1. Basic Terms
1.1. “Personal data” means any information related, directly or indirectly, to an identified or identifiable natural person (personal data subject).
1.2. “Operator” means the Directorate for Sports and Social Projects that ensures and carries out the processing of personal data and determines the purposes of personal data processing, the contents of personal data to be processed and operations to be performed upon personal data.
1.3. “Personal data processing” means any operation or set of operations performed upon personal data, whether or not by automated means, including personal data collection, recording, organisation, accumulation, storage, adjustment (updating, alteration) retrieval, use, disclosure by transmission (dissemination or making available otherwise), anonymisation, blocking, erasure or destruction.
1.4. “Automated processing of personal data” means the processing of personal data by means of computers.
1.5. “Personal data information system” means a set of personal data contained in databases of personal data as well as information technologies and hardware allowing the processing of such personal data.
2. General
2.1. This Policy of the Directorate for Sports and Social Projects with related to personal data processing and implementation of personal data protection requirements (hereinafter referred to as the “Policy”) is designed to ensure the compliance of personal data processing with the requirements of the federal legislation and their protection against unauthorised access and disclosure.
2.2. This Policy applies to information relating, directly or indirectly, to an identified or identifiable natural person (personal data subject).
2.3. The categories of subjects of personal data processed by the Operator are as follows:
– employees of the Operator; citizens filing a request, complaint or application with the Operator; athletes and participants of any events organised by the Operator pursuant to relevant directives and orders of the government authorities of the Republic of Tatarstan and the Russian Federation.
2.4. The list of personal data processed by the Operator is determined pursuant to the legislation of the Russian Federation and local regulations issued by the Directorate for Sports and Social Projects taking into account the purpose of personal data processing. Special categories of personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, intimate life are not processed.
2.5. The list of operations and methods of personal data processing is as follows: automated, unautomated and combined processing of personal data including their collection, organisation, accumulation, storage, adjustment (updating, alteration) retrieval, use, disclosure by transmission (dissemination or making available otherwise), anonymisation, blocking, erasure or destruction as well as any other operations performed in compliance with the applicable legislation.
3. Principles and Conditions of Personal Data Processing
3.1. The Operator processes personal data pursuant to the requirements of the legislation of the Russian Federation in the field of personal data based on the Constitution of the Russian Federation and other federal laws establishing circumstances and specific aspects of personal data processing to ensure the protection of human and civil rights and freedoms during personal data processing.
3.2. The processing of personal data is limited to achieving particular, predefined and legitimate purposes. The processing of personal data for any purpose other than those initially specified at the time of personal data collection is prohibited.
3.2. When processing personal data, the Operator ensures that personal data are accurate, adequate and, where necessary, relevant to the purpose of personal data processing.
3.3. The Operator may delegate personal data processing to a natural or legal person with consent of the personal data subject unless otherwise provided for by the federal legislation subject to an agreement made with such person. If this is the case, the Operator shall be liable to the personal data subject for such person’s actions or omission to act. The person processing personal data on behalf of the Operator shall be liable to the Operator.
3.4. The Operator undertakes not to disclose personal data to, or share it with, any third parties without consent of the personal data subject unless otherwise provided for by the federal legislation.
3.5. As regards the Operator’s legal capacity and powers, personal data are allowed to be processed in the following cases:
- the personal data subject has given his/her consent to his/her personal data
processing; - personal data processing is necessary for the Operator to perform its functions,
powers and responsibilities vested in the Operator by the legislation of the
Russian Federation; - personal data processing is necessary to perform a contract to which the
personal data subject is a party, or to enter into a contract at the request of the
personal data subject; - personal data processing is necessary to exercise the rights and legitimate
interests pursued by the Operator or a third party, or to perform a task carried
out in the public interest, except where such interests may prejudice any
fundamental rights and freedoms of the personal data subject; - the processing relates to personal data that have been made available to the
general public by the personal data subject or on his/her behalf (personal data
made public by the personal data subject); - the processing relates to personal data subject to publication or disclosure by
virtue of the federal legislation.
4. Personal Data Subject’s Right of Access to Personal Data
4.1. The personal data subject has the right to obtain the following information from the Operator:
- confirmation as to whether or not personal data relating to him/her are being processed by the Operator;
- reasons for and purposes of his/her personal data processing by the Operator;
- methods used by the Operator to process his/her personal data;
- name and location of the Operator, information about any persons (except for the Operator’s employees) who have access to his/her personal data or to whom such personal data may be disclosed pursuant to a contract with the Operator or by virtue of the federal legislation;
- list of the respective personal data subject’s personal data being processed and the source they were obtained from, unless another procedure for providing such data is established by the federal legislation;
- time limits for personal data processing including the time limit for their storage;
- information about any actual or proposed cross-border transmission of his/her personal data;
- full name (corporate name or surname, first name and patronymic) and address of the person processing personal data on behalf of the Operator where personal data processing has been or will be delegated to such person.
4.2. The personal data subject may demand that the Operator should update, block or destroy his/her personal data if the personal data are incomplete, out-of-date, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, and take measures provided for by the legislation to safeguard his/her rights.
4.3. The information listed in Clause 4.1 is provided to the personal data subject in an intelligible form and it shall not contain any personal data relating to any other personal data subjects except there are any legitimate reasons to disclose such personal data.
4.4. The Operator provides information listed in Clause 4.1 to the personal data subject or his/her legitimate representative upon their request. The request shall contain details of the main certificate of identification of the personal data subject or his/her legitimate representative; information confirming the personal data subject’s relations with the Operator (contract number, date and/or any other relevant information) or otherwise confirming the processing of the respective personal data by the Operator; signature of the personal data subject or his/her legitimate representative. The request may be submitted in electronic form and signed with a digital signature pursuant to the legislation.
4.5. The personal data subject’s rights to access to his/her personal data may be restricted to the extent provided for by the federal legislation, including if the personal data subject’s
access to his/her data prejudices the rights and legitimate interests of any third party.
4.6. If the personal data subject believes that the Operator processes his/her personal data in breach of the requirements of the federal legislation or otherwise prejudices his/her rights and legitimate interests, the personal data subject may file a complaint against the Operator’s actions or omission to act with the authorised agency for protection of personal data subjects’ rights or with a court.
4.7. The personal data subject has the right to defend his/her rights and legitimate interests including by seeking for pecuniary and/or non-pecuniary damage awards in court.
5. Operator’s Obligations
5.1. When collecting personal data, the Operator undertakes to provide the personal data subject, at his/her request, with the information listed in Clause 4.1 hereof.
5.2. If the provision of personal data is an obligation established by the federal legislation, the Operator undertakes to make it clear what legal consequences the personal data subject may incur if he/she refuses to provide his/her personal data.
5.3. The Operator takes any required and adequate legal, organisational and technical measures to ensure the Operator’s compliance with personal data processing obligations established by the federal legislation. These measures include, but are not limited to the following actions:
- to appoint an employee in charge of arranging personal data processing;
- to issue documents establishing the Operator’s policy in the field of personal data processing as well as documents regulating personal data processing aspects;
- to inform the Operator’s employees responsible for personal data processing about federal legislation provisions setting the requirements in the field of personal data protection, and to familiarise them with the Operator’s internal regulations outlining the measures and processes designed to protect personal data during their processing;
- to take measures to ensure personal data security.
6. Measures to Ensure Security of Personal Data Processingобработке
6.1. The term “threats to personal data security” means a set of conditions and factors posing a risk of any unauthorised, whether deliberate or not, access to personal data that may result in their erasure, modification, blocking, copying, sharing or dissemination, and any other illegal actions that may be taken during their processing in the personal data information system.
6.2. When processing personal data, the Operator takes, or ensures the implementation of, all necessary measures to protect personal data against any unauthorised or accidental access, erasure, modification, blocking, copying, sharing or dissemination as well as any other illegal actions with regard to personal data.
7. Policy Review Procedure
7.1. This Policy is subject to review at least once a year.
7.2. If any changes are made to the legislation and special regulations relating to personal data processing, the Operator shall review and update this Policy accordingly.