PROCESSING POLICY AT KAZAN EXPO ANO

1. GENERAL PROVISIONS

The personal data processing policy at Kazan Expo ANO (hereinafter referred to as the Policy) has been developed in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.
This Policy defines the procedure for processing personal data and measures to ensure their security at Kazan Expo ANO (hereinafter referred to as the Company, operator) in order to protect the rights of personal data subjects during processing of their personal data.

This Policy uses the following terms and definitions:
automated processing of personal data—processing of personal data using computer technology;
blocking of personal data—temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
personal data information system—a set of personal data contained in personal data databases and information technologies and technical means that ensure their processing;
depersonalization of personal data—actions, as a result of which it is impossible to determine, without the use of additional information, the ownership of personal data by a specific personal data subject;
personal data processing—any action (operation) or set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
operator—the Company that processes personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data;
personal data—any information relating directly or indirectly to a specific or identifiable natural person (personal data subject);
provision of personal data—actions aimed at disclosing personal data to a certain person or a certain circle of persons;
distribution of personal data—actions aimed at the disclosure of personal data to an indefinite circle of persons (transfer of personal data) or to familiarization with personal data by an unlimited number of persons, including the disclosure of personal data in the media, placement in information and telecommunication networks or providing access to personal data in any other way;
cross-border transfer of personal data—transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign natural person or a foreign legal entity;
destruction of personal data—actions as a result of which it is impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
Company employee—a natural person who is or was in an employment relationship with the Company;
Kazan Expo ANO—Autonomous non-profit organization “Center for the development and support of congress and exhibition, cultural, entertainment, sports and social events ‘Kazan Expo’.”

2. PRINCIPLES OF PERSONAL DATA PROCESSING

The processing of personal data in the Company is carried out based on the following principles:
– the processing of personal data is carried out on a legal and fair basis;
– the processing of personal data is limited to achieving specific, pre-defined and legitimate purposes. It is not allowed to process personal data in a way incompatible with the purposes of personal data collection;
– it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
– only personal data that meet the purposes of their processing are subject to processing;
– the content and scope of the processed personal data correspond to the stated purposes of processing. The processed personal data are not redundant against the stated purposes of their processing;
– when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data shall be ensured. The Company takes necessary measures to remove or clarify incomplete or inaccurate data or ensures adoption of such measures;
– storage of personal data is carried out in a form that allows determination of the subject of personal data, no longer than required by the purposes of processing personal data, if the period of personal data storage is not established by federal law or an agreement to which the subject of personal data is a party, beneficiary or guarantor;
– processed personal data are subject to destruction or depersonalization upon reaching the purposes of processing or in case the need to achieve these purposes is lost, unless otherwise provided by federal law.

3. PURPOSES OF COLLECTION AND PROCESSING OF PERSONAL DATA

The Company processes personal data of the following categories of personal data subjects:
– persons applying for a job—natural persons applying to fill a vacancy in the Company (hereinafter referred to as applicants);
– employees—natural persons who are or were in employment relationships with the Company;
– employees’ family members (in their absence—close relatives)—natural persons who are in family or related relations with the employees of the Company (hereinafter referred to as family members);
– shareholders—natural persons who are owners of the Company's shares;
– persons who are members of the management and control bodies of the Company—natural persons who are members of the Board of Directors, the Management Board and the Audit Commission of the Company;
– contractors—natural persons providing services to the Company and performing work under civil law contracts;
– counterparties’ employees—natural persons who are employees of third-party counterparty organizations with which the Company has contractual relations or is going to establish them;
– the Company’s guests—natural persons who have or had access to the territory of the administrative premises of the Company with a temporary or once-only pass;
– guests of Kazan Expo ANO—natural persons who are or have been guests at exhibitions, as well as participants in non-exhibition events, as well as those who expressed a desire to visit them.

For each category of personal data subjects, the Company has determined the purposes of processing personal data:
1) applicants:
– the personal data of the applicant are processed solely for the purpose of his/her selection for a position in the Company.
2) employees:
– the employee’s personal data are processed for the purpose of his/her training, transfer to another work, labor protection and personal safety, quality control of the work performed, remuneration in accordance with the requirements of laws and other regulatory legal acts, as well as ensuring the safety of the Company's property.
3) family members:
– personal data of the employee’s family member (close relative) are processed in order to comply with labor legislation in relation to the Company’s employee, as well as in cases of voluntary medical insurance of a family member (close relative).
4) shareholders:
– exercise of powers to manage the Company (implementation of the provisions of the Articles of Association);
– making financial payments.
5) persons who are members of the management and control bodies of the Company:
– fulfillment of the requirements of the legislation of the Russian Federation (Federal Law No. 129-FZ dated August 08, 2001 “On State Registration of Legal Entities and Individual Entrepreneurs”, Federal Law No. 208-FZ dated December 26, 1995 “On Joint-Stock Companies”, Federal Law No. 39-FZ dated April 22, 1996 “On securities market”, “Regulations on the disclosure of information by issuers of equity securities”, approved by the Bank of Russia on December 30, 2014 under No. 454-P, registered with the Ministry of Justice of Russia on February 12, 2015 under No. 35989).
6) contractors:
– the contractor's personal data are processed by the Company for the purpose of concluding a contract and fulfillment of the terms of a civil law contract to provide services and perform work.
7) counterparties’ employees:
– personal data of the counterparty’s employee are processed for the purpose of concluding a contract and fulfillment of the terms of the contract (agreement) between the Company and a third-party counterparty organization.
8) the Company’s guests:
– the personal data of the Company’s guest are processed in order to ensure his/her registration and availability of the pass to the territory of the Company.
9) guests of Kazan Expo ANO:
– personal data of the guest of Kazan Expo ANO are processed by the Company in order to ensure the participation of guests in exhibition and non-exhibition events, as well as their information support.
When determining the scope and content of the processed personal data of PD subjects, the Company is guided by the purposes of collection and processing of personal data.
The list of personal data processed by the Company is approved by the Order of the General Director of the Company.

4. TERMS OF PERSONAL DATA PROCESSING

The Company processes personal data in the presence of at least one of the following conditions:
– processing of personal data is carried out with the consent of the personal data subject to the processing of his/her personal data;
– the processing of personal data is necessary for the performance of a contract to which the personal data subject is a party, beneficiary or guarantor, as well as for the conclusion of a contract on the initiative of the personal data subject or a contract under which the personal data subject will be the beneficiary or guarantor;
– the processing of personal data is necessary to exercise the rights and legal interests of the operator or third parties, provided that this does not violate the rights and freedoms of the personal data subject;
– the processing of personal data is carried out for statistical or other research purposes, subject to mandatory anonymization of personal data.

5. PRIVACY OF PERSONAL DATA

The Company and other persons who have gained access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the personal data subject, unless otherwise provided by the legislation of the Russian Federation.

6. PUBLICLY AVAILABLE SOURCES OF PERSONAL DATA

For the purpose of information support, the Company creates publicly available sources of personal data, including information about the Company's management, namely the official website of the Company, located at: http://www.kazanexpo.ru/. Publicly available sources of personal data, with the written consent of the subject of personal data, include: last name, first name, patronymic, position, information about previous jobs, information about education.
Information about the personal data subject must be excluded from publicly available sources of personal data at the request of the personal data subject or by decision of a court or other authorized state bodies.

7. SPECIAL CATEGORIES OF PERSONAL DATA

The Company processes special categories of personal data subject to written consent to the processing of such personal data.
The processing of special categories of personal data is immediately terminated if the reasons for which they were processed have been eliminated, unless otherwise provided by the legislation of the Russian Federation.

8. ENTRUSTING THE PROCESSING OF PERSONAL DATA TO ANOTHER PERSON

The Company has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, on the basis of an agreement concluded with this person. A person who processes personal data on behalf of the Company is obliged to comply with the principles and rules for the processing of personal data provided for by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”. The processing order defines a list of actions (operations) with personal data that will be performed by the person processing personal data and the purposes of processing, establishes the obligation of such a person to maintain the privacy of personal data and ensure the security of personal data during their processing, as well as specifies the requirements for protection of processed personal data.

9. CROSS-BORDER TRANSFER OF PERSONAL DATA

The Company has the right to carry out cross-border transfer of personal data to the territory of foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of personal data subjects in accordance with contracts concluded with the organizers of the exhibition and congress events.

10. RIGHTS OF THE PERSONAL DATA SUBJECT

10.1 Consent of the personal data subject to the processing of his/her personal data
The personal data subject decides to provide his/her personal data and agrees to their processing freely, by his/her own will and in his/her own interest. Consent to the processing of personal data may be given by the personal data subject or his/her representative in any form allowing to confirm the fact of its receipt, unless otherwise established by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”.
The obligation to provide proof of obtaining the consent of the subject to the processing of his/her personal data, or proof of the existence of the grounds specified in Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”, lies with the Company.
A person who processes personal data on behalf of the Company is not obliged to obtain the consent from the personal data subject to the processing of his/her personal data.

10.2 Rights of the personal data subject
In pursuance of the requirements of Federal Law No. 152-FZ “On Personal Data”, that ensures the observance of the rights of a personal data subject to access personal data, the Company has developed and introduced a procedure for handling requests and appeals from personal data subjects. This procedure ensures compliance with the following rights of personal data subjects:
– a personal data subject has the right to receive information concerning the processing of his/her personal data, within the time limits provided for by Federal Law No. 152-FZ “On Personal Data”;
– a personal data subject has the right to require the Company to clarify, block or destroy his/her personal data in the event that the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures to protect his/her rights in accordance with the provisions of Federal Law No. 152-FZ “On Personal Data”;
– a personal data subject has the right to demand clarification from the Company on the procedure of making a decision on the basis of exclusively automated processing of personal data of the personal data subject and the possible legal consequences of such a decision;
– a personal data subject has the right to appeal against the actions or inaction of the Company to the Authorized body for the protection of the rights of personal data subjects (hereinafter referred to as Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) or in a judicial proceeding;
– a personal data subject has the right to protect his/her rights and legal interests, including compensation for damages and (or) compensation for moral injury in a judicial proceeding.
The right of a personal data subject to access his/her personal data may be limited in accordance with federal laws.

11. PERSONAL DATA SECURITY

The security of personal data processed by the Company is ensured by the implementation of legal, organizational and technical measures necessary to meet the requirements of federal legislation in the field of personal data protection.
To prevent unauthorized access to personal data, the Company applies the following organizational and technical measures:
– appointment of an official responsible for the organization of personal data processing;
– appointment of an official responsible for ensuring personal data security;
– accounting for the Company's employees admitted to the processing of personal data;
– familiarization of the Company's employees with the requirements of the legislation of the Russian Federation and the Company’s internal regulatory documents on personal data processing and security;
– organization of accounting, storage and control of the circulation of personal data carriers;
– identification of threats to the security of personal data during their processing in personal data information systems, the formation of the Threat Model and the Model of the violator of personal data security on their basis; the use of information security tools necessary to ensure the personal data security, including cryptographic information protection tools;
– ensuring the recovery of personal data destroyed or modified due to unauthorized access to them;
– determination of the places of personal data storage;
– evaluation of the effectiveness of the measures taken to ensure the security of personal data;
– ensuring control over the measures taken to ensure personal data security and over the level of personal data protection;
– organization of access control to the territory of the Company, and security of premises with technical means of processing personal data.

12. ORGANIZATION OF PROCESSING OF APPEALS AND REQUESTS
12.1 List of appeals and requests
When carrying out the Company’s activities for the processing of personal data, the following requests and appeals of the personal data subject or his/her legal representative are possible:
– request for information on the processing of personal data of the personal data subject;
– request for information on the processing of personal data of the personal data subject in order to promote goods, works, services on the market;
– request for information on the processing of personal data of the personal data subject with decision-making based solely on automated processing of personal data;
– request for information on the processing of personal data of the personal data subject in public sources;
– request for information on the transfer of personal data of the personal data subject to third parties;
– request for information on the cross-border transfer of personal data of the personal data subject;
– an appeal to revoke the consent of the personal data subject to the processing of his/her personal data;
– the requirement to clarify the personal data of the personal data subject;
– the requirement of the personal data subject to block his/her personal data;
– the requirement of the personal data subject to destroy his/her personal data.

12.2 Reception of requests, appeals and instructions
The processing of appeals and requests of personal data subjects or their representatives is organized by the person responsible for organizing the processing of personal data (hereinafter referred to as the Responsible).
The Responsible is appointed by Order of the General Director of the Company.
In order to register appeals and requests regarding the processing of personal data, as well as responses to them, the Responsible keeps a Register of Requests and Appeals on Personal Data Issues.
The request (appeal) of the personal data subject must contain:
– last name, first name and patronymic of the personal data subject;
– passport details of the personal data subject (his/her representative);
– information confirming the participation of the personal data subject in relations with the Company (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact that the personal data of the personal data subject is being processed by the Company;
– text of the content of the request (appeal);
– address for receiving a response to the request (appeal);
– signature of the personal data subject (his/her representative).
In the presence of the above mandatory details, the request (appeal) must be recorded in the Register of Requests and Appeals on Personal Data Issues (hereinafter referred to as the Register). If the details specified in the request (appeal) are incomplete or contain incorrect information, it is necessary to indicate in the response to this request (appeal) what data need to be clarified.

12.3 Responding to appeals, requests and instructions
The person responsible for compiling a response to a request (appeal) concerning the processing of personal data of personal data subjects is obliged to request and receive the necessary information from the relevant department of the Company that processes personal data of the personal data subject. The departments of the Company in which the personal data specified in the request (appeal) are processed ensure the provision of information to the Responsible within 3 (three) working days.
In the process of responding to requests (appeals) of the personal data subject (his/her representative), the Responsible organizes and ensures the implementation of the following activities:
– collection, analysis and recording of information on the availability, basis and conditions of processing of personal data relating to the personal data subject, including publicly available personal data;
– collection of information on the basis for the processing of personal data in order to promote goods, work, services on the market;
– collection, analysis and recording of information about the transfer of personal data of the personal data subject to third parties, as well as cross-border transfer;
– collection, analysis and recording of information on decisions that give rise to legal consequences in relation to the personal data subject, based solely on automated processing of personal data;
– providing the personal data subject with the opportunity to get acquainted with his/her personal data, as well as making the necessary changes to them, destroying or blocking the relevant personal data upon the provision by the subject of personal data of information confirming that his/her personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
– development of instructions to third parties to which the subject's personal data were transferred on the need to make changes and take measures in relation to the personal data of the personal data subject;
– in case of refusal to provide the subject (his/her representative) with the personal data upon his/her request (appeal) for information on the processing of personal data, a reasoned response containing a reference to the relevant norm of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” shall be developed.
To respond to requests (appeals) of the personal data subject (his/her representative), the following terms are provided:
– provision of information (refusal to provide it) to the personal data subject (his/her representative) on the processing of personal data, as well as provision of the opportunity to get acquainted with personal data shall take place within 30 (thirty) days from the date of receipt of the request (appeal);
– making changes to personal data if they are incomplete, inaccurate or outdated shall be implemented within no more than 7 (seven) business days from the date of receipt of the request (appeal);
– destruction of personal data in the event that they are obtained illegally or are not necessary for the stated purpose of processing shall take place within no more than 7 (seven) working days from the date of receipt of the request (appeal).
Requests (appeals, instructions) received on personal data issues, as well as responses to them, must not violate the constitutional rights and freedoms of other persons.

13. FINAL PROVISIONS

This Policy is reviewed as necessary, based on an assessment of the effectiveness of the measures implemented within the framework of the personal protection system to ensure the personal data security (the specified assessment is carried out at least once every 3 years) or in case of changes in the requirements of the legislation of the Russian Federation in the field of personal data processing and protection.
Changes to this Policy are made by Order of the General Director of the Company.
The Company provides unlimited access to this Policy by publishing this Policy on the official website of the Company located at: http://www.kazanexpo.ru/.
Other rights and obligations of the Company are determined by the legislation of the Russian Federation in the field of personal data.

14. LIABILITY
The Company’s employees who are guilty of violating the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” shall bear responsibility under the legislation of the Russian Federation.