The regulations for personal data processing

 

I. General provisions

1.1. The present Regulations establish the procedure for processing the users' personal data at the website of St. Petersburg International Film Festival “Worldwide” (Mirovoy), OOO Soprichastnost Film Company (hereinafter referred to as the Company, or the Operator), and ensure compliance with the requirements of protecting citizens' rights when processing personal data.

1.2. The present Regulations are approved by order of the General Director of the Company and shall be considered valid until they are canceled or replaced by another similar internal act. The Regulations are binding upon all employees of the Company who are authorized to have access to the users' personal data.

II. General definitions used in the present regulations

2.1. For the purposes of these Regulations, the following general definitions are used:

A website means a set of software and hardware for computers, intended to make the data available to everyone on the Internet. The website is accessible by its unique email address or its letter designation and may contain graphics, texts, audio, video, and other forms of information that can be reproduced through a computer.

An operator means a legal entity or natural person that arranges and (or) performs personal data processing, and also determines the purposes and content of personal data processing;

Personal data means any information relating to a particular person (referred to as the personal data subject) that can be identified on the basis of such information, including his/her full name, year, month, date and place of birth, address, marital, social and property status, education, profession, income, other information;

Personal data subject in the context of these provisions means an individual who is a visitor and a user of the website.

Personal data processing means any actions (operations) with personal data, including collecting, classifying, accumulating, storing, updating, changing, using, distributing (including transferring), anonymizing, blocking or destroying personal data;

Confidentiality of personal data means a binding requirement for the operator or other person who has gained access to personal data, not to allow their disclosure without the consent of the personal data subject or on other legal basis;

Distribution of personal data means any actions aimed at transferring personal data to a certain group of persons or making personal data available to an unlimited number of persons, including disclosing personal data in the media, posting on information and telecommunication networks or providing access to personal data in any other way;

Using personal data means any actions (operations) with personal data performed by the operator in order to make decisions or to take any other actions that lead to legal consequences in relation to the personal data subject or other persons, or otherwise affecting the rights and freedoms of the personal data subject or other persons;

Destroying personal data means actions, as a result of which it would be impossible to restore the content of personal data in the personal data information system or as a result of which material carriers of the employees' personal data would be destroyed;

Anonymizing personal data means actions, as a result of which it would be impossible to identify the personal data as relating to a particular personal data subject;

Blocking personal data means temporary suspension of collecting, classifying, accumulating, using, or distributing personal data, including their transferring;

Publicly available personal data means personal data, made accessible to an unlimited number of persons with the consent of personal data subject, or to which, in accordance with federal laws, the confidentiality requirement does not apply.

III. The content of the user’s personal data

3.1. The personal data include:

  • the following data provided by the User when signing in:
    • the User's full name;
    • date and place of birth;
    • contact details, including phone numbers, e-mail, and/or website;
    • place of study or work.
  • automatically collected data:
    • IP address, cookie data;
    • the User’s browser type as well as technical specifications of the equipment and software used by the User;
    • date and time of access to the website, addresses of requested pages and other similar information.

3.2. The personal data specified in clause 3.1 of these Regulations shall be processed in order to identify the Users, to ensure the execution of the user agreement, to provide the User with personalized services and content, to improve the website quality and provide services, to target advertising materials, and to conduct statistical and other studies based on anonymized personal data.

3.3. The Users' personal data shall be processed with their consent. When signing in at the website in order to gain access to the Company's services, the User thereby, in accordance with Article 9 of the Federal Law # 152 FZ of July 27, 2006 "On Personal Data", expresses his/her full consent to the automated, or non-automated processing and use of his/her personal data.

IV. Confidentiality of personal data

4.1. The information listed in Article 3 of these Regulations is confidential. The Company must ensure the confidentiality of personal data and is obliged to prevent their disclosure without the customers’ consent or any other legal basis.

4.2. When collecting, processing and storing personal data of the customers, all confidentiality measures shall apply to both paper and electronic (automated) storage media.

4.3. The confidentiality mode of personal data shall be considered lifted as long as they are anonymized or released in publicly available sources (mass media, the Internet, the Unified State Register of Legal Entities or other public state registers).

V. Rights and obligations of the personal data operator

5.1. The Users' personal data shall be processed by the Company with the consent of the personal data subjects, except in the cases listed in paragraph 5.2 of the present section. In accordance with the law, the obligation to provide evidence of consent to processing personal data on the grounds of this clause lies with the operator.

5.2. The Company has the right to process its personal data without the consent of the personal data subject in the following cases:

  • the personal data are processed on the basis of a federal law that specifies the purpose, the conditions for obtaining personal data and the circle of subjects whose personal data are subject to processing, and also determines the powers of the operator;
  • the personal data are processed in order to fulfill the contract, where one of the parties is the personal data subject;
  • the personal data are processed for statistical or other scientific purposes, with mandatory anonymization of the personal data;
  • the personal data have to be processed in order to protect the life, health or other vital interests of the personal data subject, if obtaining the consent of the subject is impossible;
  • the personal data have to be processed if, in accordance with federal law, they should be published, including the personal data of persons who hold public posts, positions in the state civil service, or personal data of candidates for elected state or municipal posts.

5.3. In order to ensure human rights and freedoms of citizens, the Company and its employees are obliged to comply with the following general requirements when processing the User’s personal data:

5.3.1. When determining the volume and content of the User’s personal data to be processed, the Company employees shall meet the requirements of the Federal Law “On Personal Data”, the legislation regulating the media operation, and the user agreement. The Company receives the User’s personal data only to the extent necessary to achieve the legitimate goals of collecting and processing personal data.

5.3.2. The Company employees should not process any non-public personal data of the User concerning his/her criminal record, political, religious and other beliefs and private life.

5.4. The Company shall ensure the protection of the User’s personal data from illegal use or loss at their own expense in the manner prescribed by federal law.

5.5. Should the Company, on the basis of the contract, entrust the processing of personal data to another party, an essential condition of the contract shall be the provision that such a party is obliged to ensure confidentiality and security of the personal data in their processing.

VI. Rights of the personal data subject

6.1. The personal data subject has the right to receive information about the Operator, his/her location, the availability of personal data by the Operator related to the relevant personal data subject, and also to familiarize him/herself with such personal data. The personal data subject has the right to demand that the Operator should update his/her personal data, block or destroy them if the data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated processing purpose, as well as the right to take measures prescribed by law to protect his/her rights.

6.2. Information on the availability of personal data should be provided to the personal data subject by the Operator in an accessible form, and it should not contain personal data related to other personal data subjects.

6.3. The personal data shall be provided to the personal data subject or to his legal representative upon request or upon receiving a request from the personal data subject or his/her legal representative. Such request must contain the number of the main ID document of the personal data subject or his/her legal representative, as well as the information about the date of issue of the above-mentioned ID and the authority that issued it, and also the signature of the personal data subject or his/her legal representative. The request may be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation.

6.4. The personal data subject has the right to receive, upon receiving a request, the information concerning processing of his/her personal data, including, in particular, the following:

  1. confirmation of the fact of processing the personal data by the Operator, and the purpose of such processing;
  2. the methods of personal data processing used by the Operator;
  3. the information on persons who have access to personal data or who may be granted such access;
  4. a list of the processed personal data and their source;
  5. the personal data processing time, including the storage period;
  6. information on what legal consequences the processing of his/her personal data may have for the personal data subject.

6.5. The personal data subject has the right to withdraw his/her consent to the personal data processing, to limit the methods and forms of the processing, and to prohibit the distribution of the personal data without his/her consent.

6.6. The personal data subject has the right to appeal the actions or inaction of the Operator to the authorized body protecting the rights of personal data subjects or in court.

6.7. The personal data subject has the right to protect his/her rights and legitimate interests, including compensation for losses and non-pecuniary damage in court.

VII. Personal data processing

7.1. The personal data shall be processed by the Operator solely to achieve the goals set by these Regulations and the user agreement.

7.2. The personal data shall be processed by the Operator through obtaining, classifying, accumulating, storing, updating (e.g. changing, amending), using, distributing, anonymizing, blocking, destroying and protecting against unauthorized access.

7.3. The personal data shall be processed by the method of mixed (including automated) processing.

7.4. Only employees of the Company, whose responsibilities are directly related to access and working with the User’s personal data, can have access to processing the User’s personal data.

7.5. In the case of the relevant appeal of the personal data subject, the Operator is obliged to make the necessary changes, destroy or block the relevant personal data as long as the personal data subject or his/her legal representative provides the confirmation that the personal data which relate to the relevant subject and which are processed by the Operator, are incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated processing purpose. If this is the case, the Operator is obliged to notify the personal data subject or his/her legal representative and any third parties to whom the personal data of this subject were transferred, about the changes made and the measures taken.

7.6. The Operator must destroy the User’s personal data after 6 months from the date of processing them.

VIII. Personal data transferring

8.1. The personal data shall be transferred by the Operator only if it is necessary to execute the User Agreement or to provide certain Services to the User with his/her consent.

8.2. The personal data shall be transferred by the Operator to third parties only on the basis of the relevant agreement, and an essential condition of the contract shall be the provision that such a party is obliged to ensure confidentiality and security of the personal data in their processing. This provision does not apply as long as the personal data are anonymized or in relation to publicly available personal data.

8.3. The personal data shall be transferred to state bodies within their authority, in accordance with applicable law.

IX. Personal data storage

9.1. Personal data may be stored in electronic form in the Russian Federation.

X. Access to the customers' personal data

10.1. The right to access the Customers' personal data is granted to the General Director of the Company, and employees of the Company.

10.2. The personal data subject may have access to his/her personal data upon personal appeal or upon receiving a written request. The Operator is obliged to inform the personal data subject about the availability of personal data about him/her, as well as provide an opportunity to familiarize him/herself with them within ten business days from the time of appeal.

XI. Protection of the users' personal data

11.1. Any information containing the User’s personal data stored on electronic media shall be protected.

11.2. When processing the Users' personal data, the Operator is obliged to take the necessary organizational and technical measures to protect the personal data from illegal or accidental access, as well as destruction, changing, blocking, copying, distribution of personal data, or from other illegal actions.

11.3. Overall protection of the Users' personal data shall be arranged by an employee of the Company.

11.4. The protection of the Users' personal data stored in the electronic databases of the Company from unauthorized access, distortion and destruction of the information, or from other illegal actions, shall be provided by the Company employees.

11.5. The Company employee who has access to the User's personal data due to his/her responsibilities:

  • must provide storage of any information containing the Users' personal data, excluding access to them by third parties;
  • in the absence of the employee, no documents containing the Users' personal data should be left at his/her workplace;
  • when going on holiday or a business trip, or in other cases of long absence of the employee, he/she must transfer the media containing the Users' personal data to a person who will be appointed responsible for performing his/her duties by a local act of the Company (an order or an instruction). If such a person is not appointed, the above-mentioned documents and other media shall be transferred to another employee who has access to the Users' personal data.

11.6. In case of resignation of the employee who has access to the Users' personal data, the media containing the personal data shall be transferred to another employee who has access to the Users' personal data.

11.7. Other Company employees who do not have properly formalized access rights are not allowed to access the Users' personal data.

11.8. Access to electronic databases containing the Users' personal data is protected by means of:

  • using anti-virus programs and other software and hardware means of protecting the perimeter of the internal network that block unauthorized access to the Operator's local network;
  • differentiation of access rights through an account.

11.10. All electronic applications containing the personal data, including personal data information systems, folders and files containing personal data, shall be protected by a password.

11.11. The Users' personal data can be copied for official use only with the written permission of the head of the Company.

11.12. Replies to written requests of authorized state bodies, other organizations and institutions concerning the Users' personal data can be given only with the written consent of the personal data subjects, unless otherwise provided by law. The replies shall be made in writing, on the letterhead of the Company, and to the extent that prevents disclosing excessive personal data.

XII. Responsibility for disclosing information containing personal data of a private customer or representatives of a corporate client

12.1. The Company employees guilty of violating the rules that regulate receiving, processing and protecting personal data bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.