Personal data processing policy of the Russian Association of Cardiovascular Surgeons websites
1. General terms
1.1. The present personal data processing Policy (hereinafter referred to as the Policy) is drawn up and applied by the Russian Association of Cardiovascular Surgeons (hereinafter referred to as the Operator, Association) as required under Federal Act No. 152-FZ of 27 July 2006 on Personal Data.
1.2. By agreeing to the Policy during registration the user gives consent to personal data processing.
- 1.3.1. Personal data - any information concerning a certain individual or an individual that may be identified on the basis of that information (the subject of personal data), including his or her family name, first name, patronymic, the year, month, date and place of birth, address, family, social, property status, education, profession, incomes and other information;
- 1.3.2. Personal data processing - any action (operation) or complex of actions (operations) performed with or without the usage of automatic means, including collection; recording, systematization; compilation; storage; adjustment (updating and amending); retrieval; use; transfer (distribution, presentation, and access) including cross‐border transfer; anonymising; blocking; deletion; and destruction of personal data.
- 1.3.3. Data subject - an individual who is the subject of personal data.
- 1.3.4. Personal data operator – a state body, municipal body, legal entity or an individual that organises and/or effects processing of personal data and also determines the goals and content of personal data processing.
- 1.3.5. User account - a location on the Association network server used to store a computer username, password, and other information.
- 1.3.6. Personal data confidentiality - the law on personal data obligates operators to take all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access.
1.4. The aim of the present policy is to provide personal data protection and accountability for the employees who have personal data access.
1.5. Entry into force of the Policy
- 1.5.1. The Policy shall enter into force upon approval by the president of the Association and shall remain in force indefinitely, until it is replaced by a new Policy.
- 1.5.2. The Policy can be modified by an order of the president of the Association.
2. The purpose of personal data processing
2.1. The Association provides personal data collection and processing according to Russian legislation for the following purposes:
- Implementation of the commitments made by the Association while concluding the User Agreement on services: “Abstract submission”, “Online registration”, “Participation as an Association member”.
- Statistical and marketing research on anonymous data.
- Marketing informational dispatch.
2.2. The basis for personal data processing is the following legal acts:
- The Charter of the Russian Association of Cardiovascular Surgeons (https://racvs.ru/about/ustav/),
- Consent to processing of personal data (https://ascvts2018.org/registration/personal-data-protection/consent.php),
- Association’s internet services information,
- User agreement
- Agreement on joining to acquiring
- Yandex.Metrica usage conditions
3. Amount of processed personal data
3.1. The Association collects and processes personal data in an automatic mode. The information includes:
- date of the last visit to the website,
- session data,
- visited pages data,
- IP address,
- cookie-file data,
- browser and operating system data.
3.2. Personal data of the Users is stored by Yandex.Metrica counter code on the Association website in an automatic mode. The list of stored data is as follows:
- date of visit,
- session duration,
- previous site address,
- login page,
- browsing history,
- IP address,
- data on the browser.
3.3. When using site services the User voluntarily transmits the following personal data in a web-form to the Association:
- email address,
- name, middle name, last name
- date of birth
- mobile phone
- workplace data
- postal address
3.4. The Association shall not be responsible for the accuracy of the data transmitted by the User.
4. Personal data processing procedures and conditions
4.1. Personal data is processed for the time necessary to fulfil the purposes set out in p. 2, but not less than 5 years pursuant to the Federal Act on Accountancy № 402-FZ as of 6 December 2011 and archival legislation (Order of the Ministry of Culture as of 25 August 2010 No.558 on the List of the standard business archive documents elaborated by state authorities, local state bodies and companies with the terms of retention period).
4.2. If the Consent is withdrawn, the Association shall block User’s data. At the same time the access to some site services requiring identification can be limited.
4.3. Processing Personal data obtained by the Association comprises: collection, recording, systematization, accumulation, storage, retrieval, use, deletion, blocking, transfer (dissemination, provision, access), destruction.
4.4. The User shall be granted permanent access to the User Account. It is necessary to log in to the site to view the information.
4.5. The User can make any change to personal data on the site after entering login and password.
4.6. The Association shall not store users’ bank cards data. Personal data (name, surname, bank cards data, and email) shall be transmitted to third parties who provide acquiring services.
4.7. The Association is entitled to transmit personal data to agencies conducting initial inquiries and pre-trial investigations, other authorized agencies on the basis of existing legislation.
5. Personal Data Protection
5.1. Data shall be protected by means of technical and organizational measures against unauthorised access, alteration, transfer, public disclosure, deletion or destruction. The measures include:
- timely identification and forecasting of sources of threats, and of reasons and conditions contributing to damage to the information relations stakeholders or to disruption of the functioning of Association sites;
- carrying out data backup;
- site access control (employees are given access only to the resources necessary for their duties), i.e. protection against unauthorized access;
- protection from unauthorized site modification: system protection from SQL injection, phishing through redirects, XSS attacks, and script and frame injection, including computer viruses, and protection of sessions from interception;
- setting up a protected mode of data transmission with 128-bit SSL encryption protocol;
- limited access to the location of the personal data service, with video surveillance set up;
- logging of logins and personal data operations performed by users;
- identification of users by login and password, with the IP address recorded.
5.2. Users’ personal data shall be stored on the server with the following physical address: Moscow, Rublevskoe shosse, 135.
6. Updating, correction, deletion and destruction of data
6.1. Upon completion of the retention period (p.4.1 of the present Policy) user’s personal data can be blocked.
6.2. The Consent can be withdrawn by the User before the end of the term indicated in p. 4.1. For this purpose a request shall be sent to the administrator of the Association at the following address: email@example.com. Name, Surname, email and User ID are to be indicated.
6.3. To renew access to Association services the User can send a notification to the administrator email: firstname.lastname@example.org. When renewing access the Consent shall be given once more.
6.4. The Association shall inform the User or a representative of the User about personal data processing upon his or her request.