Personal data processing policy in the Non-profit organization Foundation for Development of the Center for Elaboration and Commercialization of New Technologies
Article 1. General provisions
The personal data processing policy of the Non-profit Organization Foundation for Development of the Center for Elaboration and Commercialization of New Technologies (hereinafter referred to as the Policy, the Foundation) was developed in accordance with the Federal Law No. 152-FZ On Personal Data dated July 27, 2006 (hereinafter referred to as FZ-152).
This Policy defines the procedure of personal data processing and measures to ensure the security of personal data in the Foundation in order to protect the rights and freedoms of individuals and citizens during the processing of their personal data, including the protection of the rights to privacy, personal and family secrecy.
The Policy is the basis for the development of local regulations governing personal data processing in the Foundation.
The Policy applies to all structural units of the Foundation.
This Policy does not apply to information received by the Foundation in the course of interaction with legal entities, in particular, to information received from legal entities in any form about addresses of a legal entity, contact telephone numbers, e-mail addresses, surnames, names and patronymics of sole executive bodies and (or) other persons acting on behalf of legal entities without a power of attorney, as well as any information that is publicly available in accordance with the laws of the Russian Federation.
The following basic concepts are used in the Policy:
Automated personal data (PD) processing: processing of personal data with the help of computer devices;
Biometric personal data: physiological data (fingerprint data, iris and other data), as well as other physiological or biological characteristics of a person, including the image of a person (photo and video), which make it possible to establish the person's identity and are used by the operator to identify the person;
PD blocking: temporary termination of PD processing (except for cases when processing is necessary for PD clarification);
LE: legal entities whose sole participant (founder) is the Foundation;
Personal data information system (PDIS): a set of personal data contained in PD databases and ensuring their processing by information technologies and technical means;
Personal Data anonymization: actions as a result of which it is impossible to determine the Personal Data belonging to a certain Personal Data subject without using additional information;
Personal Data Processing: any action (operation) or set of actions (operations) performed with or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal Data;
Operator: a state body, a municipal body, a legal entity or an individual who independently or jointly with other persons organizes and (or) performs Personal Data processing, as well as determines the purposes of Personal Data processing, the composition of Personal Data for processing, actions (operations) performed with personal data;
Personal data (PD): any information related directly or indirectly to a certain or determinable individual (personal data subject);
Provision of Personal Data: actions aimed at disclosing Personal Data to a certain person or a certain number of persons;
Distribution of Personal Data: actions aimed at disclosing Personal Data to an indefinite number of persons (transfer of Personal Data) or at familiarizing with personal data of an unlimited number of persons, including disclosure of Personal Data in mass media, placing in information and telecommunication networks or provision of access to personal data in any other way;
ACS: access control system, a system of access control and management, a set of hardware and software control and management tools aimed at restricting and registering the entry and exit of objects (people, vehicles) on the territory of the Foundation;
Cross-border transfer of Personal Data: transfer of Personal Data to the territory of a foreign country, to a foreign authority, a foreign individual or a foreign legal entity;
Destruction of Personal Data: actions as a result of which it is impossible to restore the Personal Data content in the PDIS and (or) as a result of which material Personal Data carriers are destroyed.
GDPR: General Data Protection Regulation, a European Union regulation through which the European Parliament, the Council of the European Union and the European Commission unify the protection of personal data of all persons in the European Union (EU).
Article 2. Principles and conditions of personal data processing
Personal Data Processing is carried out on the basis of the following principles:
Legitimacy and fair basis;
Limiting PD processing to specific, predetermined and legitimate purposes;
Preventing PD processing incompatible with the purposes of PD collection;
Preventing the merger of databases containing personal data processed for purposes that are incompatible with each other;
Processing only those PD that meet the purposes of their processing;
Ensuring correspondence of the content and volume of the processed Personal Data to the declared processing purposes;
Preventing PD processing that is excessive in relation to the declared purposes of their processing;
Ensuring the accuracy, sufficiency and relevance of Personal Data in relation to the purposes of Personal Data processing;
Destruction or depersonalization of Personal Data upon achievement of the purposes of their processing or when it is no longer necessary to achieve these purposes, or when the operator is unable to eliminate violations committed in respect of Personal Data, unless otherwise provided by the federal law.
The Foundation processes Personal Data if any of the following conditions are met:
Personal Data Processing shall be carried out with the consent of the Personal Data subject for processing his/her Personal Data;
Personal Data Processing is necessary to achieve the goals set forth in an international treaty of the Russian Federation or law, to implement and perform the functions, powers and duties imposed on the operator by the legislation of the Russian Federation;
Personal Data Processing is necessary for the administration of justice, execution of a judicial act, act of another body or official to be executed in accordance with the legislation of the Russian Federation on enforcement proceedings;
Personal Data Processing is necessary for the performance of a contract to which the Personal Data subject is a party, beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the Personal Data subject or a contract under which the Personal Data subject will be a beneficiary or guarantor;
Personal Data Processing is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially important goals, provided that the rights and freedoms of the Personal Data subject are not violated;
The Personal Data being processed have been made accessible to an unlimited number of persons by the Personal Data subject or at his/her request (hereinafter referred to as public personal data);
The Personal Data being processed are subject to publication or mandatory disclosure in accordance with the federal law.
Personal data are processed in the Foundation for the following purposes:
Ensuring compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation and the local regulatory acts of the Foundation;
The implementation of the functions, powers and duties imposed by the legislation of the Russian Federation on the Foundation, based on the Federal Law No. 244-FZ On the Skolkovo Innovation Center dated September 28, 2010 and other legislative acts;
Regulating labor relations with the Foundation's employees;
Providing the employees with additional guarantees and compensations, voluntary medical insurance, medical care and other types of social security services;
Protection of life, health or other vital interests of personal data subjects;
Preparation, conclusion, execution and termination of contracts with counterparties;
Restricting access to the Skolkovo Innovation Centre, the Foundation's facilities and the LE;
Combating corruption and embezzlement;
Ensuring the economic security of the Foundation's activities;
Developing reference materials for the internal information support of the Foundation and the LE;
Exercising the rights and legitimate interests of the Foundation and the LE in the framework of the activities provided for in the Charter and other local regulations of the Foundation and the LE;
for other legitimate reasons.
Personal Data Processing in the Foundation is carried out in the following ways:
non-automated Personal Data Processing;
automated Personal Data Processing.
The Foundation shall have the right to assign another person or legal entity to process Personal Data with the consent of the Personal Data subject on the basis of an agreement concluded with this person or entity, unless otherwise provided by federal law. The person processing Personal Data on behalf of the Foundation shall comply with the principles and rules of Personal Data processing stipulated by FZ-152 and this Policy.
Personal data are stored in a form that allows the personal data subject to be identified for no longer than is required by the purposes of personal data processing, except in cases where the term of storage of personal data is not established by federal law or by a contract to which the personal data subject is a party, beneficiary or guarantor. When storing personal data, the Foundation uses databases located on the territory of the Russian Federation in accordance with Part 5 of Article 18 of FZ-152.
The Foundation has the right to transfer personal data to bodies of inquiry and investigation, other authorized bodies on the grounds provided by the current legislation of the Russian Federation.
The Operator and other persons who received access to personal data shall not disclose to third parties and shall not distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.
If the inaccuracy of personal data or the illegitimacy of their processing is proven, the personal data are subject to updating by the operator, and their illegal processing is subject to termination.
In case of achieving the purposes of personal data processing, as well as in case of revocation of the consent of the personal data subject to their processing, the personal data shall be subject to destruction, if:
it is not otherwise provided by the contract to which the personal data subject is a party, beneficiary or guarantor;
the operator is not entitled to process personal data without the consent of the personal data subject on the grounds provided by FZ-152 or other federal laws;
it is not otherwise provided by the contract between the operator and the personal data subject.
The Operator is obliged to inform the personal data subject or its representative about the Personal Data Processing of such subject upon request of the latter.
For the purpose of information support, the Foundation may create public sources of personal data of the personal data subjects, including directories and address books.
Publicly available Personal Data sources may include the subject's surname, name, patronymic, date and place of birth, photo, position, contact telephone numbers, e-mail address and other personal data provided by the personal data subject. Information about the personal data subject must be removed from the public sources of personal data at any time at the request of the personal data subject, the authorized body for the protection of the rights of personal data subjects or by court decision.
Biometric personal data may be processed only with the written consent of the personal data subject, except for the cases provided by Part 2 of Article 11 of FZ-152.
The use of scanned copies of identity documents, publication of photographs on public resources and other cases of using the image of a person that are not related to identifying the subject or to the identification procedure do not constitute processing of biometric personal data; in these cases, information is processed in accordance with the general requirements established by FZ-152.
A photographic image contained in an employee's personal file or on an ACS pass card is not biometric personal data either. Such images cannot be considered biometric personal data because the actions performed with them are aimed at confirming that they belong to a specific individual whose identity is already established and whose personal data are already available to the operator.
The processing of special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, state of health, intimate life by the operator is not carried out in the Foundation.
The Operator has the right to transfer personal data for processing in e-mail systems, cloud storage, control systems and other systems in foreign countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Personal Data Processing.
Cross-border transfer of personal data within the territory of foreign countries that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Personal Data Processing, as well as other foreign countries that ensure adequate protection of the rights of personal data subjects, is carried out in accordance with FZ-152.
Cross-border transfer of Personal Data to the territory of foreign states that do not provide adequate protection of the rights of Personal Data subjects may be carried out in the following cases:
there is a written consent of the Personal Data subject for the cross-border transfer of their PD;
stipulated by international treaties of the Russian Federation;
stipulated by federal laws, if it is necessary to protect the foundations of the constitutional order of the Russian Federation, to ensure the defense of the country and the security of the state, as well as to ensure the security of stable and safe functioning of the transport complex, to protect the interests of individuals, society and the state in the field of transport from acts of unlawful interference;
performance of a contract to which the personal data subject is a party;
protection of life, health and other vital interests of the personal data subject or other persons where it is impossible to obtain the written consent of the personal data subject.
Article 3. Rights of the personal data subject
The personal data subject shall decide on the provision of his/her Personal Data and give consent to its processing freely, of his/her own will and in his/her own interests. Consent to Personal Data Processing may be given by the personal data subject or his/her representative in any form that makes it possible to confirm its receipt, unless otherwise provided by the federal law.
The personal data subject has the right:
to receive information from the operator regarding the processing of their Personal Data, if such right is not limited in accordance with federal laws;
to request the clarification, blocking or destruction of their personal data in the event that the personal data are incomplete, outdated, inaccurate or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights;
The PD subject has the right to request, in a structured, universal and machine-readable format, a list of his/her personal data submitted for processing.
It is forbidden to make decisions on the basis of exclusively automated Personal Data Processing which give rise to legal consequences concerning the personal data subject or otherwise affecting their rights and legitimate interests, except for the cases stipulated by federal laws, or in the presence of a written consent of the personal data subject.
If illegal processing of personal data is revealed, then upon the demand of the personal data subject or their representative the Foundation blocks the illegally processed personal data, checks the instances of illegal Personal Data Processing and, if illegal processing is confirmed, clarifies or destroys the personal data of the subject within the time limits defined by Article 21 of FZ-152.
If it is impossible to destroy the personal data within the time limits defined in Parts 3-5 of Article 21 of FZ-152, the Foundation blocks the personal data and ensures their destruction within no more than six months, unless otherwise stipulated by federal laws.
For prompt communication on matters of personal data processing, contact PersonalData@sk.ru.
Article 4. Ensuring the security of personal data
The security of Personal Data processed by the operator is provided by implementing legal, organizational and technical measures necessary for meeting the requirements of the federal legislation in the field of Personal Data protection.
To prevent unauthorized access to personal data, the following organizational and technical measures are applied:
appointing officials responsible for organizing the processing and protection of Personal Data;
organization of internal control over compliance of personal data processing with the requirements of the legislation and the regulatory legal acts adopted in accordance with it with regard to personal data processing, as well as local regulatory acts of the Foundation;
restricting the number of persons allowed to process personal data;
informing subjects of the requirements of the federal legislation and standard documents on personal data processing and protection;
organization of accounting, storage and use of media containing personal data;
defining PD security threats during their processing, designing threat models, developing a PD protection system;
verifying the readiness and efficiency of the use of information security measures;
differentiating user access to information resources and to the hardware and software used for information processing;
registration and accounting of actions of PD information systems users;
using, where appropriate, a firewall, intrusion detection, security analysis, cryptographic and other information security means;
restricting access to the Foundation's facilities, maintaining security of the premises with technical means of personal data processing.
Article 5. Control over compliance with the requirements of the legislation of the Russian Federation in the field of personal data
Control over compliance with the requirements of the legislation of the Russian Federation in the field of personal data is carried out by the Foundation to verify compliance of personal data processing with the requirements of the legislation of the Russian Federation and the local regulations of the Foundation.
Internal control over compliance with the requirements of the legislation of the Russian Federation on personal data by the Foundation's employees, organization of personal data protection and internal control over the protection of personal data of the Foundation's contractors, participants in the Project for establishing and ensuring the functioning of the Skolkovo Innovation Center and participants in the events held by the Foundation, is carried out by the Department of Information Systems and Services.
Article 6. Final provisions
Other rights and obligations of the operator in connection with the Personal Data Processing are determined by the legislation of the Russian Federation in the field of personal data.
The Foundation provides protection and confidentiality of processed personal data of the personal data subjects within the scope of GDPR, to the extent of complying with the legal norms of the legislation of the Russian Federation.