1. Purpose and scope

1.1. This document (hereinafter – Policy) defines the purposes and general principles of personal data processing, as well as as implemented measures to protect the rights of personal data subjects in Moscow Public Foundation for Support of Culture and Development of Contemporary Art (hereinafter – MOF).

1.2. The Policy applies to all IOF personnel (including employees under labor contracts and persons who have entered into other contracts with IOF) and all structural subdivisions of IOF. 

1.3. The requirements of the Policy are also taken into account and applied to other persons when it is necessary for them to participate in the personal data processing processes of the IOF, for example, in cases of transfer of personal data from the IOF to contractors, partners and other contractors on the basis of orders for processing of personal data, other agreements and contracts in the established procedure. 

2. Compliance with applicable law

2.1. The Policy is developed primarily on basis of the legislation of the Russian Federation in view of the registration of IOF on territory of the Russian Federation. The Policy uses terms and definitions in accordance with their meanings as defined in Federal Law of 27.07.2006 No. 152-FZ  “On personal data” (hereinafter – 152-FZ). The MOF processes personal data with taking into account the requirements of the 152-FZ itself, its bylaws and regulatory and methodological documents of the state bodies of the Russian Federation authorized in the sphere of information security and protection of the rights of personal data subjects.

  2.2 The Policy shall, where possible, also take into account the provisions of other legislation applicable to the IOF’s activities in the field of personal data processing, such as the European General Data Protection Regulation (hereinafter – GDPR), or local legislation of individual countries in the part not contradicting the 152-FZ. 

2.3. В individual cases of personal data processing for resolving possible contradictions between the various laws of individual States, the order and principles of personal data processing in IOFs may, in addition to Policies to regulate and itemize in Special sections of IOF documents (e.g., treaties, agreements) related to such individual cases and  which for such cases play the role of Data Processing Agreements (hereinafter – DPA) in GDPR terminology. 

3. Principles of personal data processing

3.1. The processing of personal data is carried out by the IOF on lawful and fair basis, the main legal bases for processing are:
3.1.1.Constitution of the Russian Federation; 
3.1.2.Labor Code of the Russian Federation; 
3.1.3.Civil Code of the Russian Federation; 
3.1.4.Tax Code of the Russian Federation; 
3.1.5.Federal Law of 06.04.2011 No. 63-FZ “On electronic signature”; 
3.1.6.Federal Law of 07.07.2003 No. 126-FZ “On communication”; 
3.1.7. Federal Law of 27.07.2006 No. 149-FZ “On information, information technologies and on protection of information”; 
3.1.8. Federal Law of 04.05.2011 No. 99-FZ “On licensing of certain types of activities”; 
3.1.9.Federal Law of 06.12.2011 No. 402-FZ “On accounting”; 
3.1.10.Federal Law   of 04.1996      No. 27-FZ “On the  individual (personified) registration in the system of compulsory pension insurance”;
3.1.11.Federal Law of 22.10.2004 No. 125-FZ “On archiving in the Russian Federation”; 
3.1.12.Federal Law of 19.12.2012 No. 273-FZ “On Education in the Russian Federation”; 
3.1.13.Federal Law of 22.05.2003 No. 54-FZ “On the use of cash registers in cash settlements and (or) settlements with the use of electronic means of payment; 
3.1.14.Federal Law of 12.01.1996 No. 7-FZ “On non-commercial organizations”; 
3.1.15.Federal Law of 26.12.1995 No. 208-FZ “On joint stock companies”; 
3.1.16.Federal Law of 08.02.1998 No. 14-FZ “On limited liability companies with limited liability”; 
3.1.17.The Law of the Russian Federation from 27.12.1991 № 2124-1 “On mass media”; 
3.1.18.Contracts and agreements of the Companies;
3.1.24. Consents of the subjects of personal data.

3.2. The content and scope of processed personal data are determined on the basis of processing purposes.
Personal data that is redundant or incompatible with the following main purposes will not be processed:
3.2.1. conclusion of labor relations with individuals, recruitment of personnel; 
3.2.2. conclusion, prolongation of contractual relations of MOF; 
3.2.3. identification of parties to contracts, agreements, transactions; 
3.2.4. fulfillment of contractual obligations, including provision of services, performance of works, delivery of goods; 
3.2.5. the use by legal entities and individuals of websites and other information resources of the IOF in accordance with their rules of use, license agreements; 
3.2.6. registration, identification and personalization of users of MOF websites, applications and other information resources; providing access to resources and functions available only to registered users; improving user experience, software products, and the quality of services and work performed by the MOF; 
3.2.7. communicating with individuals and legal entities for sending them notifications, responses to inquiries, mailings and information messages, as well as marketing messages to promote software products, goods, works and services of the MOF and partner organizations; 
3.2.8. carrying out the activities of the certification center in accordance with   legislation of the Russian Federation on electronic signature; 
3.2.9. carrying out the activities of a fiscal data operator in accordance with   legislation of the Russian Federation on fiscal data; 
3.2.10. carrying out the activities of electronic document management operators in in accordance with legislation of the Russian Federation, regulatory documents of state bodies of the Russian Federation; 
3.2.11. realization of activity on provision of additional education; 
3.2.12. carrying out the activities of the mass media outlet in in accordance with legislation of the Russian Federation; 
3.2.13. participation of individuals in referral, bonus programs, loyalty programs of MOF and partner organizations; 
3.2.14. protection of legitimate interests of IOF, its partners and clients; countering illegal or unauthorized actions, fraud in use by clients and users of software products, goods, works and services, ensuring information security; 
3.2.15. organizing access control on the territory of the buildings and offices of the IOF, ensuring the safety of property and security of staff and visitors to events organized by the IOF; 
3.2.16. organization of conferences, seminars, webinars, other public events in interests of MOF, partner organizations, professional communities; 
3.2.17. Compliance with applicable labor, accounting, pension and other laws of the Russian Federation; 
3.2.18.  Compliance with other legislation applicable to the IOF’s activities, including international or local legislation of the countries in whose nationals the IOF operates.

3.3 The main categories of personal data subjects whose data are processed by IOF include:
3.3.1. visitors and users of IOF websites; 
3.3.2. individuals who have or have had labor and civil law relations with the IOF, their close relatives, referrals, and as well as individuals who intend to enter into such relations, e.g., candidates for vacancies; 
3.3.3. natural persons who have or have had labor and civil law relations with IOF counterparties, as well as persons who intend to enter into such relations; 
3.3.4. Individuals doing internships, volunteer internships, internships from educational institutions at IOF; 
3.3.5. Individuals listed in various state registries, databases, publicly available and other sources that are legally obtained and used in providing IOF services as data sources; 
3.3.6. individuals who have contacted MOF with inquiries, messages, applications, complaints, proposals with using contact information or means of collecting feedback; 
3.3.7. individuals participating in interviews, surveys, analytical and marketing research on the subject of the Companies’ activities; 
3.3.8. participants of events organized by IOF or partner organizations; 
3.3.9. visitors to IOF offices; 
3.3.10. IOF founders

3.4. For the specified categories of entities may be processed in accordance with processing purposes:
3.4.1. personal information (surname, first name, patronymic, in including former ones; gender; year, month, date of birth; age; place of birth, nationality, citizenship); 
3.4.2. contact information (postal address, phone numbers, e-mail addresses, pseudonyms, identifiers in social networks and communication services); addresses of registration and actual residence; 
3.4.3. information about identity documents; driver’s license; information about subject’s identification numbers in state accounting systems (for example, TIN, SNILS and etc.); information about compulsory and voluntary health insurance policies; 
3.4.4. professional activity (place of work; position; structural unit; length of service; participation in legal entities; credentials); 
3.4.5. skills and qualifications (education received; profession; specialties assigned; foreign language skills; training courses, internships and practices completed); 
3.4.6. information about family (marital status; family composition; legal representatives, closest relatives); 
3.4.7. social status; property status;
3.4.8. information on treaties and agreements, their statuses;
3.4.9. hobbies and hobbies; personal interests; tastes and preferences; subscriptions to newsletters;
3.4.10. information about encouragements, awards, penalties and bringing to responsibility; 
3.4.11. information about presence in individual registries, databases and lists; 
3.4.12. information on military registration; information on migration registration; 
3.4.13. photo and video images; speech information (voice recording); 
3.4.14. electronic user data (user IDs, network addresses, cookies, device IDs, sizes and screen resolution, information about hardware and software, such as browsers, operating system, installed applications, geolocation, language settings, time zone, time and application usage statistics and IOF information resources, users’ actions in services, sources of referrals to web pages, sent search and other requests, user-generated content); electronic signature certificates; 
3.4.15.other information stipulated by the standard forms, established procedure and processing purposes.

3.5. The processing of personal data at IOF is carried out in a mixed way: with using automation tools and without. 

3.6. Actions with personal data include: collection; recording; systematization; accumulation; storage; clarification (updating, modification); extraction; use; transfer (distribution, provision, access); depersonalization; blocking; deletion, destruction. 

3.7. During processing, the accuracy of personal data, their sufficiency and relevance in relation to the purposes of personal data processing are ensured. If inaccurate or incomplete personal data are detected, they may be clarified and updated. In cases where the updating of personal data is outside the area of responsibility of the MOF, the processing may be suspended until the date of updating. Obligations and responsibility for timely updating of personal data for individual cases of processing may be established by agreements or local acts of the IOF. 

3.8. Processing and storage of personal data shall not be carried out longer than the purposes of personal data processing require, unless there are no legal grounds for further processing, for example, if federal law or an agreement with the personal data subject does not establish an appropriate storage period.

3.9. Processed personal data shall be destroyed or anonymized upon occurrence of the following conditions: 
3.9.1. achievement of the purposes of personal data processing or maximum retention period – shall be destroyed or depersonalized within 30 days; 
3.9.2. loss of necessity in achieving the purposes of personal data processing – within 30 days; 
3.9.3. provision by the personal data subject or his/her legal representative of confirmation that personal data are illegally obtained or are not necessary for the declared purpose of processing – within 7 days; 
3.9.4.  impossibility to ensure the lawfulness of personal data processing – within 10 days; 
3.9.5.  revocation of consent to processing of personal data by the subject of personal data, if retention of personal data is no longer required for purposes of personal data processing – within 30 days; 
3.9.6. revocation of the personal data subject’s consent to use of personal data for contacts with potential customers for promotion of software products, goods, works and services – within 2 days; 
3.9.7. expiration of limitation periods for legal relations within the framework of which personal data processing is or was carried out; 
3.9.8. liquidation (reorganization) of the MOF if the processing was carried out exclusively in interests of the MOF and there is no legal successor.
3.10. When carrying out a cross-border transfer of personal data, before commencing such transfer, the IOF shall make sure that the foreign state to whose territory the transfer will be carried out ensures adequate protection of the rights of personal data subjects or this foreign state is a party to the Council of Europe Convention for the Protection of Individuals with regard to the automated processing of personal data.
3.11. Cross-border transfer to territories of foreign countries that do not ensure adequate protection of the rights of personal data subjects may be carried out in cases provided for by the 152-FZ and GDPR.

4. processing in as a subcontractor and engaging subcontractors

4.1. The IOF, in addition to acting as a personal data controller, may act as a person who processes personal data on behalf of other personal data controllers on the basis of contracts and other agreements. 

4.2. The IOF may, if necessary, engage third-party organizations in the processing of personal data as subcontractors, provided that the principles of processing are complied with and there is an appropriate contract or agreement with them.

5. Obtaining the subject’s consent to the processing of his/her personal data

5.1 In cases of processing not provided for by applicable law or contract with the data subject explicitly, the processing is carried out after obtaining the consent of the personal data subject. 

5.2. Consent may be expressed in form of the personal data subject’s performance of conclusory actions, for example: 
5.2.1. acceptance of the terms and conditions of the offer agreement, rules of use of the MOF website; 
5.2.2. continuing to use the applications, services, information resources, MOF websites, interacting with their user interfaces after notifying the user of data processing; 
5.2.3. granting the necessary permissions to the mobile application when is requested at the time of installation or use; 
5.2.4. making marks, filling in the appropriate fields in forms, blanks; 
5.2.5. maintaining electronic correspondence that refers to processing; 
5.2.6. entering the territory after familiarizing yourself with warning signs and signs; 
5.2.7. other actions performed by the subject, according to which it is possible to judge about his will, in particular, a participant, visitor when visiting the International Festival “Traditions and Modernity”, at the ceremony of awarding the prize “VERA” is aware and agrees that it is possible to carry out photo and video filming, as well as making an audio recording with his participation. However, the MOF reserves the right to use the photos, videos, audio recordings taken during the event without separate written consent to use the photos, videos, audio recordings in publications and media materials including but not limited to online publications, social media, news, press releases, brochures, invitations and other promotional materials.

5.3 In individual cases provided by  legislation of the Russian Federation, consent shall be executed in written form with indication of information provided by  152-FZ, and also in accordance with other applicable requirements, standard forms. 

5.4 In cases of processing of personal data received not from the subject directly, but from other persons on the basis of a contract or order for processing, the obligation to obtain the consent of the subject may be imposed on the person from whom the personal data was obtained. 

5.5. If the data subject refuses to provide the necessary and sufficient amount of his/her personal data, the IOF will not be able to carry out the necessary actions to achieve the relevant processing purposes. For example, in such a case the user’s registration on the site may not be completed, services under the contract may not be rendered, work may not be performed, goods may not be delivered, a job applicant’s resume will not be considered, etc.

6. Processing of electronic user data, including cookies

6.1. The MOF, for the purposes of processing personal data set forth in the Policy, may collect electronic user data on its websites automatically, without the need for the user to participate and perform any actions to send the data. 

6.2. The validity of the electronic data collected in this way in MOF is not verified, the information is processed “as is” in the way it came from the client device. 

6.3. Visitors and users of MOF websites may be shown pop-up notices about the collection and processing of cookie data with a link to Policy and buttons to accept the terms of processing or close the pop-up notice. 

6.4. Such notices mean that when you visit and use websites, information resources in your browser on user’s device, information (such as cookie data) may be stored in your browser to further identify the user or device, remember your session, or store certain settings and user preferences specific to those particular sites. Such information, once saved to browser and prior to expiration or deletion from device, will be sent on each subsequent request to the site on whose behalf they were saved, along with that request for processing on the side of the MOF. 

6.5. The processing of cookie data is necessary for the MOF to correct operation of the sites, in particular, their functions related to access of registered users to the MOF’s software products, services, works and resources; to personalize users; to improve the efficiency and convenience of working with the sites, as well as other purposes provided for in the Policy. 

6.6. In addition to processing cookies set by MOF sites themselves, users and visitors may be set cookies related to third-party sites, such as in cases where MOF sites use third-party components and software. The handling of such cookies is governed by the policies of the respective sites to which they relate, and may change without notice to users of MOF sites.   such cases may include placement on sites: 
6.6.1. visit counters, analytical and statistical services, such as Yandex.Metrica or Google Analytics for collecting statistics of traffic on publicly accessible pages of websites; 
6.6.2. widgets of auxiliary services for collecting feedback, organizing chats and other types of communication with users; 
6.6.3. contextual advertising systems, banner and other marketing networks; 
6.6.4. authorization buttons on sites with using social media accounts;

6.7. The user’s acceptance of the terms of cookies or closing the pop-up notification in in accordance with Policy is considered as consent to the processing of cookie data on MOF websites. 

6.8 In case the user does not agree to the processing of cookies, he must accept the risk that in such case the functions and features of the website may not be available in full, and then follow one of the following options: 
6.8.1. independently configure your browser in accordance with documentation or help for it so that it does not permanently allow to accept and send cookie data for any websites or for a specific MOF website or third-party component website; 
6.8.2. switch to special browser “incognito” mode for use of cookies before closing the browser window or before switching back to normal mode; 
6.8.3. leave the site to to avoid further processing of cookies. 

6.9. The User may independently, through the cookie tools built into browsers, manage stored data, including deleting or viewing information about cookies set by websites, including: 
6.9.1. website addresses and paths to where cookies will be sent; 
6.9.2. names and values of settings stored in cookies; 
6.9.3. cookie expiration dates.

7. Confidentiality and security of personal data

7.1. Confidentiality is ensured for personal data in  MOF in accordance with applicable legislation, local acts of the Companies, terms and conditions of concluded agreements and MOF contracts, except for cases: 
7.1.1. if the personal data is publicly available, contained in publicly available sources of personal data or authorized by the subject for dissemination; 
7.1.2. if the information is subject to mandatory disclosure to third parties, including public authorities, in accordance with the legislation applicable to IOF. 

7.2. The IOF undertakes necessary and sufficient legal, organizational and technical measures to ensure the security of personal data for their protection against unauthorized (including accidental) access, destruction, modification, blocking of access and other unauthorized actions. The such measures include, in particular: 
7.2.1. appointment of individuals or legal entities responsible for organizing the processing and ensuring the security of personal data in specific Companies; 
7.2.2. issuance of local acts on issues of personal data processing, information security, familiarization of employees with them; 
7.2.3. training of employees on issues of personal data processing, information security; 
7.2.4. ensuring physical security of premises and processing facilities, access control, security guards, video surveillance; 
7.2.5. limitation and delimitation of access of employees and other persons to personal data and processing means, monitoring of actions with personal data; 
7.2.6. determination of threats to the security of personal data during their processing in information systems of personal data, formation of threat models on their basis; 
7.2.7. application of security means (anti-virus means, firewalls, means of protection against unauthorized access, means of cryptographic protection of information), in including, in necessary cases, having passed the procedure of conformity assessment in accordance with the established procedure; 
7.2.8. accounting and storage of data carriers, preventing their theft, substitution, unauthorized copying and destruction; 
7.2.9. backing up information for restore capability; 
7.2.10. internal control over compliance with the established procedure, checking the effectiveness of measures taken, responding to incidents; 
7.2.11. checking if there are clauses on ensuring confidentiality and security of personal data in contracts, including, if necessary, clauses on contracts ensuring confidentiality and security of personal data; 
7.2.12. other measures in accordance with the local acts of the IOF.

8. Rights of personal data subjects

8.1. The personal data subject has the right to withdraw consent to the processing of personal data by submitting a relevant request to the IOF, by mail or by applying in person. 

8.2. The personal data subject has the right to to receive information regarding the processing of his/her personal data, including information containing : 
8.2.1. confirmation of the fact of personal data processing; 
8.2.2. legal grounds and purposes of personal data processing; 
8.2.3. purposes and methods of personal data processing applied in IOF; 
8.2.4. name and location of the MOF, information about persons (except for employees) who have access to personal data or to whom personal data may be disclosed on basis of a contract, agreement or on basis of federal law; 
8.2.5. processed personal data related to the respective personal data subject, the source of their obtaining, unless another procedure for submission of such data is provided for by the federal law;
8.2.6. terms of personal data processing, including storage terms. ; 
8.2.7. the procedure for exercising by the personal data subject of the rights provided for by the 152-FZ;
8.2.8. information about realized or about intended cross-border data transfer; 
8.2.9. name or name, surname, first name, patronymic and address of the person who processes personal data on behalf of the IOF, if the processing is or will be entrusted to such a person; 
8.2.10. other information stipulated by 152-FZ or other federal laws. 

8.3. The personal data subject has the right to demand from the IOF to clarify his/her personal data, block or destroy them in case the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by applicable law to protect his/her rights. 

8.4. If the personal data subject believes that the MOF processes his/her personal data with violation of the requirements of the 152-FZ or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal against actions or inaction of the MOF to Roskomnadzor, other authorized supervisory authority or in court. 

8.5. Personal data subject has the right to protection of his/her rights and legitimate interests, including compensation of losses and (or) compensation of moral damage in court. 

9. Roles and responsibilities

9.1. The rights, duties and responsibilities of the IOF shall be determined by applicable law. 

9.2. Responsibility of MOF employees involved in processing of personal data by virtue of functional duties for proper processing and misuse of personal data is established in accordance with the terms of the contract concluded between MOF and the employee, the obligation of non-disclosure of information, local acts of MOF. 

9.3. The control of compliance with the requirements of the IFA Policy is carried out in general case by those responsible for organization of personal data processing, or by separate structural subdivisions and authorized persons in accordance with local acts of specific Companies. 

9.4. The responsibility of persons involved in processing of personal data on basis of the MOF’s instructions for proper processing and misuse of personal data shall be established in accordance with the terms and conditions of the contract concluded between the MOF and the counterparty, the agreement on confidentiality of information or other agreement. 

9.5 In specific cases provided for by applicable law, such as the GDPR or local laws on personal data processing in individual countries, the IOF may appoint representatives in the territories of other countries. In such cases, rights, duties and responsibilities will be allocated in accordance with contracts, agreements between such representatives and the IOF, and contact details for representatives will be included in the Policy. 

9.6. Persons guilty of violating the norms governing the processing and ensuring information security of personal data shall bear material, disciplinary, administrative, civil or criminal liability in accordance with the procedure established by applicable legislation, local acts, agreements of the IOF. 

10. Publication and updating of the Policy

10.1. The Policy is developed by the persons responsible for organization of personal data processing in IOF and put into effect after approval by IOF.

10.2. The Policy is a publicly available document of the IOF and provides for any person to familiarize themselves with its current version, including existing translations into foreign languages, by publishing it on the Internet at   https://vera.art-space.world. 

10.3. Web forms, forms, MOF templates for collection of personal data in obligatorily contain notices to users about processing of personal data in accordance with Policy with reference to it. 

10.4. The policy is in effect indefinitely upon approval and until it is replaced with a new version. MOF has the right to make changes to Policy without notifying any persons. The policy is reviewed annually to keep current and updated as necessary.