Personal Data Processing Policy of ANO (Autonomous Nonprofit Organization) “Agency for the Development of Computer Sports”

1. Basic Terms

Automated personal data processing – personal data processing by computer equipment;
Personal data blocking – temporary termination of personal data processing (except when processing is necessary to clarify personal data);
Biometric personal data – information that describes the physiological and biological characteristics of an individual, on the basis of which his/her identity can be established;
Personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing;
Personal data anonymization – actions that make it impossible, without the use of additional information, to determine whether personal data belong to a particular subject of personal data;
Personal data processing – any action (operation) or a set of actions (operations) with personal data performed with or without the use of automation tools. Personal data processing includes, but is not limited to:

  • collection;
  • recording;
  • systematization;
  • accumulation;
  • storage;
  • clarification (updating,
  • modification);
  • extraction;
  • use;
  • transfer (distribution, provision, access);
  • anonymization;
  • blocking;
  • deletion;
  • destruction;

Publicly available personal data – personal data, access to which is provided by a personal data subject or at his/her request, to an unlimited number of persons;
Personal data operator (operator) – a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out personal data processing, as well as determining the purpose of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data;
Organization – Autonomous noncommercial organization “Agency for the development of computer and other sports” (ANO “Agency for the development of computer sports”);
Personal data – any information relating to directly or indirectly identified or identifiable an individual (personal data subject);
Personal data, authorized by a personal data subject for
distribution – personal data, access to which is provided by a personal data subject by giving consent to the processing of personal data, authorized by the personal data subject for distribution;
Policy – Personal Data Processing Policy of ANO “Agency for the development of computer and other sports” – a document approved by the General Director of the Organization and governing the collection and processing of personal data in the Organization;
Personal data provision – actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
Personal data dissemination – actions aimed at disclosure of personal data to an indefinite circle of persons;
Trans-border transfer of personal data – transfer of personal data in a foreign country to a foreign authority, a foreign individual or a foreign legal entity;
Website – a set of logically linked web pages on the Internet, located at: https://en.gamesofuture.com/;
Personal data destruction – actions resulting in the impossibility to restore the content of personal data in the personal data information system and (or) resulting in the destruction of personal data tangible media.

2. Legal basis for personal data processing

2.1. The legal basis for personal data processing in the Organization includes:

  • the Constitution of the Russian Federation;
  • the Labor Code of the Russian Federation
  • the Civil Code of the Russian Federation;
  • the Tax Code of the Russian Federation;
  • the Federal Law No. 329-FZ “On physical culture and sports in the Russian Federation” dated 04 Dec.2007;
  • the Federal Law No. 63-FZ “On electronic signature” dated 06 Apr. 2011;
  • the Federal Law No. 126-FZ “On communication” dated 07 Jul. 2003;
  • the Federal Law No. 149-FZ “On information, information technologies and protection of information” dated 27 Jul. 2006;
  • the Federal Law No. No. 402-FZ “On accounting” dated 06 Dec. 2011;
  • the Federal Law No. 27-FZ “On individual (personalized) accounting in the compulsory pension insurance system” dated 01 Apr. 1996;
  • the Federal Law No. № 422-FZ “On conducting an experiment on establishing a special tax regime “Tax on professional income” dated 27 Nov. 2018;
  • the Federal Law No. 125-FZ “On archives in the Russian Federation” dated 22 Oct. 2004;
  • the Federal Law No. 273-FZ “On education in the Russian Federation” dated 19 Dec. 2012;
  • the Federal Law No. 54-FZ “On the application of cash registers for settling accounts in the Russian Federation” dated 22 May, 2003;
  • the Federal Law No. 7-FZ “On nonprofit organizations” dated 12 Jan. 1996;
  • the Federal Law No. 135-FZ “On charitable and volunteering activity” dated 11 Aug. 1995;
  • the Charter of the Organization;
  • Contracts and agreements of the Organization;
  • Consents by personal data subjects.

3. General Provisions

3.1. The Policy was developed in accordance with paragraph 2 part 1 article 18.1 of Federal Law No. 152-FZ “On personal data” dated 27 Jul. 2006 and “Recommendations for drafting a document defining operator’s policy regarding personal data processing in accordance with Federal Law No. 152-FZ “On personal data” dated 27 Jul. 2006″ as developed by the Federal Service for supervision of communications, information technology, and mass media (Roscomnadzor).

3.2. Personal data processing by the Organization is based on the following principles:
a) limiting personal data processing to the achievement of specific, predetermined and legitimate purposes;
b) avoiding personal data processing that is incompatible with the purposes of personal data collection;
c) avoiding the integration of personal data databases, the processing of which is carried out for purposes, incompatible with each other;
d) processing only those personal data, which correspond to the purposes of their processing;
e) compliance of the content and volume of the processed personal data with the declared processing purposes;
f) avoiding personal data processing excessive in relation to the stated purposes of their processing;
g) ensuring the accuracy, sufficiency and relevance of personal data in relation to the purpose of personal data processing;
h) destruction or depersonalization of personal data upon attainment of objectives of their processing or in case of loss of necessity in attainment of such objectives, if it is impossible for the Organization to eliminate violations of personal data, unless otherwise provided by the Russian legislation.

4. Purposes of personal data collection and processing

4.1. Personal data are processed for the following purposes:

a) ensuring the requirements of the legislation of the Russian Federation;
b) registration and regulation of labor relations, decision-making on employment of a candidate for a vacant position, inclusion in the personnel reserve;
c) information stipulation in personnel documents, information systems/resources of the Organization;
d) information stipulation in electronic and printed publications about activities of the Organization, held or organized events (including the use of biometric personal data)
e) accrual of wages and their transfer to a bank account, payment for services (works, other) under civil-law contracts;
f) granting vacations to employees of the Organization and sending them on business trips, issuance of international passports and visas, as well as medical insurance for those going abroad;
g) organizing and processing of awards and incentives for employees of the Organization;
h) provision of additional guarantees and compensations to employees and members of their families, including non-state pension provision, voluntary health insurance, medical care and other types of social security;
i) provision of tax credits;
j) ensuring safe working conditions and personal safety of the Organization’s employees and visitors;
k) assistance in employment, training and promotion, participation in public events (conferences, seminars, meetings, forums, meetings with the media, competitions, etc.)
l) ensuring the performance by the Organization’s employees of their employment duties, control over the quantity and quality of work performed;
m) calculation and making of tax payments stipulated by the legislation of the Russian Federation;
n) submission of statutory reports with regard to individuals to tax authorities, off-budgetary funds and other state and municipal authorities and state-owned enterprises
o) conducting educational and pre-graduation practice and internships;
p) involvement and organization of participation of volunteers in the activities of the Organization and the Organization’s partners;
q) compliance with the access control procedures on the territory of the Organization;
r) enforcement of judicial acts, acts of other bodies or officials to be enforced in accordance with the legislation of the Russian Federation;
s) ensuring the performance of civil-law contracts, control over the quantity and quality of services (works, other) rendered;
t) conclusion and performance of civil-law contracts with individuals and legal entities, individual entrepreneurs and other persons;
u) filling in the primary statistical documentation in accordance with the current legislation of the Russian Federation;
v) auditing of the Organization’s activities and technical systems;
w) holding sports, recreational and festive events;
x) provision of information about the Organization, its products and other information to the Website visitors;
y) publication of information provided by the Website visitors;
z) distribution of information and other materials in the areas of the Organization’s activities;
aa) publication or mandatory disclosure of personal data in accordance with the legislation of the Russian Federation;
bb) for other legitimate purposes.

5. Scope and categories of processed personal data, categories of personal data subjects

5.1 The scope of personal data processed by the Organization:

family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
information about the profession and other personal data provided by the applicant in the curriculum vitae and cover letters;
education, qualifications, professional training and information about advanced training;
academic degree, academic rank (when awarded, numbers of diplomas, certificates);
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
individual taxpayer number;
insurance number of individual personal account (SNILS);
marital status, children, family ties;
employment record, including encouragements, awards and/or disciplinary penalties;
data on marriage registration;
information about military registration;
information about disability;
information about alimony deductions;
information about income from previous employment;
criminal records;
information about state awards, other awards and insignia of distinction (dates of awards);
number and expiration date of the visa to the Russian Federation (for personal data subjects, who are foreign citizens);
number and expiration date of the work permit (for personal data subjects, who are foreign citizens)
address of migration registration in Russia (for personal data subjects, who are foreign citizens);
information about existing credits and debts;
other personal data, provided by the personal data subjects for specified purposes.

5.2 Biometric personal data in the Organization are processed in accordance with the legislation of the Russian Federation.

5.3. The Organization does not process personal data of special categories relating to race, ethnicity, political views, religious or philosophical beliefs, health, intimate life or criminal record.

5.4. Special categories of personal data relating to race, nationality, political opinions, religious or philosophical beliefs, health status, intimate life, or criminal record are processed by the Organization in the following cases:

the personal data subject has given consent in writing;
special categories of personal data are made publicly available by the personal data subject;
processing of special categories of personal data is necessary for protection of the life, health or other vital interests of the personal data subject, or the life, health or other vital interests of other persons, and the consent of the personal data subject cannot be obtained;
special categories of personal data are processed for medical and preventive purposes, for purposes of establishing a medical diagnosis, rendering medical and medical and social services, provided that the personal data are processed by a person professionally engaged in medical activities and obliged in accordance with the laws of the Russian Federation to maintain medical secrecy;
special categories of personal data are processed in accordance with the legislation on mandatory types of insurance, with the insurance legislation, as well as for the provision of additional insurance.

5.5. The Organization processes publicly available personal data.

5.6. Categories of personal data subjects and list of processed personal data:

– employees of the Organization:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
education, qualifications, professional training and information about advanced training;
academic degree, academic rank (when awarded, numbers of diplomas, certificates);
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
individual taxpayer number;
insurance number of individual personal account (SNILS);
marital status, children, family ties;
employment record, including encouragements, awards and/or disciplinary penalties;
data on marriage registration;
information about military registration;
information about disability;
information about alimony deductions;
information about income from previous employment;
criminal records;
information about state awards, other awards and insignia of distinction (dates of awards);
number and expiration date of the visa to the Russian Federation (for personal data subjects, who are foreign citizens);
number and expiration date of the work permit (for personal data subjects, who are foreign citizens)
address of migration registration in Russia (for personal data subjects, who are foreign citizens);
information about existing credits and debts;
other personal data, provided by the personal data subjects for specified purposes;

– candidates for vacant positions:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
information about the profession and other personal data provided by the applicant in the curriculum vitae and cover letters;
education, qualifications, professional training and information about advanced training;
academic degree, academic rank (when awarded, numbers of diplomas, certificates);
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
marital status, children, family ties;
employment record, including encouragements, awards and/or disciplinary penalties;
information about state awards, other awards and insignia of distinction (dates of awards);
number and expiration date of the visa to the Russian Federation (for personal data subjects, who are foreign citizens);
number and expiration date of the work permit (for personal data subjects, who are foreign citizens)
address of migration registration in Russia (for personal data subjects, who are foreign citizens);
other personal data, provided by personal data subjects for specified purposes;

– persons undergoing internship or on-the-job training in the Organization, volunteers:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
education, qualifications, professional training and information about advanced training;
academic degree, academic rank (when awarded, numbers of diplomas, certificates);
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
other personal data, provided by personal data subjects for specified purposes;

– personal data subjects, who are related to employees of the Organization:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
other personal data, provided by personal data subjects for specified purposes;

– founders of the organization and personal data subjects, who are members of the management bodies of the Organization:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
other personal data, provided by personal data subjects for specified purposes;

– individuals, who are in contractual and other civil relations with the Organization:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
education, qualifications, professional training and information about advanced training;
academic degree, academic rank (when awarded, numbers of diplomas, certificates);
images (photos), video recordings with the personal data subject and audio recordings of the voice of the personal data subject;
passport data;
address of registration and actual residence;
individual taxpayer number;
insurance number of individual personal account (SNILS);
marital status, children, family ties;
employment record, including encouragements, awards and/or disciplinary penalties;
data on marriage registration;
information about military registration;
information about disability;
information about alimony deductions;
information about income from previous employment;
criminal records;
information about state awards, other awards and insignia of distinction (dates of awards);
number and expiration date of the visa to the Russian Federation (for personal data subjects, who are foreign citizens);
number and expiration date of the work permit (for personal data subjects, who are foreign citizens)
address of migration registration in Russia (for personal data subjects, who are foreign citizens);
information about existing credits and debts;
other personal data, provided by the personal data subjects for specified purposes;

– personal data subjects representing legal entities, and individuals, who are in contractual and other civil relations with the Organization:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
passport data;
address of registration and actual residence;
other personal data, provided by the personal data subjects for specified purposes;

– the Organization’s office visitors:
family name, first name, patronymic;
year and place of birth;
gender;
age;
phone number, e-mail address;
other personal data, provided by the personal data subjects for specified purposes;

– personal data subjects who are Internet users / Website visitors and transmit their personal data through the Organization’s Website, as well as personal data subjects, who have applied to the Organization:
family name, first name, patronymic;
phone number, e-mail address;
employment record;
other personal data, provided by the personal data subjects for specified purposes.

6. Procedure and conditions of personal data processing

6.1. Personal data processing includes the collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

6.2. The Organization creates public sources of personal data (directories, address books). Personal data reported by the subject (family name, first name, patronymic, position, work contact details, etc.) are included in such sources only with the written consent of the personal data subject.

6.3. The Organization processes personal data using automation tools and without using automation tools.

6.4. Personal data processing, including their storage, is performed within the time limits established by the current legislation, as well as by Organization’s regulation.

6.5. Personal data are processed by the Organization with the consent of the personal data subject to the processing of his/her personal data, unless otherwise provided for by the legislation of the Russian Federation.

6.6. Without the consent of the personal data subject, the Organization does not disclose to third parties and does not distribute personal data, unless otherwise provided for by the legislation of the Russian Federation.

6.7. The Organization has the right to entrust personal data processing to another subject with the consent of the personal data subject on the basis of an agreement concluded with this subject. The agreement shall contain a list of actions (operations) with personal data that will be performed by the subject processing personal data, the purposes of processing, the obligation of such subject to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as the requirements for the protection of processed personal data in accordance with Article 19 of Federal Law No. 152-FZ “On personal data” of 27 Jul. 2006.

6.8. For the purpose of internal information support, the Organization creates internal reference materials, which include the last name, first name, patronymic, position, date of birth (without year), phone number (work, cell), work email address, other personal data reported by the personal data subject.

6.9. Access to personal data processed by the Organization is allowed to employees of the Organization holding the following positions:

General Director;

Human resources Director;

Head of recruitment, adaptation and HR support;

Project manager for HR processes;

Director of technology and game products department;

Project manager of the technology and game products department;

Deputy general director, Director of the financial and legal block;

Head of legal support department;

Accountant;

Chief accountant;

Director of the department for financial and administrative support;

Lawyer;

Head of the administrative and economic department;

Document flow manager;

Administrator of the administration department.

6.10. The Organization transfers personal data to state and municipal bodies, officials of these bodies within the framework and in accordance with the legislation of the Russian Federation.

6.11. The Organization ensures separate storage of personal data and their material carriers, which are processed for different purposes and which contain different categories of personal data.

6.12. Personal data physical media are stored by the Organization in compliance with the conditions that ensure the safety of personal data and exclude unauthorized access thereto.

6.13. Upon reaching the goals of personal data processing, as well as in the event that the personal data subject withdraws consent to their processing, personal data are subject to destruction if:

it is not provided for otherwise by the agreement;

the Organization is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by Federal Law No. 152-FZ “On personal data” of 27 Jul. 2006 or other laws of the Russian Federation;

it is not provided for otherwise by another agreement between the Organization and the personal data subject.

6.14. Personal data are processed confidentially.

6.15. Personal data processing for the purpose of promoting goods, works, or services on the market by direct contacts with a personal data subject (potential consumer) via means of communication is allowed only with the prior consent of the personal data subject.

6.16. The Organization, at the request of the personal data subject, shall terminate the processing of his/her personal data within the time limits established by the legislation of the Russian Federation.

7. Ensuring the security of personal data

7.1. The security of personal data processed by the Organization is ensured by the implementation of legal, organizational and technical measures necessary to ensure the requirements of legislation on personal data protection.

7.2. To prevent unauthorized access to personal data, the Organization applies the following organizational and technical measures:

  • appointment of officials responsible for organizing the processing and protection of personal data and / or concluding a civil law contract with an individual or legal entity that ensures the processing and protection of personal data;
  • restriction of the scope of persons allowed to process personal data;
  • familiarization of subjects with the requirements of federal legislation and regulatory documents of the Organization for the processing and protection of personal data;
  • organization of accounting, storage and circulation of media containing information with personal data;
  • identification of threats to the security of personal data during their processing, the formation of threat models on their basis;
  • development of a personal data protection system based on the threat model;
  • verification of the readiness and effectiveness of the use of information security tools;
  • delimitation of user access to information resources and software and hardware for information processing;
  • registration and accounting of actions of users of personal data information systems;
  • use of anti-virus tools and means of restoring the personal data protection system;
  • application, if necessary, of firewalls, means of intrusion detection, security analysis and cryptographic information protection;
  • organization of access control to the territory of the Organization, protection of premises with technical means of personal data processing.

8. Rights and obligations of the Organization in personal data processing

8.1. The Organization shall take measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the legislation of the Russian Federation, including:

  • appointment of a person responsible for organizing the processing of personal data;
  • organization of work to ensure the security of personal data during their processing in personal data information systems;
  • conducting proceedings on the facts of non-compliance with the conditions of storage of personal data carriers, the use of information security tools that may lead to a violation of the confidentiality of personal data or other violations leading to a decrease in the level of protection of personal data;
  • suspension of the provision of personal data to users of the information system upon detection of violations of the personal data provision procedure;
  • publication of documents defining the personal data processing policy, local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
  • application of legal, organizational and technical measures to ensure the security of personal data, an assessment of the harm that may be caused to personal data subjects in the event of a violation of the law, the ratio of this harm and the measures taken by the Organization aimed at ensuring the fulfillment of obligations stipulated by the legislation of the Russian Federation;
  • familiarization of employees directly involved in personal data processing with the provisions of the legislation of the Russian Federation on personal data, including the requirements for personal data protection, documents defining the Organization’s personal data processing policy, local acts on personal data processing, and (or) training of said employees.

8.2. The Organization shall publish the Policy or otherwise provide unrestricted access thereto.

9. Rights of a personal data subject

9.1. A personal data subject has the right to provide and withdraw consent to the processing of his/her personal data by sending a corresponding request to the Organization by mail or by contacting in person.

9.2. A personal data subject decides on the provision of his/her personal data and agrees to their processing freely, voluntarily and in his own interests. Consent to the processing of personal data may be given by the personal data subject or his representative in any form that allows confirming the fact of its receipt, unless otherwise established by Russian and international legislation.

9.3. A personal data subject has the right to receive information concerning the processing of his/her personal data, including information containing:

  • confirmation of the fact of personal data processing by the Organization;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Organization;
  • terms of processing of personal data, including the terms of their storage.

9.4. A personal data subject has the right to demand from the Organization the clarification of his/her personal data, their blocking or destruction if the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his/her rights.

9.5. If a personal data subject believes that the Organization processes his/her personal data in violation of the requirements of the Federal Law “On personal data” or otherwise violates his/her rights and freedoms, the personal data subject has the right to appeal the actions or inaction of the Organization to the authorized body for the protection of the rights of personal data subjects (the Federal Service for supervision of communications, information technology, and mass media (Roskomnadzor)) or in court.

9.6. A personal data subject has the right to protect his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.

9.7. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences with respect to the personal data subject or otherwise affect his/her rights and interests under the legislation of the Russian Federation, except in cases provided for by laws, or with the written consent of the personal data subject.

10. Storage and destruction of personal data, responses to requests of subjects for access to personal data

10.1. Personal data of personal data subjects may be provided both on paper and in electronic form (via a local computer network, electronic media, or otherwise).

10.2. Personal data should be stored in a form that allows the identification of the personal data subject, no longer than the purposes of their processing require. Personal data are subject to destruction upon achievement of the processing objectives or in case there is no more need to achieve them.

10.3. For the premises in which personal data are processed (stored), a security regime shall be organized, in which the safety of personal data carriers and technical means of processing personal data is ensured, and the possibility of unauthorized persons entering and staying in these premises is excluded.

10.4. Unauthorized persons are allowed in the premises where personal data are processed (stored) only in the presence of employees of the Organization.

10.5. The storage of personal data in a form that allows the identification of the personal data subject may be no longer than the purposes of their processing require.

10.6. Consents to the processing of personal data fall under the category of personal data and, accordingly, shall be stored at the place of storage of personal data.

10.7. Personal data shall be destroyed within a period not exceeding three (3) working days from the date of achievement of the purpose of personal data processing or in case there is no mote need to achieve them, unless otherwise provided by the legislation of the Russian Federation and this Policy.

10.8. The information specified in Part 7 of Article 14 of the Federal Law “On personal data” is provided to the personal data subject or his/her representative by the Organization when contacting or receiving a request from the personal data subject or his/her representative within ten (10) working days from the date of its receipt.

10.9. The information shall be provided in an accessible form, it shall not include personal data related to other personal data subjects, except in cases where there are legitimate grounds for the disclosure of such personal data.

10.10. If the personal data subject’s request does not reflect all the necessary information in accordance with the requirements of the Federal Law “On personal data” or the subject does not have rights of access to the requested information, a reasoned refusal shall be sent to him/her.

10.11. The request must contain data of the main identity document of the personal data subject or his/her representative, information confirming the participation of the personal data subject in relations with the Organization (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Organization, signature (including electronic) of the personal data subject or his/her representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

10.12. A personal data subject’s right of access to his/her personal data may be restricted in accordance with Part 8 of Article 14 of the Federal Law “On personal data”, including if the access of a personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

10.13. Within a period not exceeding seven (7) working days from the date of submission by a personal data subject or his/her representative of information confirming that the personal data are incomplete, inaccurate or irrelevant, the Organization shall amend them accordingly.

10.14. Within a period not exceeding seven (7) working days from the date of submission by a personal data subject or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the Organization shall destroy such personal data.

10.15. The Organization shall notify the personal data subject or his/her representative of the changes made and the measures taken and take reasonable measures to notify third parties to whom the personal data of this subject have been transferred.

10.16. The Organization shall provide the authorized body for the protection of the rights of personal data subjects at the request of this body with the necessary information within ten (10) working days from the date of receipt of such request.

10.17. If the personal data subject withdraws consent to the processing of his/her personal data, the Organization shall terminate their processing or ensure the termination of such processing (if the personal data are processed by another person acting on behalf of the Organization) and if the storage of personal data is no longer required for the purposes of personal data processing, destroy the personal data or ensure their destruction (if the personal data are processed by another person acting on behalf of the Organization) within no more than thirty (30) days from the date of receipt of the said withdrawal, unless otherwise provided for by the contract to which the personal data subject is a party, beneficiary or guarantor, by another agreement between the Organization and the personal data subject, or if the Organization is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by Federal Law “On personal data” or the legislation of the Russian Federation.

10.18. If the personal data cannot be destroyed within the above period, the Organization shall block such personal data or ensure their blocking (if the personal data are processed by another person acting on behalf of the Organization) and ensure the destruction of the personal data within no more than six (6) months, unless another period is established by federal laws.

10.19. If a personal data subject withdraws consent to the processing of his/her personal data, the Organization has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified in part 2 of Article 9 of the Federal Law “On personal data” or the legislation of the Russian Federation.

10.20. If a personal data subject applies to the Organization with a request to terminate the processing of his/her personal data, the Organization shall, within no more than ten (10) working days from the date the Organization receives the relevant request, terminate their processing or ensure the termination of such processing (if such processing is performed by the person processing personal data).