Personal Data Processing and Protection Policy of Private Culture Institution “GARAGE Museum of Contemporary Art”

  1. GENERAL
    1. This Policy of Private Culture Institution "GARAGE Museum of Contemporary Art" with regard to processing and protection of personal data (hereinafter - the "Policy") has been adopted in order to comply with the legislation governing relations associated with the processing of personal data, and to ensure observance of the rights and freedoms of personal data subjects, confidentiality of personal data and security of their processing. It is published on the Internet in order to give an unlimited number of persons unrestricted access to the provisions of this Policy.
    2. This Policy defines the goals and legal grounds for processing of personal data, the scope and categories of processed personal data, the categories of personal data subjects, the procedure and conditions for personal data processing, as well as relations associated with updating, correction, deletion and destruction of personal data, and determines the procedure for responding to requests of personal data subjects for access to personal data.
    3. The following basic concepts are used in this Policy in the following meanings:
      • personal data - any information relating directly or indirectly to a specific or determinable individual (subject of personal data);
      • Personal Data Operator (Operator) – Private Cultural Institution “GARAGE Museum of Contemporary Art” (OGRN 1147799010083, TIN 7706471526, legal address: 119049, Krymsky Val Street, building 32, Moscow);
      • processing of personal data - any action (operation) or set of actions (operations) performed on personal data with or without the use of automation tools. Processing of personal data includes, but is not limited to: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;
      • automated processing of personal data - processing of personal data using computer technology;
      • distribution of personal data - actions aimed at disclosure of personal data to an indefinite number of persons;
      • provision of personal data - actions aimed at disclosure of personal data to a specific person or a certain circle of persons;
      • blocking of personal data - temporary termination of personal data processing (unless the processing is required to clarify personal data);
      • destruction of personal data - actions, as a result of which it becomes impossible to restore content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
      • depersonalization of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine which specific subject the personal data belongs to;
      • information system of personal data - the set of personal data contained in databases, together with the information technologies and technical means that ensure their processing;
      • cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to a government body of a foreign state, to a foreign individual or to a foreign legal entity.
  2. PERSONAL DATA PROCESSING GOAL AND LEGAL GROUNDS
    1. Processing of personal data is carried out in order to:
      • ensure fulfilment of obligations related to exhibitions, events of a cultural and educational nature, including lectures, master classes, provision of other services provided by the Operator as well as obligations arising from labor contracts and state contracts;
      • send invitations and provide information on events conducted by the Operator;
      • mail out targeted advertising as well as information about the activities of the Operator and the activities carried out by the Operator;
      • exercise the rights and obligations of the employer, train Operator’s employees, ensure personal safety of employees, safety of the Operator’s property, conduct personnel records management;
      • make decisions on the employment of the candidate;
      • organize and provide access control in the premises of the Operator;
      • receive feedback from users of the Operator's websites;
      • perform other duties assigned to the Operator by law.
    2. Legal grounds for processing of personal data are:
      • Federal Law dd. 12.01.1996 No. 7-FZ “On Non-Profit Organizations”;
      • Labor Code of the Russian Federation;
      • Federal Law dd. December 19, 2005 No. 160-FZ “On Ratification of the Council of Europe Convention on the Protection of Individuals with Automatic Processing of Personal Data”;
      • Civil Code of the Russian Federation (Part One) dd. November 30, 1994 No. 51-FZ;
      • Civil Code of the Russian Federation (Part two) dd. January 26, 1996 No. 14-FZ;
      • Civil Code of the Russian Federation (Part three) dd. November 26, 2001 No. 146-FZ;
      • Civil Code of the Russian Federation (Part four) dd. December 18, 2006 No. 230-FZ;
      • Operator Charter.
  3. PROCESSED PERSONAL DATA SCOPE AND CATEGORIES. CATEGORIES OF PERSONAL DATA SUBJECTS
    1. The scope and categories of processed personal data are determined in accordance with the purposes of personal data processing and depend on the category of personal data subjects. The Operator does not process personal data that is excessive in relation to the stated processing purposes. Maximum volumes of processed personal data are indicated in clause 3.3 of this Policy.
    2. This Policy establishes the following categories of personal data subjects:
      • candidates for vacant positions of the Operator;
      • employees of the Operator, relatives of the Operator’s employees to the extent determined by law, if information about them is provided by the employee;
      • persons who are members of the Operator’s management bodies and are not employees;
      • individuals with whom the Operator concludes civil law contracts;
      • visitors to the site owned by the Operator: https://garagemca.org
    3. This Policy defines the following scopes of personal data processed by the Operator:
      • for the category “candidates for vacant positions of the Operator”: last name, first name, patronymic, date of birth, education, name of previous employers, period of work, name of positions with previous employers;
      • for the category “Operator employees”: personal data specified in the passport, another document proving the employee’s identity, education, attitude to military duty (military service), salary information, phone number, address of actual residence, bank details, insurance number of the individual personal account of insured person in the mandatory pension insurance system, individual tax number (if any), email;
      • for the category “Persons who are members of the Operator’s management bodies and are not employees”: personal data specified in the passport, another document proving the identity of personal data subjects, education, salary information, phone number, address of actual residence, bank details, insurance number of the individual personal account of insured person in the mandatory pension insurance system, individual tax number (if any), email;
      • for the category “Individuals with whom the Operator enters into civil law contracts”: personal data specified in the passport, another document proving the identity of personal data subject, bank details, insurance number of the individual personal account of insured person in the mandatory pension insurance system, individual tax number (if any), phone number, email;
      • for the category “Visitors to the site owned by the Operator”: full name; phone number; e-mail.
  4. PERSONAL DATA PROCESSING PROCEDURE AND TERMS
    1. The Operator does not process personal data regarding race, nationality, religious, philosophical and other beliefs, intimate life, political views, membership in public associations, political parties as well as in trade unions.
    2. Biometric personal data is not processed by the Operator.
    3. The Operator does not carry out cross-border transfer of personal data.
    4. The method of obtaining (collecting) personal data depends on the category of personal data and can be:
      • receipt of personal data from the subject of personal data in the form of copies (originals) of documents, completed questionnaires, details of contracts as well as special forms completed by visitors on the site belonging to the Operator;
      • receipt of personal data from third parties in cases and in the manner prescribed by law;
      • receipt of personal data from public sources.
    5. With regard to personal data, the Operator performs the following actions both using automation tools and without using such tools: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction.
    6. When storing databases, the Operator uses databases located in the Russian Federation.
    7. This Policy establishes that the deadlines for processing personal data cannot exceed the deadlines established by:
      • legislation of the Russian Federation;
      • the subject of personal data, as expressed in written consent to the processing of his personal data or in a statement on the withdrawal of consent to the processing of personal data.
      In this case, processing of personal data cannot last longer than the goals of processing personal data require. Upon expiry of the deadline for processing personal data, the Operator stops processing personal data. In addition, the processing of personal data is terminated by the Operator in the following cases:
      • amendment or invalidation of the normative acts establishing the legal basis for processing of personal data;
      • identification of illegal processing of personal data by the Operator;
      • revocation of consent to processing of personal data by the subject of personal data, if processing of such personal data in accordance with the law is allowed only on the basis of the consent of personal data subject.
    8. The Operator does not have the right to disclose to third parties and distribute personal data without written consent of the subject of personal data, unless otherwise provided by this Policy and legislation.
    9. The Operator has the right to transfer personal data to the bodies of inquiry and preliminary investigation, other authorized bodies on the grounds stipulated by the legislation of the Russian Federation.
    10. The Operator implements the following requirements for protection of personal data:
      • appoints a person responsible for organizing the processing of personal data from among the employees of the Operator;
      • develops and approves, by order of the head of the Operator, local regulatory legal acts in the field of personal data processing;
      • when operating personal data information systems - takes the following legal, organizational and technical measures to ensure the security of personal data during its processing, the implementation of which ensures the established levels of personal data security:
        • organizes a security regime for premises in which the information system is located that impedes the possibility of uncontrolled entry or stay in these premises of persons who do not have access to these premises;
        • ensures the safety of personal data carriers;
        • approves the list of persons whose access to personal data processed in the information system is necessary for them to perform official (labor) duties;
        • uses information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security if the use of such means is required to neutralize current threats.
      • when processing personal data carried out without the use of automation, it complies with the requirements established by the Decree of the Government of the Russian Federation dd. September 15, 2008 No. 687 "On approval of the Regulation on processing of personal data carried out without the use of automation";
      • organizes periodic checks of the conditions for processing personal data;
      • familiarizes employees who process personal data with the provisions of the legislation on personal data (including the requirements for protection of personal data) and with local acts on processing of personal data, and (or) organizes training for these employees;
      • notifies the authorized body for protection of the rights of personal data subjects about personal data processing (the intention to process personal data);
      • depersonalizes personal data processed in personal data information systems in cases established by regulatory legal acts of the Russian Federation as well as in accordance with the requirements and methods established by the authorized body for protection of the rights of personal data subjects.
  5. UPDATE, CORRECTION, DESTRUCTION OF PERSONAL DATA, RESPONSES TO SUBJECT REQUESTS FOR ACCESS TO PERSONAL DATA
    1. Upon occurrence of circumstances specified in clause 4.7 of this Policy, the Operator shall destroy personal data, unless otherwise provided by an agreement to which the subject of personal data is the beneficiary or guarantor or by agreement between the Operator and the subject of personal data.
    2. In case of confirmation of personal data inaccuracy or illegality of their processing, personal data is subject to updating by the Operator, and processing should be stopped, respectively.
    3. The Operator is obliged, at the request of the subject of personal data or his representative, to inform the requester about the processing of personal data carried out by the Operator.
    4. Requests specified in clause 5.3 of this Policy should be sent to the Operator in writing at the address specified in paragraph 2 of clause 1.3 of this Policy and should state the address to which the Operator must send an answer.
    5. The Operator undertakes to provide a response to the request of the subject of personal data within a period not exceeding 20 (twenty) business days from the date of receipt of the request.
  6. MAJOR RIGHTS AND OBLIGATIONS OF THE OPERATOR AND PERSONAL DATA SUBJECTS
    1. Personal data subject has the right to receive information about processing of his personal data by the Operator, except as otherwise provided by law.
    2. Personal data subject has the right to require the Operator to clarify his personal data, block or destroy it, if the personal data is inaccurate, outdated, incomplete, obtained in violation of the law or is not necessary for the stated purpose of personal data processing.
    3. Personal data subject has the right to withdraw his consent to processing of personal data in the case when the Operator processes personal data on the basis of the consent of personal data subject.
    4. When processing personal data, the Operator is obliged to comply with the requirements of the law and this Policy.
  7. FINAL PROVISIONS
    1. The Operator has the right to make changes to this Policy, provided that interested parties are able to familiarize themselves with these changes in the same way as with this Policy.
    2. In everything else that is not provided for by this Policy, the Operator is guided by the requirements of the current legislation.
    3. No clauses of this Policy can be considered as aimed at restricting the rights and legitimate interests of personal data subjects.