Personal Data Processing Policy

1.1. This document defines the policy of the NGO "Insango" (hereinafter referred to as the Company) regarding the processing of personal data (hereinafter referred to as PD).In accordance with the legislation of the Russian Federation, the Company is the operator of personal data.
1.2. This policy has been developed in accordance with the current legislation of the Russian Federation on personal data:
- Federal Law of the Russian Federation of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter – 152- FZ), which establishes the basic principles and conditions for the processing of personal data, the rights, duties and responsibilities of participants in relations related to the processing of personal data;
- Decree of the Government of the Russian Federation dated 11/01/2012 No. 1119 "On Approval of Requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems";
- Decree of the Government of the Russian Federation dated 09/15/2008 No. 687 "On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools".
1.3. The validity of this The Policy applies to all processes for the collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data carried out using automation tools and without the use of such tools.
1.4. This Policy is subject to revision and, if necessary, updating in the event of changes in the legislation of the Russian Federation on personal data.

2.1. Personal data processing is carried out on the basis of the following principles:
- personal data processing is carried out on a legal and fair basis;
- the processing of personal data is limited to achieving specific, predefined and
legitimate goals;
- personal data processing incompatible with the purposes of collecting personal data is not allowed;
- it is not allowed to combine databases containing personal data, the processing of which
is carried out for purposes incompatible with each other;
- the content and volume of PD processed correspond to the stated processing objectives.
The processed PD is not redundant in relation to the stated
processing purposes;
- when processing personal data, the accuracy of personal data and their sufficiency are ensured, and, if
necessary, the relevance of personal data in relation to the stated purposes of their processing.;
- the storage of personal data is carried out in a form that makes it possible to determine the subject of personal data no longer than the purposes of processing personal data require, unless the period of storage of personal data is established by federal law, an agreement to which the party, the beneficiary,
is a PD subject;
- processed personal data is subject to destruction or depersonalization upon achievement of goals
processing, in case of loss of the need to achieve these goals, as well as upon request in the prescribed form from the PD subject or his legal representative with a request for the destruction or depersonalization of the processed PD, unless otherwise provided by federal law.

Z.1. Personal data processing is carried out in compliance with the principles and rules established by the Federal Law "On Personal Data". Personal data is processed in the following cases:
- PD processing is carried out with the consent of the PD subject to the processing of his personal data;
- PD processing is necessary to achieve the goals stipulated by an international agreement of the Russian Federation or a law, to carry out and fulfill the functions, powers and duties assigned to the operator by the legislation of the Russian Federation.
- the processing of personal data is necessary for the execution of the contract, the party to which either
the beneficiary for which the PD subject is, as well as for concluding an agreement on the initiative of the PD subject or an agreement under which the PD subject will be the beneficiary;
- PD processing is necessary to protect the life, health or other vital interests of the PD subject if obtaining the PD subject's consent is not possible;
- PD processing is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the PD subject are not violated.;
- personal data is processed for statistical or other research purposes, subject to mandatory anonymization of personal data. The exception is the processing of personal data in order to promote goods, works, and services on the market by making direct contacts with a potential consumer using means of communication.;
- PD is being processed, access to an unlimited number of persons to which is provided by the PD subject or at his request (hereinafter referred to as PD made publicly available by the PD subject).
3.2. The Company may process data on the health status of a personal data subject in the following cases::
- the personal data subject has given written consent to the processing of his personal data;
- in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions for state pension provision, on labor pensions;
- it is impossible to obtain the consent of the PD subject in order to protect the life, health or other vital interests of a PD employee or the life, health or other vital interests of others;
- to establish or exercise the rights of an employee or third parties, as well as in connection with the administration of justice;
- in accordance with the legislation on compulsory types of insurance, with insurance legislation.
3.3. Biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the operator to establish the identity of the subject of personal data) are not processed in the Company.
3.4. Decisions based solely on automated PD processing that generate legal consequences for the PD subject or otherwise affect his rights and legitimate interests are not made.
3.5. If it is not possible to obtain the subject's written consent to the processing of his personal data, consent may be given by the subject of personal data or his representative in any other form that allows confirming the receipt of such consent.
3.6. When assigning PD processing to another person, the Company enters into an agreement (hereinafter referred to as the operator's order) with this person and receives the consent of the PD subject, unless otherwise provided by federal law. At the same time, the Company, on behalf of the operator, obliges the person processing personal data on behalf of the Company to comply with the principles and rules of personal data processing provided for by the Federal Law (On Personal Data).
3.7. In cases where the Company entrusts the processing of personal data to another person, the Company is responsible to the PD subject for the actions of the specified person. The person who processes personal data on behalf of the Company is responsible to the Company.
3.8. The Company undertakes and obliges other persons who have obtained access to personal data not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
Z.9. The terms of PD processing are determined in accordance with the validity period of the contract with the PD subject, the Rosarchive order dated 06.10.2000 (List of standard management documents generated in the activities of organizations, indicating the retention periods), the statute of limitations, as well as other legal requirements and regulatory documents of the Bank of Russia.

4.1. In accordance with the requirements of the Federal Law (On Personal Data), the Company is obliged to:
- to provide the PD subject, upon his request, with information regarding the processing of his PD, or to legally provide a refusal: within thirty days from the date
of receipt of the PD subject's request or his representative;
- at the request of the PD subject, hijack, block or delete processed PD if
Personal data are incomplete, outdated, inaccurate, illegally obtained, or are not necessary for the stated purpose of processing: within a period not exceeding seven working days from the date on which the personal data subject or his representative provides information confirming these facts.;
- keep records of PD subjects' requests, which should record PD subjects' requests for PD, as well as the facts of providing PD for these requests;
- notify the PD subject of the PD processing in the event that the PD was not received from the PD subject. The following cases are an exception:
the PD subject has been notified about the processing of his PD by the company;
Personal data were received by the company in connection with the execution of an agreement to which the PD subject is a party or beneficiary or on the basis
of a federal law;
PD were made publicly available by the PD subject or obtained from a publicly
available source;
the company processes personal data for statistical or other
research purposes, for carrying out professional activities
of a journalist or of scientific, literary or other creative activity, provided that the rights and legitimate interests of the PD subject are not violated.;
providing the PD subject with the information contained in the PD Processing Notification violates the rights and legitimate interests of third parties.
- if the purpose of PD processing is achieved, immediately stop PD processing and destroy the relevant PD within a period not exceeding thirty days from the date of achievement of the purpose of PD processing, unless otherwise provided by an agreement to which the PD subject is a party, another agreement between the Company and the PD subject, or if the Company is not entitled to processpersonal data protection without the consent of the personal data subject on the grounds provided for by No. 152-FZ (On Personal Data) or other federal laws
;
- if the PD subject withdraws consent to the processing of their personal data, stop processing
Personal data and destroy personal data within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided by an agreement between the Company and the subject of personal data. The Company is obliged to notify the PD subject about the destruction of the PD.;
- in case of receipt of a PD subject's request to stop processing PD received for the purpose of promoting goods, works, services on the market, immediately stop processing PD;
- documents (information carriers, records in databases) must be destroyed in a way that excludes the recovery of information containing personal data (by crushing in paper cutting machines, burning, crushing, turning into a shapeless mass, deleting/zeroing records in databases using standard database management systems or operating systems). If the PD is destroyed upon a request for access to the PD of a PD subject, its legal representative or an authorized body for the protection of the rights of PD subjects, a notification is sent to the PD subject. In
if the request for access to personal data has been sent by the authorized body for the protection
of the rights of personal data subjects, the notification is also sent to the specified body.
- when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance to the purposes of personal data processing must be ensured. Measures should be taken to delete or clarify incomplete or inaccurate data. The clarification implies changes in the composition of the personal data both in electronic form in the Ispdn and on tangible media, with subsequent production and consideration of a new tangible
medium.;
- in the event that the provision of personal data is mandatory in accordance with federal
law and the PD subject refuses to provide his personal data, the employee of the Company who collects personal data must explain to the PD subject the legal consequences of such refusal. Explanations may be provided in electronic form (checkboxes, notifications, etc.), on the Company's website and in the personal account.

5.1. When processing personal data, the Company applies the necessary legal, organizational and technical measures to protect Personal Data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data. 5.2
. Ensuring the security of personal data is achieved by the following measures:
- identification of PD security threats during their processing in PD information systems;
- the use of organizational and technical measures to ensure the safety of personal data in
their processing in personal data information systems necessary to meet the requirements for personal data protection, the fulfillment of which ensures the levels of personal data security established by the Government of the Russian Federation.;
- assessment of the effectiveness of measures taken to ensure the safety of personal data prior to the commissioning of the personal data information system;
- taking into account machine media Personal data;
- detection of facts of unauthorized access to personal data and taking measures;
- restoration of personal data modified or destroyed due
to unauthorized access to them;
- establishing rules for access to personal data processed in the personal data information system, as
well as ensuring registration and accounting of all actions performed with personal data in
the personal data information system;
- the appointment by the operator of the person responsible for the organization of personal
data processing;
- control over the measures taken to ensure the security of personal data and the level
of security of personal data information systems.

6.1. In accordance with the Federal Law (On Personal Data, the PD subject has the right to receive information related to the PD processing by the Company, namely:
- confirmation of the fact of PD processing by the Company;
- legal grounds and purposes of PD processing by the Company;
- the methods of PD processing used by the Company;
- the name and location of the Company, information about persons (with the exception
of employees of the Company) who have access to personal data or to whom it may be disclosed
Personal data on the basis of an agreement with the operator or on the basis of a federal law;
- processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for submitting such data is provided for by federal
law;
- the terms of PD processing by the Company, including the terms of their storage;
- the procedure for the PD subject to exercise the rights provided for by the Federal Law (On Personal
Data);
- information about the completed or proposed cross-border data transfer;
- the name or surname, first name, patronymic and address of the person who processes personal
data on behalf of the Company, if processing has been or will be entrusted to such a person;
- other information provided by F3 (On Personal Data) or other federal laws;
- require the Company to clarify its personal data, block them, or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing;
- revoke consent to the processing of personal data in cases stipulated by law.

7.1. The PD subject's right to access his personal data is limited if the provision of personal data violates the rights and legitimate interests of others.
7.2. If the information related to the PD processing, as well as the PD being processed, has been provided to the PD subject for review upon his request, the PD subject has the right to send a repeat request. In order to obtain information related to the processing of personal data and to familiarize oneself with such personal data no earlier than thirty days after the initial request is sent, unless a shorter period is established by federal law, a regulatory legal act adopted in accordance with it, or an agreement to which the PD subject is a party or beneficiary.
7.3. The PD subject has the right to send a repeated request to the Company in order to obtain information related to the processing of PD, as well as to familiarize himself with the processed PD before the expiration of the PD processing period, and if such information and (or) the processed PD were not provided to him for review in full based on the results of consideration of the initial request. The repeated request must contain a justification for sending the repeated request.
7.4. The Company has the right to restrict the personal data subject's access to his personal data in accordance with Part 8 of Article 14 of the Federal Law (On Personal Data).