Personal Data Processing Policy

GENERAL PROVISIONS

1.1. This Policy regarding the processing of personal data (hereinafter – the Policy) is developed based on the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Labor Code of the Russian Federation, and in accordance with Article 18.1 of the Federal Law of the Russian Federation No. 152-FZ dated July 27, 2006 "On Personal Data", Decree of the Government of the Russian Federation No. 687 dated September 15, 2008 "On Approval of the Regulation on the Features of Processing Personal Data Carried Out Without Using Automation Means", Decree of the Government of the Russian Federation No. 781 dated November 17, 2007 "On Approval of the Regulation on Ensuring the Security of Personal Data during Their Processing in Personal Data Information Systems", Decree of the Government of the Russian Federation No. 211 dated March 21, 2012 "On Approval of the List of Measures Aimed at Ensuring the Fulfillment of Obligations Provided for by the Federal Law 'On Personal Data' and the Adopted Regulatory Legal Acts in Accordance with It, by Operators that are State or Municipal Bodies", and the regulatory legal acts adopted in accordance with them by the operators.

The Policy is the fundamental internal regulatory document defining the key areas of activity in the field of processing and protection of personal data, the operator of which is the individual entrepreneur Snezana Valentinovna Onishchenko (Taxpayer Identification Number (INN) 222207125142, Primary State Registration Number of Individual Entrepreneur (OGRNIP) 309222333600020) (hereinafter – the Operator).

1.2. The purpose of this Policy is to ensure the rights of citizens during the processing of their personal data and to take measures against unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as against other unlawful actions regarding the personal data of subjects.

1.3. Personal data may be processed only for purposes directly related to the Operator's activities, in particular for concluding contracts, fulfilling contractual obligations for the provision of services, accepting applications for the provision of services, conducting settlements with customers and service providers, issuing documents on training and level of foreign language proficiency, issuing documents on exam participation results, ensuring compliance with laws and other regulatory legal acts.

1.4. The Operator collects data only to the extent necessary to achieve the aforementioned purposes.

1.5. The transfer of personal data to third parties without written consent is not permitted. The confidentiality regime for personal data is lifted in cases of anonymization or inclusion of personal data in publicly available sources of personal data, unless otherwise stipulated by law.

1.6. Personal data cannot be used for the purpose of causing property and moral harm to citizens, hindering the realization of rights and freedoms of citizens of the Russian Federation. Restricting the rights of citizens of the Russian Federation based on the use of information about their social origin, racial, ethnic, linguistic, religious, and party affiliation is prohibited and punishable under the law.

1.7. The Operator has the right to make changes to this Policy. When changes are made, the date of the last update of the version is indicated in the title of the Policy.

1.8. The current version of the Policy is stored at the address: 656031, Barnaul, Stroitely Ave., 117, office 215.

TERMS AND ACCEPTED ABBREVIATIONS

  • Personal Data (PD) – any information relating to a personal data subject.
  • Processing of Personal Data – any action (operation) or set of actions (operations) performed with or without the use of automation tools with PD, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of PD.
  • Cross-border Transfer of Personal Data – transfer of PD to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity.
  • Personal Data Subject – an individual whose personal data is processed by the Operator.
  • Operator – a legal entity or an individual organizing and/or carrying out the processing of PD, as well as determining the purposes and content of PD processing.

LIST OF SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY THE OPERATOR, AND CATEGORIES OF PERSONAL DATA

3.1. The Operator processes the PD of the following categories of subjects: 1) service providers and employees; 2) students, consumers, and service customers; 3) users of the Operator's website, whose personal data became known when filling out feedback forms on the website.

3.2. The personal data of service providers and employees processed by the Operator include: surname, first name, patronymic; date and place of birth; address; citizenship; gender; data of identity document; number of the compulsory pension insurance certificate; Taxpayer Identification Number (INN); data of education and professional development documents; position; information about work activity; bank account details for transferring funds for services rendered; contact phone number, email address; military registration information; information about criminal convictions; facial photograph.

3.3. The Operator processes the following categories of PD of students, consumers, and service customers: surname, first name, patronymic; year of birth, month of birth, date of birth, place of birth; citizenship; address; education; profession; data of identity document; Taxpayer Identification Number (INN); contact phone number; email address; data of documents confirming participation in language courses and level of foreign language proficiency; facial photograph; information about the document received based on exam results; other information necessary for the Operator for the purpose of providing services.

TERMS AND BASIC PRINCIPLES OF PROCESSING, TRANSFER, AND STORAGE OF PERSONAL DATA

4.1. The Operator processes the subject's PD using automation means (automated processing) and without using such means (non-automated processing).

4.2. The processing of PD must be based on the following principles: legality of the purposes and methods of PD processing and good faith; compliance of the purposes of PD processing with the purposes previously determined and declared during PD collection, as well as with the Operator's authority; compliance of the volume and nature of processed PD, methods of PD processing with the purposes of PD processing; reliability of PD, their sufficiency for the purposes of processing, inadmissibility of processing PD excessive in relation to the purposes declared during PD collection; inadmissibility of combining databases of PD information systems created for incompatible purposes; destruction of PD after achieving the processing purposes or in case of losing the necessity to achieve them; personal responsibility of the Operator's employees for the safety and confidentiality of PD, as well as the media containing this information.

4.3. The Operator must inform the subject about the purposes of PD processing, categories of processed PD, list of actions with PD, the term for which the consent is valid, and the procedure for its withdrawal.

4.4. Documents containing PD are created by: copying original documents (passport, education document, INN certificate, etc.); entering information into registration forms; obtaining originals of necessary documents.

4.5. Processing of PD is carried out: with the consent of the PD subject to the processing of their PD; in cases where the processing of PD is necessary for the implementation and performance of functions, powers, and duties imposed by the legislation of the Russian Federation; in cases where the processing of PD permitted by the PD subject for dissemination is carried out, with separately formalized consent from the PD subject.

4.6. Processing of PD with the consent of the PD subject to the processing of their PD is carried out using the "Alpha-CRM" computer software.

INFORMATION ABOUT THIRD PARTIES PARTICIPATING IN THE PROCESSING OF PERSONAL DATA

5.1. For the purposes of compliance with the legislation of the Russian Federation, to achieve the purposes of processing, and in the interests and with the consent of the PD subjects, the Operator, in the course of its activities, provides PD to third parties specified in paragraphs 5.2, 5.3, and 5.4.

5.2. The Operator provides PD of service providers and employees to the following organizations:

  • The Federal Tax Service of the Russian Federation;
  • The Social Fund of Russia;
  • Banks for salary payments and for payment of services under service contracts;
  • Law enforcement agencies (in cases established by law).

5.3. The Operator provides PD of students, consumers, and service customers to law enforcement agencies (in cases established by law).

5.4. The Operator provides to the Goethe Cultural Center at the German Embassy in Moscow (INN 9909056286, KPP 773860002), the Central Administration of the Goethe-Institut in Munich (Germany), and service providers for conducting Goethe-Institut exams the following PD of consumers and customers of Goethe-Institut exam services: surname, first name, patronymic; date and place of birth; purpose of exam participation (if indicated); information about exam results; information about the document (certificate) received based on exam results.

RIGHTS OF THE PERSONAL DATA SUBJECT

6.1. The PD subject has the right to:

  1. obtain information concerning the processing of their PD, including confirmation of the fact of PD processing by the Operator, the legal grounds and purposes of PD processing, the methods of PD processing applied by the Operator, the name and location of the Operator, information about third parties participating in the processing of PD, the terms of processing and storage of PD, information about cross-border data transfer;
  2. access information about the processed PD relating to the relevant PD subject;
  3. appeal against actions or inaction of the Operator;
  4. withdraw consent to the processing of PD. The user can withdraw their consent to the processing of personal data in the manner prescribed by the Law on Personal Data No. 152-FZ, by submitting a written application to the Operator at the address: 656031, Barnaul, Stroitely Ave., 117, office 215.

6.2. Information concerning the processing of the subject's PD is provided to them or their representative by the Operator within ten working days from the date of the appeal or the Operator's receipt of the request from the PD subject or their representative. This period may be extended, but not more than five working days, if the Operator sends a reasoned notification to the PD subject's address indicating the reasons for extending the period for providing the requested information. The request must contain the number of the primary identity document of the PD subject or their representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the PD subject in relations with the operator (contract number, contract date, conditional verbal designation and/or other information), or information otherwise confirming the fact of PD processing by the Operator, the signature of the PD subject or their representative.

OBLIGATIONS OF THE OPERATOR

7.1. The Operator is obliged to provide the PD subject, upon their request, with information concerning the processing of the subject's PD.

7.2. When collecting PD, including via the information and telecommunications network "Internet", the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), retrieval of PD of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

7.3. The Operator is obliged to apply legal, organizational, and technical measures to ensure the security of PD from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of PD, as well as from other unlawful actions regarding PD.

7.4. The Operator is obliged to carry out internal control over the compliance of PD processing with Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" and this document adopted in accordance with it, defining its policy regarding PD processing.

7.5. The Operator is obliged to ensure unrestricted access to this document defining its policy regarding PD processing.

MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA

Measures to ensure the security of PD during their processing include:

  • Development of a written form of consent for PD processing;
  • Obtaining written consent from PD subjects for the processing of their PD;
  • Issuance of the Operator's local acts on PD processing issues;
  • Appointment of a person responsible for organizing PD processing;
  • Determination of possible threats to PD security during their processing and taking measures to protect PD from possible security threats;
  • Storage of material PD carriers under conditions ensuring the safety of PD and excluding unauthorized access to them;
  • Establishment of individual access passwords for the Operator to the PD information system;
  • Use of anti-virus software with regularly updated databases to detect, prevent, and eliminate the consequences of computer attacks;
  • Internal control over the conditions of PD processing.

 

"Polyglot" Language School
Barnaul