Data Policy

Supplement

APPROVED

by MIPT Order No. 2191

of Feb. 6, 2020

Personal Data Processing Policy of MIPT

1. General provisions

1.1. The MIPT Personal Data Processing Policy (“the Policy”) stipulates the basic principles, objectives, conditions, and methods for personal data processing, the lists of data subjects and personal data processed at MIPT, the functions of MIPT regarding personal data processing, the rights of personal data subjects, as well as the requirements for personal data protection followed at MIPT.

1.2. The Policy has been developed with regard to the requirements of the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation related to personal data.

1.3. The Policy provisions serve as the basis for developing the corporate statutory acts that regulate the processing of personal data of MIPT students, employees, and other data subjects.


2. Legislative and other statutory acts of the Russian Federation underlying the Personal Data Processing Policy of MIPT

2.1. The Personal Data Processing Policy of MIPT is based on the following statutory acts:

  • Labor Code of the Russian Federation;
  • Federal Law No. 152-FZ “On Personal Data” of July 27, 2006;
  • Russian Federation Government Resolution No. 1119 “On Approval of the Requirements for Personal Data Protection During Processing via Personal Data Information Systems” of Nov. 1, 2012;
  • Russian Federation Government Resolution No. 687 “On Approval of the Special Provisions Regarding Personal Data Processing Without Automation” of Sept. 15, 2008;
  • Federal Law No. 149-FZ “On Information, Information Technology, and Information Protection” of July 27, 2006;
  • FSTEC of Russia Order No. 21 “On Approving the List and Scope of Planning and Technical Activities for Personal Data Protection During Processing via Personal Data Information Systems” of Feb. 18, 2013;
  • other statutory acts of the Russian Federation and legal documents of authorized government bodies.

2.2. To implement the Policy provisions, MIPT develops relevant corporate statutory acts and other documents, including:

  • Provision on Personal Data Processing at MIPT;
  • Personal Data Processing Regulations of MIPT structural units;
  • Job Descriptions for MIPT employees involved in personal data processing and protection.

3. Basic terms and definitions used in the corporate statutory acts of MIPT related to personal data processing

Personal data denotes any information that directly or indirectly relates to an identified or identifiable individual (personal data subject).

Information refers to any data, details, and messages regardless of their form of presentation.

Operator refers to a state authority, municipal authority, legal or private person organizing and/or performing personal data processing with or without the participation of other entities, as well as defining the aims of personal data processing, the scope of personal data subject to processing, and the actions (operations) performed on personal data.

Personal data processing refers to any action (operation) or set of actions (operations) performed on personal data with or without the use of automation, including the acquisition, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, presentation, granting access), depersonalization, blocking, deletion, and destruction of personal data.

Automated personal data processing refers to the processing of personal data via computers.

Personal data presentation refers to actions that disclose personal data to a particular person or group of persons.

Personal data distribution refers to actions that disclose personal data to an unidentified group of persons.

Personal data blocking refers to a temporary suspension of personal data processing (except where processing is necessary to clarify personal data).

Personal data destruction refers to actions that make it impossible to recover the personal data content from the personal data information system and/or result in the personal data media being destroyed.

Personal data depersonalization refers to actions that make it impossible to identify personal data as related to a certain data subject without using additional information.

Personal data information system refers to the entirety of the personal data contained in the databases, as well as the information technologies and technical means used for their processing.


4. Personal data processing principles and purposes

4.1. MIPT in its capacity as a personal data operator carries out personal data processing for its employees, students, prospective students, graduates, and those applying for vacant positions.

4.2. MIPT carries out data processing with due regard to protecting the rights and freedoms of the data subjects, including protecting the right to privacy, personal and family secrets, based on the following principles:

  • personal data processing at MIPT is carried out on a legitimate and equitable basis;
  • personal data processing is limited to reaching specific predetermined legitimate goals;
  • personal data processing incompatible with the purposes of personal data acquisition is not allowed;
  • combining databases that contain personal data processed for incompatible purposes is not allowed;
  • only the personal data meeting the purposes of their processing may be processed;
  • the scope and amount of personal data conform to the stated purposes of their processing; personal data redundancy in relation to the stated purposes is not allowed;
  • during the processing of personal data, their accuracy, adequacy, and being up-to-date (if necessary) are ensured in relation to the purposes of personal data processing; MIPT makes all reasonable efforts to delete or clarify incomplete or inaccurate personal data;
  • personal data are stored in a form that enables data subject identification for no longer than is required for the purposes of personal data processing, if the personal data retention period is not established by a federal law or an agreement to which the data subject is a party;
  • personal data under processing are deleted or depersonalized once the processing purposes are achieved or once achieving these purposes is no longer necessary, unless otherwise provided by a federal law.

4.3. MIPT processes personal data for the purposes of:

  • complying with the Constitution of the Russian Federation, legislative and other statutory acts of the Russian Federation, and corporate statutory acts of MIPT;
  • exercising the functions, powers, and responsibilities imposed upon MIPT by the Russian legislation, including the presentation of personal data to government authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Mandatory Health Insurance Fund of the Russian Federation, and other state bodies;
  • regulating the labor relations with MIPT employees (assistance in employment, training and career advancement, ensuring personal safety, control over the scope and quality of the work done, safekeeping of property, etc.);
  • carrying out the education process and the admissions at MIPT;
  • protecting the lives, health, or other vital interests of personal data subjects;
  • preparing, signing, executing, and terminating agreements with contracting parties;
  • organizing access control procedures and in-house regime at MIPT facilities;
  • executing court decisions and the acts of other bodies and authorities that are subject to execution in accordance with the Russian enforcement law;
  • exercising the rights and legal interests of MIPT in carrying out activities stipulated by the Articles of Association and other corporate statutory acts of MIPT or with a view to achieving socially desirable goals;
  • other legitimate purposes.


5. List of personal data processed at MIPT

5.1. The list of personal data processed at MIPT is determined in accordance with the Russian legislation and the corporate statutory acts of MIPT, taking into account the personal data processing purposes specified in Section 4.3 of the Policy.

5.2. MIPT does not process special categories of personal data relating to race, ethnicity, political views, religious or philosophical beliefs, and intimate life.


6. Functions of MIPT in personal data processing

6.1. In processing personal data, MIPT:

  • takes measures necessary and sufficient for ensuring compliance with the Russian legislation and the corporate statutory acts related to personal data;
  • establishes legal, planning, and technical procedures to protect personal data from illegal or accidental access, destruction, modification, blocking, copying, presentation, distribution, as well as from other illicit actions in relation to personal data;
  • appoints a person responsible for managing personal data processing at MIPT;
  • issues corporate statutory acts that define the procedures for personal data processing and protection at MIPT;
  • familiarizes the employees of MIPT directly involved in personal data processing with the provisions of the Russian legislation and the corporate statutory acts of MIPT related to personal data, including the requirements for personal data protection, and trains the specified employees;
  • publishes the Policy or otherwise ensures unlimited access to it;
  • informs personal data subjects or their representatives in due course of the availability of personal data related to the subjects concerned, and provides these personal data to the data subjects concerned or their representatives upon request, unless otherwise provided by the Russian legislation;
  • terminates the processing of and destroys personal data where required by the Russian legislation related to personal data;
  • carries out other activities stipulated by the Russian legislation related to personal data.


7. Terms of personal data processing

7.1. Personal data are processed at MIPT with the consent of the data subject to have their personal data processed, unless otherwise provided by the Russian legislation related to personal data.

7.2. MIPT shall not distribute or disclose personal data to third parties without the consent of the data subject, unless otherwise provided by the Russian legislation.

7.3. Access to personal data processed at MIPT is only allowed for the MIPT employees holding positions included in the list of MIPT structural unit positions admitted to personal data processing.


8. Actions with personal data and ways of their processing

8.1. MIPT provides for acquisition, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, presentation, granting access), depersonalization, blocking, deletion, and destruction of personal data.

8.2. Personal data processing at MIPT occurs as:

  • non-automated personal data processing;
  • automated personal data processing with or without further transfer of received information via communication networks;
  • mixed processing of personal data.


9. Rights of personal data subjects

9.1. Personal data subjects are entitled to:

  • receive complete information concerning their personal data processed at MIPT;
  • access their personal data, including copies of any records containing their personal data, unless otherwise provided by the federal law;
  • have their personal data clarified, blocked, or destroyed if the data are incomplete, outdated, inaccurate, illegally obtained, or not essential for the processing purpose declared;
  • revoke the consent to personal data processing;
  • take legal measures to protect their rights;
  • appeal against the action or inaction of MIPT infringing on the requirements of the Russian legislation related to personal data to the body authorized for the protection of personal data subject rights or to a court;
  • exercise other rights provided by the Russian legislation.


10. Actions taken by MIPT to ensure fulfilling the obligations of a personal data operator

10.1. Measures necessary and sufficient to ensure that MIPT fulfills its obligations as operator, which are stipulated by the Russian legislation related to personal data processing, include:

  • appointing a person responsible for organizing personal data processing at MIPT;
  • adopting corporate statutory acts and other regulations related to personal data processing and protection;
  • carrying out methodological work and organizing training for the employees of the MIPT structural units holding positions included in the list of MIPT structural unit positions admitted to personal data processing;
  • obtaining the consent of personal data subjects to the processing of their personal data, unless otherwise provided by the Russian legislation;
  • ensuring the separation of personal data processed without the use of automation from other information, in particular, by confining them to separate personal data media, to special sections;
  • providing separate storage and separate material media for personal data processed for different purposes and containing different categories of personal data;
  • prohibiting the transfer of personal data via open communication channels, computer networks outside the area of MIPT control, and the internet without taking the measures established at MIPT for ensuring personal data security (except for public and/or depersonalized data);
  • storing personal data media in compliance with the conditions that ensure the security of personal data and prevent unauthorized access to them;
  • exercising internal control over the compliance of personal data processing with Federal Law No. 152-FZ “On Personal Data” and the statutory legal regulations adopted in accordance therewith, as well as personal data protection requirements, the Policy, and the corporate statutory acts of MIPT;
  • taking other measures stipulated by the Russian legislation related to personal data.

10.2. Measures for ensuring the security of personal data during processing in personal data information systems are established in accordance with the corporate regulations of MIPT that pertain to ensuring the security of personal data during processing in the personal data information systems of MIPT.


11. Control over the compliance with the Russian legislation and the corporate statutory acts of MIPT related to personal data, including personal data protection requirements

11.1. The control over the compliance of MIPT structural units with the Russian legislation and the corporate statutory acts of MIPT related to personal data, including the requirements for personal data protection, is carried out in order to check the compliance of personal data processing in MIPT structural units with the Russian legislation and the corporate statutory acts of MIPT related to personal data, including the requirements for personal data protection, as well as the measures taken to prevent and detect violations of the Russian legislation related to personal data, identify possible channels of leakage and unauthorized access to personal data, and eliminate the consequences of such violations.

11.2. The internal control over the compliance of MIPT structural units with the Russian legislation and the corporate statutory acts of MIPT related to personal data, including the requirements for personal data protection, is carried out by the person responsible for organizing personal data processing at MIPT.

11.3. Personal responsibility for the compliance of MIPT structural units with the requirements of the Russian legislation and the corporate statutory acts of MIPT related to personal data, as well as for ensuring the confidentiality and security of personal data in the said units of MIPT is assigned to their respective managers.