Approved

President of IT Innovations Fund

__________________ (I.E. Kalashnikova)

Order number 20-U

dated March 01, 2019

POLICY

of IT Innovations Fund

in relation to the processing of personal data

Saint-Petersburg, Russia

2019

GENERAL PROVISIONS

1.1 This new version of the Policy on the processing of personal data of IT Innovations Fund (TIN 7813292056) (hereinafter referred to as the “Policy”) was developed in accordance with the requirements of the Federal Law of the Russian Federation No. 152 from July 27, 2006 “On Personal Data” (as amended by the Federal Law of 31.12.2017 No. 498) (hereinafter - the “Federal Law”), and approved by the Order of the President of IT Innovations Fund from March 01, 2019 No. 20-U.

1.2. The purpose of the Policy is to ensure the protection of the rights and freedoms of a person and a citizen in the processing of his personal data by IT Innovations Fund (hereinafter referred to as the “Fund” or “Operator”), including the protection of privacy rights, personal and family secrets.

1.3. Main terms used in the Policy:

personal data - any information relating to a directly or indirectly determined or designated individual (subject of personal data);
personal data operator (operator) - a state body, municipal body, legal or natural person, organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, independently or together with other persons, actions (operations) performed with personal data;
personal data processing - any action (operation) or set of actions (operations) performed using automation means or without using such means with personal data. The processing of personal data includes: collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;
automated processing of personal data - processing of personal data using computer equipment;
distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data - actions aimed at disclosing personal data to a specific person or a certain circle of persons;
personal data blocking - temporary suspension of personal data processing (unless it is necessary to process personal data);
destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;
de-identification of personal data - actions, as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data;
personal data information system - a set of personal data contained in databases and information technologies and technical means ensuring their processing;
cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, foreign natural person or foreign legal entity.
Fund’s information portal (Portal) - information resource on the Internet, located at: www.gotech.vc, www.techscout.vc .

1.4. Basic responsibilities of the Operator

The operator must:

- provide the subject of personal data with information concerning the processing of his personal data upon his request or legally provide a refusal;

at the request of the subject of personal data specify the processed personal data, block or delete, if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
keep a Register of requests for personal data subjects, in which the requests of personal data subjects to receive personal data should be recorded, as well as the facts of providing personal data on these requests;
to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation, except for the cases provided for by paragraph 2, 3, 4, 8, part 1 of art. 6 of the Federal Law;
notify the subject of personal data about the processing of personal data in the event that personal data were not obtained from the subject of personal data;
in the event that the goal of processing personal data is achieved, immediately stop processing personal data and destroy the relevant personal data for a period not exceeding 30 days from the date of the goal of processing personal data, unless otherwise provided by federal laws, and notify the subject of personal data or his legal representative, and if the appeal or request was sent to the authorized body for the protection of the rights of personal data subjects, also notify the specified body;
in the event that the subject of the personal data revokes the consent to the processing of his personal data, stop processing the personal data and destroy the personal data within a period not exceeding 30 days from the date of receipt of the specified recall;
notify the subject of personal data about the destruction of his personal data;
in the event that the subject of personal data requests the termination of the processing of his personal data in order to promote the Fund’s services on the market or fulfill the Fund’s obligations under civil law contracts, immediately stop processing personal data.

1.5. Basic rights of the subjects of personal data:

The subject of personal data has the right to:

decide on the provision of his personal data to the Operator;
withdraw consent to the processing of their personal data;
enter, add or change the processed personal data;
require the exclusion of their personal data from publicly available sources of personal data;
to receive information concerning the processing of his personal data, including the information containing:
confirmation of the fact of personal data processing by the Operator;
legal grounds and purposes for the processing of personal data;
objectives and methods of personal data processing applied by the Operator;
the name and location of the Operator, information about persons (except for Operator’s employees) who have access to personal data or who may disclose personal data on the basis of an agreement with an operator or on the basis of Federal Law;
processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for the provision of such data is provided for by Federal Law;
terms of personal data processing, including the periods of their storage;
the procedure for the subject of personal data to exercise the rights provided for by the Federal Law;
information on completed or intended cross-border data transfer;
name or full name, address of the person who processes personal data on behalf of the Operator, if processing is entrusted to or will be entrusted to such person;
other information stipulated by the Federal Law or other federal laws of the Russian Federation;
appeal against the Operator’s actions or inaction to the Authorized Body for the Protection of the Rights of Personal Data Subjects or in court if the Personal Data Subject believes that the Operator processes its personal data in violation of the requirements of the Federal Law or otherwise violates its rights and freedoms;
to protect their rights and legitimate interests, including damages and (or) compensation for non-pecuniary damage.

2. PURPOSE OF PERSONAL DATA COLLECTION

2.1. The Fund collects and stores personal data of employees, visitors to the Portal, including participants in contests, pitch sessions and other events organized and held by the Fund, representatives of legal entities, Fund employees or applicants for filling vacant positions of the Fund, as well as personal data of other personal subjects data received from counterparties of the Fund, necessary for the execution of agreements or treaties to which or on which the beneficiary is the subject of personal data.

2.2. The Fund carries out the processing of personal data in order to:

execute the organization and holding of exhibitions, conferences, congresses, competitions and other events for the support and development of innovations (hereinafter referred to as “Events”);
disseminate information aimed at drawing attention to the Events held in accordance with the objectives of the Fund, as well as dissemination of information about the sponsors of these Events;
gather information about potential participants / participants and experts of the Events, determine the compliance of potential participants / participants of the Events with the stated requirements, provisions for the relevant Event;
communicate with employees, representatives of counterparties, potential participants / participants, experts of the Event by e-mail, telephone, address of residence;
determine the winners of the competition, organization of the accommodation and travel, award the winners of the competition, publish lists of winners and nominees of the competitions, as well as participants of the Events in the public domain;
execute the formation of a data bank of potential participants / participants of the Events;
promote Fund’s services on the market through direct contacts with the subjects of personal data, including informing about the events held (invitation to the Events);
execute the implementation of joint activities with counterparties of the Fund of Events and projects;
execute payment of taxes and fees,
order conclusion, execution and termination of contracts;
identificate the party by the concluded transactions;
send notifications, information and requests related to the implementation of the Funds of activities stipulated by the Charter of the Fund, as well as the fulfillment of obligations under the concluded contracts;
fulfill the goals set out in the Charter of the Fund;
fulfill the terms of employment contracts, the exercise of the rights and obligations of the Employer in accordance with the labor legislation, the maintenance of personnel records management;
organize travel and business trips;
record information in documents reflecting the activities of the Fund;
post information about the composition and activities of the Fund on the Portal;
fulfil the consideration of the resume of applicants for vacant positions of the Fund and make decisions on the possibility of concluding an employment contract with them;
execute accounting and tax accounting services, the formation, production, timely submission of accounting, tax, statistical reports.

2.3. The collection of personal data of potential participants / participants of the Events through the Portal is carried out by self-filling the personal information field on the Portal with the relevant subject, including when he completes a contact form for filing an application for registration at the Event, and entering data about his last name, first name and patronymic (if available), age, contact phone number, e-mail address, place of work and position, information about education, address locations of work and place of residence, information on accounts in social networks, information about interests, information about membership in clubs, associations and unions.

The collection of personal data of other subjects of personal data provided for in this Policy is carried out in direct interaction with the relevant subject of personal data.

3. LEGAL BASIS OF PERSONAL DATA PROCESSING

The Fund processes the personal data of the subjects guided by:

Constitution of the Russian Federation,
Labor Code of the Russian Federation, Civil Code of the Russian Federation, Tax Code of the Russian Federation, Federal Law, Federal Law from January 12, 1996 No. 7 “On Non-Profit Organizations”, Federal Law from July 24, 2009 No. 212 “On Insurance Contributions to Pension Fund of the Russian Federation, Social Insurance Fund, Federal Compulsory Medical Insurance Fund and Territorial Compulsory Medical Insurance Funds ”, Federal Law“ On Mandatory Pension Insurance in the Russian Federation ”No. 167 from December 15, 2001, and adopted regulations governing relations associated with the activities of the Fund;
Federal Law from July 27, 2006 No. 149 “On Information, Information Technologies and Information Protection”;
Decree of the President of the Russian Federation from March 6, 1997 No. 188 “On Approval of the List of Confidential Information”;
Decree of the Government of the Russian Federation from September 15, 2008 No. 687 “On Approval of the Regulation on Peculiarities of Processing Personal Data Performed Without the Use of Automation Tools”;
Decree of the Government of the Russian Federation from November 01, 2012 No. 1119 “On approval of requirements for the protection of personal data when they are processed in personal data information systems”;
Order of Roskomnadzor from September 05, 2013 No. 996 “On approval of requirements and methods for depersonalization of personal data”;
Order No. 21 of the FSTEC of Russia from February 18, 2013 “On Approving the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data During Their Processing in Personal Data Information Systems”;
Chapter of the Fund;
treaties and agreements to which the beneficiary and (or) the guarantor of which is the subject of personal data;
the consent to the processing of personal data.

4. VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS

4.1. The Fund processes personal data of the following categories of subjects:

persons who have a civil legal nature of contractual relations with the Fund, or who are at the stage of pre-contractual or fulfilled relations of a similar nature;
partners, counterparties, potential counterparties, potential partners, representatives of counterparties-legal entities and individuals-counterparties of the Fund, including personal data of managers, participants (shareholders) and / or their employees, necessary for the Fund to fulfill its obligations under contractual relations with by specified persons and to fulfill the requirements of the legislation of the Russian Federation;
individuals - potential participants / participants of events organized and held by the Fund, both consisting of and non-civil law relations with the Fund;
representatives of potential participants / participants of events organized and conducted by the Fund;
Fund employees;
candidates for vacant positions of the Fund;
relatives (minor children) of the Fund employees in the minimum amount provided for by the current legislation;
users of the Portal and other persons whose processing of personal data is necessary for the Fund in order to achieve the objectives specified in section 2 of this Policy.

4.2. The Fund processes personal data in the following categories and in the following scope:

personal data that the counterparty-individual or a representative of a counterparty (including an individual participant participating in events organized and conducted by the Fund), who is in civil law relations with the Fund, provides the Fund during negotiations, transactions and transactions with : personal data of the subject specified in the document certifying the identity of the corresponding subject of personal data (surname, name, patronymic (if available), date and place of birth, number and date of issue of the document ID, the body that issued the identity document, address of registration at the place of residence, information about education, place of work and position held, information about accounts in social networks, information about interests, information about membership in clubs, associations, unions, numbers contact numbers, email address);
personal data of the Fund's employees in the amount stipulated by the current labor legislation (last name, first name, patronymic (if any), date and place of birth, information about education and specialty, series number of the main identity document, information about the date of issue of the specified document and issuing body, information about the position held, information about the place of residence (stay), telephone, information about the composition of the family, information about labor and general experience, information about military registration (if available), information on wages and social benefits, information contained in the insurance certificate of compulsory pension insurance and a certificate of registration with the tax authority of an individual at the place of residence in the Russian Federation, the content of the employment contract, the content of tax declarations, originals and copies of orders on personnel , personal affairs, personal cards (form T-2), employment records of employees, cases containing materials on advanced training, retraining of employees, their certification, cases on official investigations, as well as other information determined in accordance with the legislation of the Russian Federation and local regulations of the Fund;
personal data of candidates for vacant positions of the Fund (personal data contained in a passport or other document proving identity, personal data provided by candidates to the resume for vacancies of the Fund;
personal data of relatives (minor children) of the Fund’s employees (last name, first name, patronymic (if any), date and place of birth, series and number of birth certificate or main identity document, information about the date of issue of the said document and issuing authority),
personal data of individuals - potential participants / participants of events organized and held by the Fund, who are not in civil law relations with the Fund, as well as representatives of potential participants / participants of events organized and held by the Fund provide personal data to the Fund when filling out information fields on the Portal, including when completing the contact form to submit an application for registration to the Events. The personal data of the subjects of personal data collection received over the Internet and processed by the Fund includes data on: last name, first name, patronymic (if available), age, contact telephone number, e-mail address, place of work and position, educational information, address of the location of work and place of residence, information about accounts in social networks, information about interests, information about membership in clubs, associations and unions;
personal data and other information contained in messages that the subject of personal data sends to the Fund;
technical data that is automatically transmitted by the device through which the personal data subject uses the Portal, including the technical characteristics of the device, the IP address, information stored in cookies that were sent to the personal data subject device, browser information, date and time of access to the Portal, addresses of the requested pages and other similar information.
Special categories of personal data are not processed by the Fund.

5. ORDER AND TERMS OF PROCESSING OF PERSONAL DATA

5.1. The Fund carries out the processing of personal data in the presence of at least one of the following conditions:

the processing of personal data is carried out with the consent of the Personal Data Subject to the processing of his personal data;
the processing of personal data of the Subject is necessary to achieve the goals stipulated by the international agreement of the Russian Federation or the law, to perform the functions, powers and duties assigned to the Fund by the legislation of the Russian Federation;
the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
processing of personal data is necessary for the execution of the contract, of which either the beneficiary or the guarantor for which is the Personal Data Subject, as well as for the conclusion of the contract on the initiative of the Personal Data Subject or the contract for which the Personal Data Subject is the beneficiary or guarantor;
the processing of personal data is necessary to protect the life, health or other vital interests of the Subject, and at the same time, the consent of the Subject is impossible;
the processing of personal data is necessary for the exercise of the rights and legitimate interests of the Fund or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the subject of personal data;
processing of personal data is carried out, access of an unlimited number of persons to which is provided by the Personal Data Subject or at his request (hereinafter - publicly available personal data);
the processing of personal data is subject to publication or mandatory disclosure in accordance with Federal Law;

5.2. When processing of personal data is being executed by the Fund, confidentiality of personal data is respected: personal data is not disclosed to third parties, is not otherwise distributed without the consent of the Personal Data Subject, except as required by the current legislation of the Russian Federation.
The inclusion by the Fund of personal data of the Subjects in publicly accessible sources of personal data is possible only if there are requirements of federal legislation, or if the Subject of personal data is obtained.

5.3. The Fund does not process special categories of personal data relating to race, nationality, political views, religious and philosophical beliefs, health status, intimate life of personal data subjects.
5.4. Biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established and which are used by the Fund to identify the identity of the subject of personal data) is not processed by the Fund.

5.5. The Fund collects, records, organizes, accumulates, stores, refines (updates, changes), retrieves, uses, transfers (distributes, provides, accesses), remodel, blocks, deletes and destroys personal data.

5.6. The processing of personal data by the Fund is carried out in the following ways:

non-automated processing of personal data;
automated processing of personal data with or without transferring the information received through information and telecommunication networks;
mixed processing of personal data.

5.7. The Fund has the right to entrust the processing of personal data to another person only with the consent of the Personal Data Subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person (hereinafter referred to as the Fund’s instructions). At the same time, the Fund obliges the person who performs the processing of personal data on behalf of, to comply with the principles and rules for the processing of personal data provided for by federal law. In the event that the Fund entrusts the processing of personal data to another person, the responsibility to the subject of personal data for the actions of the said person lies with the Fund. The person who processes personal data on behalf of the Fund is responsible to the Fund.

5.8. The provision of the processed personal data by the Fund is carried out in accordance with the legislation of the Russian Federation:

Federal Tax Service;
Pension fund of the Russian Federation;
The Federal Fund for Mandatory Medical Insurance;
The Federal Service for Labor and Employment;
Military Commissariat of the Ministry of Defense of the Russian Federation.

5.8.1. In order to fulfill the Fund's civil liabilities, it is intended to carry out cross-border transfer of personal data to individuals-participants (representatives of participating organizations) of Events organized and conducted by the Fund on the basis of transactions, of which (the Customer) is a foreign legal entity.Cross-border transfer of personal data is carried out in order to select candidates for passing the relevant stage of the Event, as well as to determine the winner of the relevant Event. Cross-border transmission can be made in respect of personal data provided to the Fund when the Personal Data Subjects fill out information fields on the Portal, including when filling out a contact form, as well as submitting an application for registration to participate in the Events. The composition of such personal data includes data on: surname, name, patronymic (if available), age, contact telephone number, e-mail address, place of work and position held, information about education, address of work location and place of residence, account information in social networks, information about interests, information about membership in clubs, associations and unions.
In the case of a cross-border transfer of personal data by a person who received personal data, they are collected, recorded, organized, accumulated, stored, updated (modified, modified), used, deleted and destroyed personal data.

Prior to the commencement of the cross-border transfer of personal data, the Fund is obliged to ensure that the foreign state, to the territory of which the transfer of personal data is carried out, ensures adequate protection of the rights of personal data subjects.

Cross-border transfer of personal data on the territory of foreign countries that do not provide adequate protection of the rights of personal data subjects may be carried out by the Fund in the following cases:

the consent in writing of the subject of personal data on the cross-border transfer of his personal data;
execution of the contract to which the subject of personal data is a party.

5.9. The Fund has the right to transfer personal data to bodies of inquiry and investigation, other authorized bodies on the grounds stipulated by the legislation of the Russian Federation.
5.10. Access to processed personal data is provided only to those employees of the Fund who need it in connection with the performance of their official duties and in compliance with the principles of personal responsibility.

5.11. The Fund provides separate storage of personal data and their material carriers, which are processed for different purposes and which contain different categories of personal data.

5.12. The processing of personal data by the Fund is terminated in the following cases:

upon the occurrence of conditions for the termination of the processing of personal data or upon the expiration of the established deadlines;
on achieving the goals of their processing or in case of loss of the need to achieve these goals;
at the request of the subject of personal data, if the personal data being processed are unlawfully obtained or not necessary for the stated purpose of processing;
in case of unlawful processing of personal data, if it is impossible to ensure the legality of processing;
upon expiration of the consent of the subject of personal data to the processing of personal data or in the case of the withdrawal of personal data by the subject of such consent, unless there are other legal grounds for the processing of personal data provided for by the legislation of the Russian Federation;
in case of liquidation of the Fund.

5.13. Personal data, the processing time (storage) of which has expired, must be destroyed, unless otherwise provided by federal law. Storage of personal data after the termination of their processing is allowed only after their anonymization.

When storing personal data, the Fund is obliged to ensure the use of databases located on the territory of the Russian Federation, except for the cases provided for in paragraph 2, 3, 4, 8, part 1 of art. 6 of the Federal Law.

The retention period for personal data is:

personal data contained in the personal cards of employees (Form T-2) - for 75 years after the termination of the employment contract;
personal data contained in the settlement (settlement and payment) statements - 5 years from the date of issuance of the relevant document;
personal data of the accounting books of the deposited wages, writs registration logs - 5 years from the date of issuance of the relevant document;
personal data contained in certificates submitted to the accounting department for payment of study leave, receipt of tax exemptions and others - until the need is eliminated;
personal data of candidates for vacant positions - 6 months from the date of the negative decision;
personal data received in connection with the conclusion and execution of contracts, agreements (civil law, labor and others) - 5 years from the date of execution, termination of the relevant agreement (contract);
personal data specified in the consent to the processing of personal data - within 24 months from the date of the end of the relevant event, the offer of participation in which was accepted by the potential participant / participant of the Event.

5.14. The rules for working with personal data and their material carriers without the use of automation tools are defined in accordance with the “Provision on peculiarities of personal data processing carried out without the use of automation tools”, Decree of the Government of the Russian Federation from February 15, 2008 No. 687.

The processing of personal data of the Personal Data Subject is considered implemented without the use of automation tools, if such actions with personal data, such as use, clarification, distribution, destruction of personal data in relation to each of the personal data subjects, are carried out with the direct participation of a person. A document containing personal data is a tangible medium with information recorded in it in any form containing personal data in the form of text (or) their combination.
5.14.1. The processing of personal data is carried out in respect of personal data and must be separated from other information by fixing them on separate material carriers, in special sections or in the form fields.

When recording personal data on tangible media, it is not allowed to record personal data on one tangible medium, the processing purposes of which are not compatible. Standard forms of documents should be designed in such a way that each of the subjects of personal data contained in the document has the opportunity to get acquainted with their personal data contained in the document without violating the rights and legitimate interests of other subjects of personal data.
Documents containing personal data are stored in cabinets locked with a key.

5.14.2. When working with documents containing personal data, an employee of the Fund is obliged to exclude the possibility of familiarization, viewing of these documents by other persons who are not authorized to work with them. When transferring documents containing personal data outside the Fund for business purposes, the Fund employee must take all possible measures to prevent the loss (loss, theft) of such documents.

When working with personal data of personal data subjects, as well as with their carriers, the Fund:

limits the number of employees allowed to work with specific personal data;
performs work with personal data carriers in special dedicated premises.

6. ACTUALIZATION, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS OF PERSONAL DATA.

6.1. In the event of confirmation of the fact of inaccuracy of personal data or the illegality of their processing, personal data are subject to updating by the Fund and processing must be terminated, respectively.
6.2. The Fund provides the subject of personal data or his legal representative information relating to the processing of his personal data, withdrawal of consent and access of the subject of personal data to his data, on the relevant request or request of the subject of personal data or his legal representative.

6.3 The information is provided in an accessible form and does not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosing such personal data.

6.4 The request of the subject of personal data to receive information concerning the processing of his personal data by the Fund must contain:

information confirming the participation of the subject of personal data in relations with the Fund, or information otherwise confirming the fact of the processing of personal data by the Fund;
the signature of the subject of personal data or his legal representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

6.5. The Fund considers the appeal of the subject of personal data and provides an answer to it within 30 days from the date of receipt of the corresponding request in a form similar to the form of the received request.

6.6. When achieving the purposes of processing personal data, as well as in the case of a withdrawal by the subject of personal data of consent for their processing, personal data are subject to destruction, in the terms established by the legislation of the Russian Federation

unless otherwise provided by the contract to which the subject of personal data is a party;
unless otherwise provided by another agreement between the Fund and the subject of personal data.
if the Fund is not entitled to process without the consent of the subject of personal data on the grounds provided for by the Federal Law "On Personal Data" or other federal laws.

6.7. Destruction at the end of the processing of personal data on electronic media is carried out by mechanical violation of the integrity of the media, which does not allow reading or restoring personal data, or by removing electronic media from electronic media using methods and means of guaranteed removal of residual information.

6.8. Destruction at the end of the processing of personal data on paper media is carried out by grinding into small parts using a Schröder, which eliminates the possibility of subsequent recovery of information.

6.9. The rules for processing requests for a personal data subject or an authorized body for the protection of the rights of personal data subjects are the Annex to this Policy and its integral part.

7. FINAL PROVISIONS

7.1. This Policy may be revised in the event of changes in the norms of the current legislation of the Russian Federation, processes and methods for processing personal data, categories of personal data subjects, as well as goals for processing personal data.

7.2. All employees of the Company must be familiar with this Policy.

7.3. In order to ensure unrestricted access to this Policy, it is subject to publication - posting on the Fund Portal.

Contact Us Tell us about yourself and we will be in touch with you within 24 hours.

Contact Us
Tell us about yourself and we will be in touch with you within 24 hours.