1. General Provisions
This Policy has been developed to protect the rights and freedoms of the subject of personal data (PD) when that PD is processed. PD shall be confidential information.
Providing a necessary and sufficient level of security for PD and other confidential information shall be an essential condition of the Operator’s activity.
2. Personal Data Processing Principles
2.1. The Operator shall process the PD on a lawful and fair basis to perform the functions, powers and obligations conferred by the law, and to exercise the rights and legal interests of the Operator, the Operator’s employees and third parties.
2.2. When processing the PD, the Operator shall comply with the following principles:
- legitimacy of the objectives and methods of PD processing;
- good faith;
- compliance of the objectives of the PD processing with the objectives determined in advance and declared when the personal data is collected, as well as with the powers of the Operator;
- PD processing that is not compatible with the PD collection objectives shall not be allowed;
- combining databases containing PD that is processed for mutually incompatible purposes shall not be allowed;
- the content and volume of the processed PD correspond to the stated processing objectives;
- the redundancy of the processed PD in relation to the stated purposes of their processing shall not be allowed;
- PD processing shall ensure the accuracy of PD, their sufficiency, and, if necessary, the relevance to the objectives of the PD processing;
- the necessary measures shall be taken to remove or clarify incomplete or inaccurate data;
- PD shall be stored in a form that allows the PD subject to be identified for no longer than the PD processing purposes require, unless the PD storage period is established by a federal law or by a contract to which the PD subject is a party, beneficiary or guarantor. The processed PD shall be destroyed or depersonalized once the processing objectives are achieved or when achieving these objectives is no longer necessary, unless otherwise provided for by the federal law.
3. PD Processing Objectives
The Operator shall process the PD for the following purposes:
1) implementation and performance of the functions, powers and obligations, imposed by the legislation of the Russian Federation on the Operator, in particular:
- compliance with the requirements of the legislation in the field of labor and taxation;
- maintenance of the current accounting and tax accounting, formation, production and timely submission of accounting, tax and statistical reporting;
- compliance with the requirements of the legislation to determine the procedure for processing and protecting the PD of the citizens who are customers or contractors of the Global Energy Association (hereinafter - the personal data subjects).
2) implementation of the rights and legitimate interests of the Global Energy Association within the framework of carrying out the activities specified in the Articles of Association and other local regulatory acts of the Global Energy Association or third parties or achieving socially significant goals;
3) for other legitimate purposes.
5. List of the Actions with PD
When processing the PD, the Operator shall perform the following actions with the PD: collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieving, using, transferring (distributing, granting, accessing), depersonalizing, blocking, deleting, and destroying PD.
6. Processed Personal Data Composition
6.1. The Operator shall process the PD of the following PD subjects:
- Operator’s employees;
- Operator’s clients;
- Operator’s counterparties;
- Operator’s partners;
- Members of the International Committee;
- Members of the Board of Trustees;
- Operator’s founders/members;
- Individuals, who apply to the Operator.
6.2. The basis for processing the PD of a PD subject is the subject’s consent to automated, as well as non-automated, PD processing and use.
6.3. The PD subject shall decide to provide his/her/its PD and shall consent to its processing freely, of his/her/its own will and in his/her/its own interest.
6.4. The content and volume of the PD to be processed shall comply with the stated processing objectives. The PD to be processed shall not be redundant with respect to the stated processing objectives.
7. Personal Data Processing
7.1. PD of PD subjects shall be processed by the Operator in a mixed order both ‘with’ and ‘without’ the use of automation facilities, including in information and telecommunication networks, and/or without using such means, with PD fixed on a tangible medium.
7.2. Employees’ PD shall be processed by the Operator in a mixed order, both ‘with’ and ‘without’ the use of automation facilities, including in information and telecommunications networks, and/or without using such means, with the PD fixed on a tangible medium.
8. Ensuring the Personal Data Protection when processed by the Operator
8.1. The Operator shall take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by Federal Law No. 152 dated 27.07.2006 ‘On Personal Data’ and regulatory legal acts adopted in accordance therewith. The Operator shall independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the Federal Law No. 152 dated 27.07.2006 ‘On Personal Data’, Government Decree No. 687 dated 15.09.2008 ‘On Approval of the Regulation on the Specifics of Processing Personal Data Performed without the Use of Automation Tools’, Order FSTEC (Federal Service for Technical and Export Control) dated 18.02.2013 No.21 ‘On Approval of the Composition and Content of the Organizational and Technology Measures to Ensure the Safety of the Personal Data when processing them in information systems of personal data’ and other regulatory legal acts, unless otherwise provided for by the federal laws. Such measures may include, in particular:
- appointment by the Operator of a person responsible for organizing the PD processing;
- the Operator’s issuance of the documents defining the Operator’s policy regarding the PD processing, local acts on the PD processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
- application of legal, organizational and technical measures to ensure the PD safety;
- exercising internal control and (or) audit of the compliance of PD processing with the Federal Law ‘On Personal Data’ and the regulatory legal acts adopted in accordance therewith, the requirements for PD protection, the Operator’s policy regarding PD processing, and the Operator’s local acts;
- an assessment of the harm that may be caused to the PD subjects in case of a violation of the Federal Law ‘On Personal Data’, and of the ratio between that harm and the measures taken by the Operator to ensure the fulfillment of the obligations stipulated by the Federal Law ‘On Personal Data’;
- familiarizing the Operator’s employees who directly process the PD with the provisions of the legislation of the Russian Federation on PD, including requirements for the PD protection, with the documents specifying the Operator’s policy regarding PD processing and with local acts on PD processing, and (or) training of those employees.
8.2. When processing the PD, the Operator shall take the necessary legal, organizational and technical measures or shall ensure their adoption to protect the PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of PD, as well as from other illegal actions against PD.
8.3. For the purpose of ensuring the fulfillment of the obligations stipulated by the Federal Law No. 152-FZ dated July 27, 2006 ‘On Personal Data’ and regulatory legal acts adopted in accordance therewith, the Operator has taken the following measures:
- the legal, organizational and technical measures established by the legislation of the Russian Federation in the field of PD on ensuring the safety of the processed PD have been taken;
- the person responsible for organizing PD processing has been appointed;
- according to the Order of the President of the Global Energy Association, the following documents have been approved:
  - The present Policy of the Global Energy Association on development of international research and projects in the field of energy (The Global Energy Association) regarding the personal data processing;
  - Regulations on the processing and protection of personal data of visitors to the site and official pages on the Facebook social network of the Global Energy Association on development of international research and projects in the field of energy (The Global Energy Association);
  - User’s Agreement;
  - List of Operator’s employees admitted to the PD processing;
- the requirements for the PD processing performed without the use of automation tools have been complied with;
- for the purpose of the internal control over the compliance of the PD processing with mandatory requirements, the Operator shall organize the periodic inspections of PD processing conditions by the Operator’s employees admitted to the PD processing;
- the Operator’s employees who are directly engaged in the PD processing know the provisions of the legislation of the Russian Federation on PD (including requirements for the PD protection), and local acts on PD processing.
8.4. The Operator has developed a private model of PD security threats, on the basis of which a PD security system was built. The following basic principles were used in constructing the PD security system: legality; systematic, integrated approach; continuity of protection; timeliness; continuity and improvement; reasonable sufficiency (economic feasibility); minimization of authority; personal responsibility; flexibility of the protection system; use of only certified means of information protection; validity and feasibility; specialization and professionalism of the staff; mandatory control.
8.5. Objects of protection shall be as follows:
- PD, processed and stored on servers, on automated workstations of users (hereinafter - AWP), on alienated (removable) data carriers, on remote terminals, monitors, in sound recording, sound reproduction;
- PD, transmitted through channels and communication lines;
- PD, stored in a documented form in hard copy;
- application and system software of servers, workstations used for PD processing;
- hardware of software and hardware systems, server equipment, AWP, communication equipment;
- information protection means of the PD information systems;
- removable (alienable) computer storage media - drives on flexible and hard magnetic disks, flash drives, optical disks (CD-R, CD-RW, DVD-R, DVD-RW), audio, video tapes, magnetic tapes, etc.
8.6. Access of visitors to the office premises of the Operator, where the PD is processed, shall be allowed only upon agreement with the President of the Global Energy Association.
8.7. The components of the Operator’s PD information systems are located in premises that exclude the possibility of uncontrolled entry by unauthorized persons and ensure the physical safety of the protected resources in the room (documents, workstations, etc.). At the end of the working day, the office space shall be locked.
9. Right of the Subject of the Personal Data to Access his/her/its Personal Data
9.1. The PD subject shall be entitled to require the Operator to clarify, block or destroy the PD if the PD is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also to take legal measures to protect his/her/its rights.
9.2. The information shall be provided to the PD subject or its representative by the Operator upon application or upon receipt of a request from the PD subject or its representative. The request shall contain the number of the main document certifying the identity of the PD subject or his/her/its representative, information on the date of issuance of the specified document and the issuing body, information confirming the participation of the PD subject in relations with the Operator (agreement number, contract date, conditional verbal designation and (or) other information) or information otherwise confirming the fact of the PD processing by the Operator, and the signature of the PD subject or its representative. The request can be sent in the form of an electronic document signed with an electronic signature in accordance with the legislation of the Russian Federation.
9.3. The Operator shall be entitled to refuse to fulfil a repeated request from the PD subject. Such a refusal shall be reasoned. The obligation to provide evidence that the refusal to fulfil a repeated request is justified shall rest with the Operator.
9.4. The PD subject shall be entitled to receive information regarding the PD processing, including:
- confirmation of the fact of PD processing by the Operator;
- legal grounds and objectives for the PD processing;
- objectives and methods of the PD processing used by the Operator;
- name and location of the Operator, information about the persons (except for the Operator’s employees) who have access to the PD or to whom the PD may be disclosed on the basis of a contract with the Operator or on the basis of the federal law;
- the processed PD relating to the relevant PD subject and the source from which it was obtained, unless another procedure for submitting such data is provided for by the federal law;
- PD processing periods, including the periods of its storage;
- the procedure for the subject of PD to exercise the rights provided for by the Federal Law ‘On Personal Data’;
- information on the carried out or expected trans-boundary data transfer;
- the name, or the surname, first name and patronymic, and the address of the person carrying out the processing of the PD on behalf of the Operator, if the processing is entrusted or shall be entrusted to such a person/entity.
9.5. If the PD subject believes that the Operator is processing his/her/its PD in violation of the requirements of the Federal Law ‘On Personal Data’ or otherwise violates his/her/its rights and freedoms, the PD subject is entitled to appeal against the actions or omissions of the Operator to the authorized body for the protection of the rights of PD subjects or in court.
9.6. The PD subject shall be entitled to protect its rights and legitimate interests, including by seeking compensation for damages and (or) compensation for moral harm, through the courts.
10. Person responsible for the Personal Data Processing
The President and/or other person appointed by the Order shall be responsible for the PD processing in the Global Energy Association.