Personal Data Processing Policy

1. General provisions

1.1. This Personal Data Processing Policy (hereinafter the Policy) of Think BRICS Media (individual entrepreneur Golyakova Anastasia Nikolaevna) (hereinafter the Operator) defines the principles, purposes, conditions, timeframe, and methods of the processing of personal data, the list of personal data subjects, the list of personal data to be processed, the list of actions performed with personal data, the rights of personal data subjects, measures to monitor compliance with the legal requirements of the Russian Federation regarding the processing of personal data, as well as the measures taken to protect personal data.
1.2. The Policy applies to all information that the Operator may receive about visitors of website https://thinkbrics.world/.
1.3. The Policy was prepared taking into account the requirements of the Constitution of the Russian Federation, as well as legislative and other regulatory legal acts of the Russian Federation concerning personal data.

2. Key terms and definitions

2.1. The following terms and definitions are used in this Policy:
Automated processing of personal data refers to the processing of personal data using computer technology.
Blocking of personal data refers to the temporary cessation of the processing of personal data (except in cases when processing is essential to clarify personal data).
Personal data information system refers to the set of personal data contained in databases and the information technologies and technical means used for its processing.
Information refers to data (messages) regardless of the form of its presentation.
Depersonalization of personal data refers to actions that make it impossible to determine the ownership of personal data by a specific personal data subject without the use of additional information.
Processing of personal data refers to any action (operation) or set of actions (operations) performed with or without automation tools with personal data, including the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of personal data.
Operator refers to a legal entity, or individual, who organizes and/or performs the processing of personal data independently or jointly with other entities and also determines the purposes of the processing of personal data and the scope of personal data subject to processing and the actions (operations) performed with personal data.
Personal data refers to any information related to a directly or indirectly defined or definable individual (personal data subject).
Personal data permitted for distribution by a personal data subject refers to personal data to which a personal data subject has provided access to an unlimited number of persons by granting consent to the processing of personal data permitted by the personal data subject for distribution in the manner prescribed by the existing laws of the Russian Federation.
Provision of personal data refers to actions that aim to disclose personal data to a specific person or a specific group of persons.
Distribution of personal data refers to actions that aim to disclose personal data to an unspecified group of persons.
Cross-border transmission of personal data refers to the transmission of personal data to the territory of a foreign state to a foreign government body, foreign individual, or foreign legal entity.
Destruction of personal data refers to actions that make it impossible to restore the content of personal data in a personal data information system and/or destroy the tangible carriers of personal data.

3. Legal grounds for the processing of personal data

3.1. This Policy was prepared in accordance with the following regulatory legal acts:
− Constitution of the Russian Federation
− Civil Code of the Russian Federation
− Federal Law No. 152-FZ dated 27 July 2006 ‘On Personal Data’
− Other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies.

4. Processing of personal data

4.1. Purposes and principles of the processing of personal data
4.1.1. Personal data is processed for the following purposes:
− To ensure compliance with the Constitution of the Russian Federation, legislative and other regulatory legal acts of the Russian Federation, and the in-house regulations of the Operator
− To directly engage with personal data subjects using communication tools, including electronic communication tools, in order to provide them with information by sending emails and/or another manner about issues concerning participation in events organized and/or held by the Operator and/or its partners, including the new products, services, and special offers
− To conduct statistical research, surveys, expert examinations, and questionnaires
− To create reference materials for the internal information support of the Operator’s activities
− To inform by sending email newsletters
− For other legal purposes
4.1.2. The Operator processes personal data based on the following principles:
− Personal data is processed on a lawful and fair basis
− The processing of personal data is limited to achieving specific, predetermined, and lawful goals
− Personal data may not be processed in a manner that is incompatible with the purposes of collecting personal data
− Databases containing personal data that is processed for purposes that are incompatible with each other may not be combined
− Only personal data that is consistent with the purposes of its processing may be processed
− The content and volume of personal data being processed must correspond to the stated purposes of processing and no redundancy of personal data is permitted with respect to the stated purposes of its processing
− When processing personal data, it is essential to ensure the accuracy of the personal data, as well as its sufficiency and, where necessary, relevance with respect to the purposes of its processing. The Operator shall take or ensure the adoption of the necessary measures to delete or clarify incomplete or inaccurate personal data
− Personal data shall be stored in a form that makes it possible to identify the subject of the personal data for a period no longer than that needed for the purposes of processing the personal data, unless the personal data storage period is stipulated by federal law or an agreement to which the subject of the personal data is a party, beneficiary, or guarantor
− Personal data that has been processed shall be destroyed or depersonalized once the purposes of its processing have been achieved or in the event there is no longer any need to achieve these purposes, unless otherwise stipulated by federal law
− Personal data shall not be disclosed to third parties or distributed without the consent of the personal data subject, unless otherwise stipulated by federal law
4.2. List of subjects whose personal data is processed by the Operator
4.2.1. The Operator processes the personal data of the following categories of personal data subjects:
− visitors of website https://thinkbrics.world/
4.3. List of personal data processed by the Operator
4.3.1. The list of personal data processed by the Operator is determined based on the laws of the Russian Federation and the Operator’s in-house regulations, taking into account the purposes of processing personal data specified in clause 4.1.1 of the Policy.
4.3.2. The Operator does not process any special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, or intimate life.
4.3.3. The Operator may only process biometric personal data with the written consent of the personal data subject, except for cases stipulated by the laws of the Russian Federation.
4.3.4. The Operator only processes personal data that the personal subject data has permitted to be distributed with the individual consent of the personal data subject for distribution in compliance with the prohibitions and conditions for the processing of personal data stipulated by the personal data subject.
4.4. List of actions performed with personal data and methods of its processing
4.4.1. The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes, and destroys personal data.
4.4.2. The Operator processes personal data in the following ways:
− Non-automated processing of personal data
− Automated processing of personal data with or without the transmission of the information obtained via information and telecommunications networks
− Mixed processing of personal data
4.4.3. Personal data is not transmitted across borders.
4.5. Conditions for the processing of personal data
4.5.1. The Operator processes personal data with the personal data subject’s consent to the processing of his/her personal data, unless otherwise stipulated by applicable law.
4.5.2. The Operator may entrust the processing of personal data to another entity with the consent of the personal data subject, unless otherwise stipulated by federal law, based on an agreement concluded with this person (hereinafter the operator’s instructions). The operator’s instructions specify the list of actions (operations) with personal data that will be performed by the person processing personal data based on the instructions and the purposes of its processing, establish the obligation of such person to maintain the confidentiality of the personal data, ensure the security of the personal data during its processing, and specify the requirements for the protection of the personal data that is being processed in accordance with Article 19 of the Federal Law ‘On Personal Data’.
4.5.3. Personal data shall be processed until the purposes of its processing are achieved, unless the personal data processing period is established by federal law or an agreement to which the personal data subject is a party, beneficiary, or guarantor.
4.5.4. Personal data shall be processed by the Operator or the Operator’s employees whose job responsibilities include processing personal data, after an agreement has been signed to maintain the confidentiality of the personal data and following the review of the legislative provisions of the Russian Federation and the Operator’s in-house regulations concerning personal data, including the requirements for the protection of personal data.
4.5.5. When taking decisions that affect the interests of the personal data subject, the Operator may not rely on personal data obtained solely as a result of their automated processing.

5. Rights of personal data subjects

5.1. Personal data subjects are entitled to:
− Receive full information about their personal data that is being processed by the Operator
− Access their personal data, including the right to receive a copy of any record containing their personal data, except for cases stipulated by federal law
− Update, block, or destroy their personal data based on an application if it is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing
− Revoke consent to the processing of their personal data
− Take measures stipulated by law to protect their rights
− Appeal the Operator’s actions or inaction that were performed in violation of the requirements of the laws of the Russian Federation concerning personal data with the authorized body for the protection of the rights of personal data subjects or with a court
− Exercise other rights stipulated by applicable law
5.2. The rights of personal data subjects to access their personal data may be limited in accordance with federal laws, including if the personal data subject’s access to his/her personal data violates the rights and legitimate interests of third parties.
5.3. The personal data subject may decline informational messages at any time by sending an email to contact@thinkbrics.world with the subject line «Refusal to receive notifications about new products, services, special offers, newsletters».
5.4. The personal data subject may revoke consent it has previously given to the processing of personal data at any time by personally contacting or sending a written request in electronic form to contact@thinkbrics.world.

6. Protection of personal data

6.1. The Operator takes the following key to ensure the security of personal data:
6.1.1. The security of personal data is ensured during its processing by preventing any unauthorized, including accidental, access to the personal data, which may result in the destruction, modification, blocking, copying, or distribution of the personal data, as well as any other unauthorized actions with the personal data.
6.1.2. Measures to ensure the security of personal data are determined taking into account the possible emergence of threats to the vital interests of the individual, society, and the country.
6.2. Measures taken by the Operator to ensure that the operator fulfils its obligations when processing personal data:
6.2.1. The Operator takes legal, organizational, and technical measures to protect personal data against any unauthorized or accidental access, destruction, modification, blocking, copying, provision, or distribution of the personal data, as well as any other illegal actions with respect to the personal data
6.2.2. As stipulated by the laws of the Russian Federation concerning personal data regulations concerning personal data, the measures that areessential and sufficient to ensure that the Operator fulfils its obligations as an operator include:
− Appointing a person responsible for organizing the processing of personal data at the Operator
− Adopting in-house regulations and other documents concerning the processing and protection of personal data
− Publishing or otherwise ensuring unrestricted access to the Policy
− Ensuring the Operator’s employees who are directly involved in the processing of personal data are familiar with the legislative provisions of the Russian Federation and the Operator’s in-house regulations concerning personal data, including the requirements for the protection of personal data
− Obtaining consent from personal data subjects for the processing of their personal data, except for cases stipulated by the laws of the Russian Federation
− Separating personal data processed without automation tools from other information, in particular by recording it on separate tangible personal data carriers and in special sections
− Ensuring the separate storage of personal data and its tangible carriers that are processed for different purposes and contain different categories of personal data
− Ensuring the security of personal data when transmitting it via open communication channels;
− Storing tangible media with data in conditions that ensure the safeguarding of the personal data and prevent unauthorized access to it
− Conducting internal monitoring to ensure that the processing of personal data complies with the Federal Law ‘On Personal Data’, regulatory legal acts adopted in accordance therewith, the requirements for the protection of personal data, this Policy, and the Operator’s in-house regulations
− Providing information in the prescribed manner to personal data subjects or their representatives about the existence of personal data concerning the relevant subjects and providing them with an opportunity to review this personal data upon request, unless otherwise stipulated by the laws of the Russian Federation
− Ceasing the processing of personal data and destroying it in cases stipulated by the laws of the Russian Federation concerning personal data
− Taking other measures stipulated by the laws of the Russian Federation concerning personal data
6.2.3. The measures taken to ensure the security of personal data when it is processed in personal data information systems are established in accordance with the Operator’s inhouse regulations concerning the security of personal data when it is processed in such systems.

7. Monitoring compliance with the laws of the Russian Federation and the Operator’s in-house regulations concerning personal data, including requirements for the protection of personal data

7.1. Compliance with the legislative requirements of the Russian Federation and the Operator’s in-house regulations concerning personal data, including requirements for the protection of personal data, is monitored for the purpose of:
− Verifying that the processing of personal data complies with these requirements;
− Verifying that the measures taken to protect personal data comply with these requirements
− Taking measures to prevent and identify violations of the laws of the Russian Federation concerning personal data, identify any possible channels used to leak or provide unauthorized access to personal data, and mitigate the aftermath of such violations.
7.2. Internal monitoring of compliance with the legislative requirements of the Russian Federation and the Operator’s in-house regulations concerning personal data, including requirements for the protection of personal data, is performed by the person responsible for organizing the processing of personal data at the Operator.