Privacy Policy
Revision effective as of 1 April 2020
1. General Terms
1.1. This policy with respect to processing and protection of personal data (hereinafter, the "Policy") is approved by the Naked Heart Foundation for Children and Youth (registered in the Russian Federation, main state registration number 1055238047072 dated April 20, 2005, location address: 603005, Russian Federation, Nizhny Novgorod region, Nizhny Novgorod city, 10 Piskunov street) (hereinafter - "the Foundation") and determines main principles, objectives, terms and methods of personal data processing, lists of subjects and personal data processed by the Foundation, functions of the Foundation during personal data processing, rights of subjects of personal data.
1.2. This Policy is developed in accordance with the requirements of the Constitution of the Russian Federation, the Federal Law of 27.07.2006 N 152-FZ "On Personal Data", as well as other legislative and regulatory acts of the Russian Federation in the field of personal data.
1.3. This Policy is the basis for the development of local regulations and other documents governing the processing of personal data at the Foundation.
1.4. The Foundation, as the Personal Data Operator, shall process personal data of individuals (hereinafter referred to as "Personal Data Subject" or "Subject"), whether or not in an employment relationship with the Foundation, in particular, but not limited to:
- individuals who are candidates to fill vacant positions in the Foundation or who have entered into an employment contract with the Foundation (hereinafter referred to as "Employee" or "Employees");
- individuals who are candidates for or have entered into a civil law contract with the Foundation to perform volunteer activities (the "Volunteer" or "Volunteers");
- individuals (including individuals - representatives/employees of legal entities) who are candidates to enter into or have entered into a civil-law contract with the Foundation, except for a civil-law contract for volunteer activities;
- other individuals (including individuals - representatives/employees of legal entities), whose personal data are processed by the Foundation in connection with the implementation of its statutory activities, in particular, but not limited to, individuals participating in the Foundation events; individuals who send proposals, applications, complaints to the Foundation in accordance with the Regulations on the procedure for acceptance, registration and processing of incoming applications from third parties to the Foundation; other individuals who provide their personal data to the Foundation during the course of its activities.
1.5. The legal basis for the Foundation's processing of personal data includes, in particular, local normative acts of the Foundation, employment and civil law contracts concluded with the subjects of personal data, as well as the Subjects' consent to process their personal data.
1.6. The Policy shall also be adopted by the Foundation in order to ensure protection of human and civil rights and freedoms in the processing of their personal data, including protection of rights to privacy, personal and family secrets.
2. Key Terms and Definitions
2.1. For the purposes of this Policy, the following basic terms and definitions will be used:
2.1.1. Personal data - any information relating to a directly or indirectly defined or identifiable individual - the Subject of personal data;
2.1.2. Operator - a state body, municipal authority, legal entity or individual, individually or jointly with other persons, arranging and (or) implementing the Processing of personal data, as well as determining the purpose of the Processing of personal data, composition of personal data to be processed, actions (operations) performed with personal data;
2.1.3. Processing of personal data - any action (operation) or a set of actions (operations) performed with personal data with or without use of automation means, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (Distribution, Provision, access), depersonalization, Blocking, deletion, destruction of personal data;
2.1.4. Processor in charge - a person appointed by an order to be in charge of the organisation of the Processing of Personal Data;
2.1.5. Automated Processing of Personal Data - Processing of Personal Data by means of computer technology;
2.1.6. Dissemination of personal data - actions aimed at disclosure of personal data to an indefinite range of persons;
2.1.7. Provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
2.1.8. Blocking of personal data - temporary suspension of Processing of personal data (except in cases where Processing is necessary for clarification of personal data);
2.1.9. Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which tangible carriers of personal data are destroyed;
2.1.10. De-identification of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine the attribution of personal data to a particular Personal Data Subject;
2.1.11. Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a foreign state authority, foreign natural person or foreign legal entity.
3. Legal basis for processing of personal data by the Foundation
3.1. The Foundation processes Personal Data on the basis of the following laws and regulations:
3.1.1. Constitution of the Russian Federation;
3.1.2. Labour Code of the Russian Federation;
3.1.3. Civil Code of the Russian Federation;
3.1.4. Federal Law No. 7-FZ of January 12, 1996 "On Non-Profit Organizations";
3.1.5. Federal Law No. 149-FZ of 27 July 2006 'On Information, Information Technologies and Information Protection';
3.1.6. Regulation on peculiarities of personal data processing, carried out without the use of automation equipment, approved by Decision of the Government of the Russian Federation of September 15, 2008, № 687;
3.1.7. Requirements for material media of biometric personal data and technology for storing such data outside personal data information systems, approved by the Decision of the Government of the Russian Federation of July 6, 2008, No. 512;
3.1.8. Requirements for the protection of personal data during their processing in personal data information systems, approved by the Decision of the Government of the Russian Federation of November 1, 2012, No. 1119;
3.1.9. other applicable laws and regulations of the Russian Federation.
3.2. The Foundation shall also process Personal Data in accordance with:
3.2.1. the provisions of the Articles of Association of the Foundation;
3.2.2. local acts of the Foundation regulating Personal Data Processing issues;
3.2.3. agreements concluded by the Foundation with Personal Data Subjects;
3.2.4. consents of Personal Data Subjects to Processing of their Personal Data.
4. Principles of Personal Data Processing by the Foundation
4.1. Processing of Personal Data by the Foundation shall be carried out with respect to the need to ensure protection of rights and freedoms of employees of the Foundation and other Personal Data Subjects, including protection of the right to privacy, personal and family secrets, based on the following principles:
4.1.1. Processing of personal data shall be carried out by the Foundation on a lawful and fair basis;
4.1.2. Processing of personal data shall be limited to achieving specific, predetermined and legitimate objectives;
4.1.3. Processing of personal data incompatible with the purposes of personal data collection shall not be permitted;
4.1.4. databases containing personal data, the Processing of which is incompatible with one another, shall not be merged;
4.1.5. only personal data which meet the purposes of Processing shall be processed;
4.1.6. the content and scope of Processed Personal Data shall be consistent with the stated purposes of Processing. The processed Personal Data shall not be excessive in relation to the stated purposes of Processing;
4.1.7. when processing personal data, the accuracy of personal data, its sufficiency and, where necessary, relevance in relation to the purpose of personal data processing shall be ensured. The Foundation shall take the necessary measures or ensure that such measures are taken to delete or clarify incomplete or inaccurate personal data;
4.1.8. personal data shall be stored in a form enabling identification of the Personal Data Subject for no longer than required by the purposes of Personal Data Processing, unless the period of storage of personal data is established by federal law, local regulatory acts of the Foundation or a contract to which the Personal Data Subject is a party, beneficiary or guarantor;
4.1.9. processed personal data shall be destroyed or depersonalized upon attainment of the objectives of Processing or in case of loss of necessity for attainment of such objectives, unless otherwise provided by the federal law.
5. Purposes of processing of personal data
5.1. The Foundation shall process personal data solely for the purposes for which it was provided, including:
5.1.1. ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory acts of the Russian Federation, local regulatory acts of the Foundation;
5.1.2. exercise the rights and lawful interests of the Foundation within the framework of the activities provided by the Articles of Association and other local regulations of the Foundation or third parties or to achieve socially important goals;
5.1.3. protection of life, health or other vital interests of the Personal Data Subjects;
5.1.4. performance of functions, powers and duties assigned to the Foundation by the legislation of the Russian Federation, including the provision of personal data to the state authorities, the Pension Foundation of the Russian Federation, the Social Insurance Foundation of the Russian Federation, the Federal Compulsory Medical Insurance Foundation, as well as to other state authorities;
5.1.5. execution of judicial acts, acts of other authorities and officials enforceable by the Foundation in accordance with the applicable laws of the Russian Federation;
5.1.6. regulation of relations with candidates for vacant positions in the Foundation and labour relations with employees of the Foundation;
5.1.7. regulation of relations with individuals who are candidates for or individuals who have entered into a civil law contract with the Foundation to carry out volunteer activities;
5.1.8. regulate the relations between the Foundation and individuals/legal entities regarding the preparation, conclusion, execution and termination of civil law contracts between the Foundation and such individuals, except for civil law contracts for volunteer activities;
5.1.9. regulate relations between the Foundation and other natural persons (including natural persons - representatives/employees of legal entities) on any issues related to the activities of the Foundation and the achievement of the objectives for which it was established;
5.1.10. form reference materials for internal and external information support of the Foundation's activities;
5.1.11. for other lawful purposes with the consent of the Personal Data Subject.
6. List of processed personal data
6.1. The list of personal data processed by the Foundation shall be determined in accordance with the legislation of the Russian Federation and local regulations of the Foundation, taking into account the purposes of Processing of personal data specified in Section 4 of the Policy.
6.2. List of personal data of individuals - candidates to fill vacant positions in the Foundation, processed by the Foundation:
- surname, first name, patronymic (including former ones), date and place of birth;
- passport details or other identity document details (series, number, date of issue, name of issuing authority, subdivision code) and citizenship;
- residence address (address of registration and address of actual residence) and date of registration at residence or place of stay;
- telephone numbers (mobile and home), in case of their registration to the subject of personal data or to the address of his/her registration;
- e-mail address;
- information about education, qualification and special knowledge or training (series, number, date of diploma, certificate, certificate or other document on graduation from educational institution, name and location of educational institution, date of start and completion of education, faculty or department, qualification and specialization upon graduation from educational institution, academic degree, academic rank, foreign language skills and other information);
- information about professional development and retraining (series, number, date of issue of the document about professional development or retraining, name and location of the educational institution, date of the beginning and completion of education, qualification and speciality upon graduation from the educational institution and other information);
- employment details (data on current employment with full indication of position, unit, name, address and telephone number of the organization, as well as details of other organizations with full name of positions previously held in them and the time of work in these organizations, as well as other information), including the number, series and date of issue of the work record book (insert) and records in it, as well as characteristics and recommendations from previous jobs;
- information on military registration of persons liable for military duty or conscription (series, number, date of issue, name of the issuing authority, military registration specialization, military rank, data on registration and deregistration, and other information);
- information on marital status (marital status, data from the marriage certificate, name, patronymic of the spouse, passport data of the spouse, marriage contract data, data from the certificate on the form 2NDFL of the spouse, the document data on debt obligations, degree of kinship, names, patronymics and dates of birth of other family members, dependents and other information);
- information on property (property status): motor vehicles (state numbers and other data from registration certificates of motor vehicles and vehicle passports); real estate (type, type, method of obtaining, general characteristics, value, full addresses of the property and other information); bank deposits (account numbers, type, term of placement, amount, terms of deposit and other information); loans, bank accounts (including bank card accounts), cash and securities;
- criminal record (or absence of it);
- information on number and series of state pension insurance certificate;
- information on taxpayer identification number;
- information from mandatory (voluntary) health insurance policies (including information from respective health insurance cards);
- information on the state of health, as well as medical reports submitted by the employee on passing the mandatory preliminary and periodic medical examinations;
- information on bank accounts (deposits) of the employees (numbers of individual personal accounts or other accounts and other bank details) for the settlements with the employees;
- other information about the Employee, which may be required by the Foundation, obtained with the consent of the relevant Subject.
6.3. The list of personal data of the Foundation employees processed and subject to storage in the Foundation in the manner prescribed by Russian law includes:
- surname, first name, patronymic (including former ones), date and place of birth;
- passport details or other identity document details (series, number, date of issue, name of issuing authority, subdivision code) and citizenship;
- details of a passport proving identity outside the territory of the Russian Federation (series, number, date of issue, name of issuing authority, subdivision code), including other information contained in this document;
- residence address (address of registration and address of actual residence) and date of registration at the place of residence or place of stay;
- telephone numbers (mobile and home), in case of their registration to the subject of personal data or to the address of his/her registration;
- e-mail address;
- information about education, qualification and special knowledge or training (series, number, date of diploma, certificate, certificate or other document on graduation from educational institution, name and location of educational institution, date of start and completion of education, faculty or department, qualification and specialization upon graduation from educational institution, academic degree, academic rank, foreign language skills and other information);
- the information about professional development and retraining (series, number, date of issue of the document about professional development or retraining, name and location of the educational institution, date of the beginning and completion of education, qualification and speciality upon graduation from the educational institution and other information);
- employment details (data on current employment with full indication of position, unit, name, address and telephone number of the organization, as well as details of other organizations with full name of positions previously held in them and the time of work in these organizations, as well as other information), including the number, series and date of issue of the work record book and records in it, as well as characteristics and recommendations from previous jobs;
- information on military registration of persons liable for military duty or conscription (series, number, date of issue, name of the issuing authority, military registration specialization, military rank, data on registration and deregistration, and other information);
- information on marital status (marital status, data from the marriage certificate, name, patronymic of the spouse, passport data of the spouse, marriage contract data, data from the certificate on the form 2NDFL of the spouse, the document data on debt obligations, degree of kinship, names, patronymics and dates of birth of other family members, dependents and other information);
- information on property (property status): motor vehicles (state numbers and other data from registration certificates of motor vehicles and vehicle passports); real estate (type, type, method of obtaining, general characteristics, value, full addresses of the property and other information); bank deposits (account numbers, type, term of placement, amount, terms of deposit and other information); loans, bank accounts (including bank card accounts), cash and securities;
- criminal record (or absence of it);
- information on number and series of state pension insurance certificate;
- information on taxpayer identification number;
- information from mandatory (voluntary) health insurance policies (including information from respective health insurance cards);
- information on the state of health, as well as medical reports submitted by the employee on passing the mandatory preliminary and periodic medical examinations;
- information on bank accounts (deposits) of the employees (numbers of individual personal accounts or other accounts and other bank details) for the settlements with the employees;
- other information about the Employee, which may be required by the Foundation, obtained with the consent of the relevant Subject.
6.4. List of personal data of individuals who are candidates to enter into or have entered into a civil law contract with the Foundation for volunteering activities processed and to be stored by the Foundation in the manner prescribed by Russian law:
- surname, first name, patronymic (including former ones), date and place of birth;
- passport details or other identity document details (series, number, date of issue, name of issuing authority, subdivision code) and citizenship;
- residence address (address of registration and address of actual residence) and date of registration at residence or place of stay;
- telephone numbers (mobile and home), in case of their registration to the subject of personal data or to the address of his/her registration;
- e-mail address;
- information about education, qualification and special knowledge or training (series, number, date of diploma, certificate, certificate or other document on graduation from educational institution, name and location of educational institution, date of start and completion of education, faculty or department, qualification and specialization upon graduation from educational institution, academic degree, academic rank, foreign language skills and other information);
- employment details (data on current employment with full indication of position, unit, name, address and telephone number of the organization, as well as details of other organizations with full name of positions previously held in them and the time of work in these organizations, as well as other information), including the number, series and date of issue of the work record book and records in it, as well as characteristics and recommendations from previous jobs and volunteering activities;
- criminal record (or absence of it);
- information on health status;
- other information about an individual who is a candidate for or has entered into a civil law contract with the Foundation for the implementation of volunteer activities, obtained with the consent of the relevant Subject.
6.5. List of personal data of individuals (including representatives/employees of legal entities) processed by the Foundation for the purposes of preparation, conclusion, execution and termination of civil-law contracts between the Foundation and individuals/legal entities, except for civil-law contracts for volunteering activities:
- surname, first name, patronymic (including former ones), date and place of birth;
- the main state number of an individual entrepreneur and details of the relevant certificate of state registration of an individual as an individual entrepreneur or a record sheet in the Unified State Register of Individual Entrepreneurs;
- information on the taxpayer identification number;
- passport data or other identification document data (series, number, date of issue, name of the issuing authority, subdivision code) and nationality;
- residence address (address of registration and address of actual residence) and date of registration at the place of residence or at the place of stay;
- telephone numbers (mobile and home), in case of their registration to the subject of personal data or to the address of his/her registration;
- e-mail address;
- information about education, qualification and special knowledge or training (series, number, date of diploma, certificate, certificate or other document about graduation from educational institution, name and location of educational institution, date of start and completion of education, faculty or department, qualification and specialty upon graduation from educational institution, academic degree, academic rank, foreign language skills and other information);
- information on criminal record (or lack thereof);
- information on the document certifying the authority of a natural person as a representative of a legal entity;
- other information about the above-mentioned individuals (including representatives/employees of legal entities), obtained with the consent of the relevant Subject.
6.6. List of personal data of natural persons (including representatives/employees of legal entities) processed by the Foundation regarding any matters related to the activities of the Foundation and the achievement of the objectives for which it was established:
- surname, first name, patronymic (including former ones), date and place of birth;
- passport or other identity document details (series, number, date of issue, name of issuing authority, subdivision code) and nationality;
- residence address (address of registration and address of actual residence) and date of registration at residence or place of stay;
- telephone numbers (mobile and home), in case of their registration to the subject of personal data or to the address of his/her registration;
- e-mail address;
- other information about the aforementioned individuals (including representatives/employees of legal entities) obtained with the consent of the relevant Data Subject.
6.7. When processing the aforementioned Personal Data, the Foundation shall be entitled to request and receive from the Personal Data Subject original/copies of documents containing the aforementioned Personal Data of the Subject. If the Personal Data Subject provides the above originals/copies of documents to the Foundation, the Foundation shall duly process the relevant Personal Data, namely any information/data contained in the above documents.
6.8. The Foundation shall not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, intimate life.
7. Terms of processing of personal data at the Foundation
7.1. In accordance with this Policy, the Foundation shall process the Subject's personal data solely for the purposes specified in this Policy and on the basis of the consent to the processing of personal data received from the Subject of personal data (hereinafter, the "Consent").
7.2. The Personal Data Subject decides to provide his or her Personal Data and consents to the Processing thereof freely, willingly and in his or her own interest.
7.3. Consent to the Processing of Personal Data may be given by the Subject of Personal Data in the following forms:
- in writing, executed by the Personal Data Subject in person in the presence of an authorised representative of the Foundation. The Subject's written consent to the processing of his or her personal data shall include, in particular, the information specified in clauses 1-9 of Article 9(4) of the Federal Law dated 27.07.2006 N 152-FZ "On Personal Data".
The Subject's consent to processing of his/her personal data shall be deemed executed in written form if the Subject agrees with the terms of this Policy and the "User Agreement on the use of nakedheart.ru website", posted on the Foundation website nakedheart.ru, by filling in a separate field opposite the entry "I agree with the Foundation Policy on Personal Data Protection Processing and User Agreement" contained in the web form completed by the Subject while using the services of the Foundation website;
- verbally, in case of individual verbal communication of the Subject with representatives of the Foundation via a telephone line using technical means which allow telephone calls to be recorded in automated mode, as well as (with consent of the Subject of personal data) audio recording of negotiations to be made. In this situation, the audio recording of the verbal consent obtained from the Subject in relation to the Processing of his/her Personal Data shall constitute proper evidence of receipt of Consent.
7.4. Consent to the Processing of Personal Data shall be valid until revoked by the Personal Data Subject. Withdrawal of the Consent shall be made in a free form and shall be sent to the Foundation in accordance with the above procedure for sending the Consent.
7.5. The Foundation shall not disclose or distribute personal data to third parties without the consent of the Personal Data Subject, unless otherwise provided by federal law and this Policy.
7.6. The Foundation may entrust the Processing of Personal Data to another person with the consent of the Data Subject on the basis of a contract to be concluded with that person. Such an agreement must contain a list of operations (activities) with personal data which will be performed by the person processing personal data, the purpose of processing, the obligation of such person to ensure confidentiality of personal data and ensure security of personal data during their processing, as well as requirements for protection of processed personal data in accordance with the provisions of the Federal Law dated 27.07.2006 N 152-FZ "On Personal Data".
7.7. For information purposes, the Foundation may create reference materials which, with the Subject's written consent, unless otherwise provided by Russian law, may include his or her surname, name, patronymic, age, date and place of birth, position and place of work, residence address, email address and other personal data provided by the Subject.
8. Personal data processing, processing methods and rules
8.1. The Foundation collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (Dissemination, Provision, Access), depersonalizes, blocks, deletes and destroys personal data.
The Processing of Personal Data shall be carried out solely for the purposes specified in this Policy.
8.2. Personal Data shall be processed by the Foundation in the following ways:
- Non-automated Processing of Personal Data;
- Automated Processing of personal data with or without transmission of received information via information and telecommunication networks;
- Mixed Processing of Personal Data.
8.3. The right of access to personal data of the Subjects shall be vested in:
- The President of the Foundation and the Acting President of the Foundation;
- The Chief Accountant of the Foundation;
- Individual employees of the Foundation (name, surname, patronymic, information about actual place of residence, contact telephone numbers and e-mail addresses of the Subjects).
8.4. The source of information regarding all personal data of the Subjects shall be the Subject himself/herself.
If personal data can only be obtained from a third party, the Subject must be notified in advance in writing and their written consent must be obtained. The Foundation shall inform the Subject of the purpose, intended sources and means of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the Subject's refusal to give written consent to obtain it.
8.5. The Foundation, when processing Personal Data:
- takes necessary and sufficient measures to ensure compliance with the requirements of the legislation of the Russian Federation and local regulatory acts of the Foundation in the field of personal data;
- takes legal, organizational and technical measures for protection of personal data from unauthorized or accidental access to it, destruction, change, Blocking, copying, Provision, Distribution of personal data, as well as from other unlawful actions in relation to personal data;
- appoints a person responsible for the organization of personal data processing at the Foundation;
- issues local regulatory acts determining the policy and issues related to the Processing and protection of personal data at the Foundation;
- ensures familiarization of the Foundation's employees, directly engaged in personal data processing, with provisions of the legislation of the Russian Federation and local regulatory acts of the Foundation in the field of personal data, including requirements to protection of personal data, and training of such employees;
- publishes or otherwise ensures unrestricted access to this Policy;
- informs Personal Data Subjects or their representatives in the prescribed manner about availability of personal data pertaining to relevant Subjects, provides opportunity for familiarization with such personal data upon application and (or) receipt of requests of such Personal Data Subjects or their representatives, unless otherwise provided by the legislation of the Russian Federation;
- terminates the Processing and destroys the personal data in cases provided by the legislation of the Russian Federation in the field of personal data, including in cases of achievement of the objectives of personal data processing, expiry of the Consent or its revocation by the Subject of personal data, detection of unlawful Processing of personal data;
- performs other actions stipulated by the legislation of the Russian Federation in the field of personal data.
8.6. The Foundation shall transfer (including cross-border) personal data to third parties (hereinafter jointly referred to as the "Receiving Parties" and individually referred to as the "Receiving Party"):
- The Foundation for Children and Youth "Obnazhennoe serdtse", registered in the Russian Federation, main state registration number 1107799035190 dated 06.12.2010, registered address: 123242, Moscow, Bulvar Novinsky 25-27, build. 10,
- THE NAKED HEART FOUNDATION, a company incorporated on 26.06.2007 under the laws of the United Kingdom with registered number 6293334 and having its registered address at 59-60 Russell Square, London, WC1B 4HP, United Kingdom,
- NAKED HEART FRANCE, a company registered at 10, Place Vendôme, 75001, Paris, France.
The transfer (including cross-border) of personal data by the Foundation to third parties is subject to the following conditions:
8.6.1. The Foundation confirms that it has first ensured that the foreign countries to which personal data is transferred ensure a level of protection of personal data subjects' rights no lower than in the Russian Federation.
8.6.2. The transfer of personal data is free of charge. No guarantee or liability in respect of fidelity, absence of errors, protection rights of third parties, completeness and/or usability of information of a confidential nature shall be excluded.
8.6.3. Personal Data of Subjects shall be transferred under the Consent solely for the purpose of optimising the Processing of Personal Data by the Foundation and the Processing of the transferred Personal Data by the Receiving Parties for the purposes set out in Section 4 of this Policy.
8.6.4. The Foundation shall transfer Personal Data to the Receiving Parties in accordance with the lists set out in Section 5 of this Policy.
8.6.5. In connection with the transfer of information containing personal data, the Foundation undertakes to enter into agreements with the Receiving Parties on the transfer and processing of personal data, which include the Receiving Parties' obligations (including, but not limited to):
- comply with the personal data protection regime established by applicable law and not disclose it, in whole or in part, to any person at any time without the prior written consent of the Foundation;
- process personal data, namely collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (Dissemination, Provision, access), Depersonalization, Blocking, deletion and destruction of personal data, according to the purposes for which they were transmitted;
- process personal data in any of the following ways: Non-automated Processing of personal data; Automated Processing of personal data with or without transmission of received information via information and telecommunication networks; mixed Processing of personal data;
- store personal data in a form enabling identification of the personal data subject, for no longer than the purpose of personal data processing requires;
- allow access to personal data only to its employees who need such information and only after notifying such employees of the requirements of this Policy and the agreement concluded by the Foundation with the Receiving Party and obtaining their consent to comply with their terms. Each employee of the Receiving Party who has access to personal data agrees to comply with the terms of the latter by signing the information disclosure sheet with the relevant local act of the Receiving Party;
- take measures necessary in accordance with the legislation on personal data in order to ensure the safety of personal data received. In the event of discovery of disclosure of personal data to third parties, the Receiving Party shall promptly inform the Foundation of such facts and measures taken to mitigate the possible damage;
- in the event of detection of unauthorised Processing of personal data, terminate the unauthorised Processing of personal data within a period not exceeding 3 (three) working days from the date of such detection;
- in case the purpose of personal data processing is achieved, cease personal data processing and destroy or anonymise personal data within a period not exceeding 30 (thirty) days from the date of achievement of the purpose of personal data processing;
- in case of revocation by the Personal Data Subject of their consent to Processing of their personal data, cease Processing of personal data and, in case preservation of personal data is no longer required for the purposes of Processing of personal data, destroy or anonymise personal data within a period not exceeding 30 (thirty) days from the date of receipt of the said revocation.
8.6.6. Personal Data transferred by the Foundation to the Receiving Parties shall be protected from access by third parties at the time of transfer by appropriate and adequate means of protection: packaging, delivery by courier or technical means of information security (cryptography, etc.) and by other means established by the legislation on personal data.
8.6.7. When transferring personal data, the Foundation shall, in accordance with this Policy, take necessary legal, organisational and technical measures or ensure that they are taken to protect personal data against unauthorised or accidental access, destruction, modification, blocking, copying, sharing, dissemination of personal data, and other unlawful acts in relation to personal data.
8.7. All personal data processed by the Foundation shall be confidential, strictly protected information in accordance with the legislation of the Russian Federation and local regulations of the Foundation.
9. Rights of the subject of personal data
9.1. The subject of personal data has the right to:
- have access to his or her personal data, including the right to obtain a copy of any record containing his or her personal data free of charge;
- receive information regarding the processing of their personal data by the Foundation;
- demand that the Foundation clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of the Processing;
- require that all persons to whom incorrect or incomplete personal data have previously been communicated be notified of all deletions, corrections or additions made thereto;
- withdraw Consent to Personal Data Processing;
- exercise other rights provided by the legislation of the Russian Federation.
9.2. Information regarding Personal Data Processing shall include, inter alia, information containing:
- confirmation of the fact of processing of personal data by the Foundation;
- legal grounds and purposes of personal data processing by the Foundation;
- purposes and methods of Personal Data Processing used by the Foundation;
- name and location of the Foundation, information about persons who have access to personal data or to whom personal data may be disclosed on the basis of a contract with the Foundation or on the basis of the law;
- processed personal data pertaining to the relevant personal data subject, its source;
- terms of processing of personal data, including the terms of its storage;
- procedure for exercising the rights provided by this Policy and the legislation of the Russian Federation by the Subject of personal data;
- information about the cross-border transfer of data that has taken place or is proposed to take place;
- first name, patronymic, surname and address of the person processing personal data on behalf of the Foundation, if the Processing is or will be entrusted to such person;
- other information as required by the laws of the Russian Federation.
10. Rights of the Foundation as a personal data processor
10.1. The Foundation, as a personal data operator, has the right to:
- defend its interests in court;
- provide subjects' personal data to third parties, if this is provided for by the current legislation of the Russian Federation;
- refuse to provide personal data in cases stipulated by the legislation of the Russian Federation;
- use personal data of the Subject without his/her consent in cases provided by the legislation of the Russian Federation.
10.2. The Foundation shall not receive and process the Subject's personal data on his or her race, nationality, political views, religious and philosophical beliefs, state of health, intimate life, except in cases provided for by the laws of the Russian Federation.
10.3. The Foundation shall not be entitled to receive and process the Employee's personal data on his/her membership in public associations or his/her trade union activities, except in cases provided for by the legislation of the Russian Federation.
11. Measures to ensure the security of personal data during the processing of personal data
11.1. When processing personal data, the Foundation shall take necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, distribution of personal data, as well as from other unlawful actions in relation to personal data.
11.2. Measures necessary and sufficient to ensure the Foundation's fulfilment of the Operator's obligations under Russian law in the field of personal data shall include:
- appointment of a person responsible for the organization of Personal Data Processing at the Foundation;
- adoption of local regulations and other documents in the field of processing and protection of personal data and control over compliance therewith;
- obtaining of necessary consents of Personal Data Subjects for Processing of their personal data;
- familiarization of the Foundation's Employees with applicable regulations in the field of personal data protection and local acts;
- conducting systematic checks of the relevant knowledge of the Employees, who process personal data, and their compliance with the requirements of regulatory documents;
- limitation of the number of Employees, to whom access to personal data shall be granted;
- delimitation of Employees' access rights to personal data;
- management of Employees' access to personal data;
- rational placement of workplaces to exclude unauthorized use of protected information;
- detection and elimination of violations of requirements to protection of personal data;
- preventive work with Employees on prevention of disclosure of personal data;
- separation of personal data, processed without use of automation means, from other information, in particular by fixing them on separate tangible media of personal data, in special sections;
- storage of material media of personal data in compliance with conditions ensuring safety of personal data and excluding unauthorized access to such data;
- taking technical measures for protection of personal data during its processing in information systems, including: identification and authentication of subjects of access and access objects; protection of computer media of personal data; ensuring integrity of information system; ensuring accessibility of personal data; ensuring software protection of information system; antivirus protection; intrusion detection (prevention);
- maintaining internal control over compliance of Personal Data Processing with Federal Law of 27.07.2006 N 152-FZ "On Personal Data" and Statutory Acts adopted in accordance therewith, requirements to protection of personal data, this Policy, local statutory acts of the Foundation;
- other measures provided by the legislation of the Russian Federation in the field of protection of personal data.
12. Consideration of appeals and requests of subjects of personal data or their representatives
12.1. Personal data subjects within the framework of implementation of their right to Information about their Personal data processed at the Foundation shall have the right to request information, provision of which by the Foundation is required by the legislation of the Russian Federation.
12.2. The above information shall be made available to the Personal Data Subject in an accessible form and shall not include Personal Data relating to other Personal Data Subjects, unless there is a legitimate reason for the disclosure of such Personal Data.
12.3. This information shall be provided to the Personal Data Subject or his/her legal representative by the Processor responsible for arranging the Processing on the basis of an Application or request from the Personal Data Subject (his/her representative) that complies with the requirements set out in the laws of the Russian Federation.
12.4. Appeals and requests may be submitted by the Personal Data Subjects or their legal representatives to the Foundation personally or sent by post to the address: 10 Piskunova Street, Nizhny Novgorod, 603005, Russia, or sent by e-mail to info@nakedheart.ru, indicating the desired method of receipt of a response from the Foundation: personally at the location of the Foundation, by post or by e-mail to the address of the Personal Data Subject or his/her legal representative, indicated in the Appeal or request.
12.5. The response to an Application or request shall be provided by the Foundation upon receipt of the relevant Application or request or within 30 days of its receipt.
12.6. If the specified information, as well as processed Personal Data, was made available to the Personal Data Subject for familiarization at his/her request, the Personal Data Subject shall have the right to apply again to the Foundation or send a repeated request to obtain such information and familiarization with such Personal Data not earlier than 30 days after the initial Application or initial request, unless a shorter period is established by federal law or a regulatory legal act adopted in accordance with it.
12.7. The Personal Data Subject shall have the right to re-apply to the Foundation or submit a repeated request to obtain the specified information and to become acquainted with the processed Personal Data before the expiry of the 30-day period, if such information and/or processed Personal Data have not been made available to him/her in full upon review of the initial request. The repeated request shall contain a justification for sending the repeated request.
12.8. The Foundation shall have the right to refuse a repeated request from the Personal Data Subject that does not comply with the conditions set out above. Such refusal must be reasoned.
13. Final provisions
13.1. This Policy shall be amended as necessary, including in the event of new laws and regulations on the Processing and Protection of Personal Data.
13.2. This Policy shall be an internal document of the Foundation, and shall be posted on the Foundation's official website. In the event of changes, communication of such changes to the general public shall be made by posting the Policy on the Foundation's official website, taking into account such changes.
13.3. Compliance with the requirements of this Policy shall be monitored by the person responsible for the organisation of personal data processing at the Foundation.