Federal state budgetary institution of culture

“The Central Museum of the Great Patriotic war 1941-1945.”

Personal Data Processing Policy


1. General provision


1.1. Federal state budgetary institution of culture "The Central Museum of the Great Patriotic war of 1941-1945" Personal Data Processing Policy (hereinafter referred to as the Policy) is developed in pursuance of requirements of item 2 of clause 1 of Article 18.1 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data" (hereinafter referred to as the Law on personal data) for the purpose of ensuring of protection of the rights and freedoms of the person and the citizen at processing of his personal data, including protection of the rights to the inviolability of private life, personal and family secret.

1.2. The Policy applies to all personal data processed by the Federal state budgetary institution of culture "The Central Museum of the Great Patriotic war of 1941-1945" (hereinafter referred to as the Operator, Victory Museum).

1.3. The Policy applies to the relationships regarding personal data processing, arose with the Operator both before and after the approval of the Policy.

1.4. In compliance with the requirements of clause 2 of Article 18.1 of the Law on personal data, this Policy is published in free access on the Operator's website in the information and telecommunications network “Internet”.

1.5. Basic terms and definitions used in the Policy:

personal data – any information relating directly or indirectly to a specific or identifiable individual (the subject of personal data);

operator of personal data (the operator) – a state body, municipal body, legal or physical person who independently or jointly with other persons organizing and (or) carrying out processing of personal data, and also defining purposes of personal data processing, the scope of personal data to be processed, actions (operations) committed with personal data;

processing of personal data – any action (operation) or a set of actions (operations) with personal data performed with the use of automation tools or without their use. The processing of personal data includes but is not limited to:

• collection;

• recording;

• systematization;

• accumulation;

• storage;

• refinement (update, change);

• extraction;

• use;

• transfer (distribution, provision, access);

• depersonalization;

• blocking;

• deletion;

• destruction;

automated processing of personal data – processing of personal data by means of computer technology;

dissemination of personal data – actions aimed at disclosure of personal data to an indefinite circle of persons;

provision of personal data – actions aimed at disclosure of personal data to a certain person or a certain circle of persons;

blocking of personal data – temporary termination of the processing of personal data (except if the processing is necessary to clarify personal data);

destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the material carriers of personal data are destroyed;

depersonalization of personal data – actions, as a result of which it becomes impossible without the use of additional information to determine the identity of personal data to a particular subject of personal data;

information system of personal data – a set of personal data contained in databases and providing their processing of information technologies and technical means;

cross-border transfer of personal data – transfer of personal data to the territory of a foreign state, a foreign state authority, a foreign individual or foreign legal entity.

1.6. Basic rights and obligations of the Operator.

1.6.1. The Operator has the right to:

1) independently determine the scope and the list of measures necessary and sufficient to ensure the fulfillment of the obligations contemplated by the Law on personal data and the regulatory legal acts adopted in accordance therewith, unless otherwise contemplated by the Law on personal data or other Federal laws;

2) entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise contemplated by Federal law, on the basis of the concluded Agreement with this person. A person, processing personal data on behalf of the Operator, is obliged to comply with the principles and rules of personal data processing contemplated by the Law on personal data;

3) in case of withdrawal of the consent on the personal data processing by the subject of personal data, the Operator has the right to continue the processing of personal data without the consent of the subject of personal data if there are grounds specified in the Law on personal data.

1.6.2. The Operator is obliged to:

1) organize the processing of personal data in accordance with the requirements of the Law on personal data;

2) respond to requests and inquiries of subjects of personal data and their legal representatives in accordance with the requirements of the Law on personal data;

3) report to the authorized body for the protection of the rights of the subjects of personal data (The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)) the necessary information upon request of this body within 30 days from the date of receiving of such request.

1.7. Basic rights of the subject of personal data. The subject of personal data has the right to:

1) receive information concerning the processing of his personal data, with exception of cases contemplated by Federal laws. The information shall be provided to the subject of personal data by the Operator in an accessible form, and it should not contain personal data relating to other subjects of personal data, except the cases when there are the legal grounds for disclosure of such personal data. The list of information and the procedure of its obtaining is established by the Law on personal data;

2) require from the Operator refinement of his personal data, blocking or destruction them in case of the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures contemplated by the law for protection own rights;

3) appeal to Roskomnadzor or in court the illegal actions or inaction of the Operator in the processing of his personal data.

1.8. The main duties of the subject of personal data. The subject of personal data is obliged to:

1) provide reliable information containing personal data to the extent necessary for the purpose of processing;

2) inform the Operator about the refinement (update, change) of their personal data.

1.9. Control over the implementation of the requirements of the Policy is carried out by the authorized person responsible for the organization of personal data processing at the Operator.

1.10. Responsibility for violation of the requirements of the legislation of the Russian Federation and regulations of Victory Museum in regard to processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.


2. Purposes of personal data collection


2.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of personal data collection is not allowed.

2.2. Only personal data that meet the purposes of processing are subject to processing.

2.3. The processing of personal data by the Operator is carried out for the following purposes:

• ensuring the compliance with the Constitution of the Russian Federation, Federal laws and other regulatory legal acts of the Russian Federation;

• organization of proper functioning of structural units of the Operator;

• implementation of activities in accordance with the Charter of Victory Museum;

• organization of proper provision of services to visitors;

• creation and maintenance of the information system National historical depositary “Victory in Faces”;

• HR records management;

• assistance to employees in employment, education and promotion, provision of personal safety of employees, quality and quantity control of performed work, ensuring the safety of the property;

• recruitment and selection of candidates to work on the Operator;

• organization of individual (personalized) registration of employees in the system of compulsory pension insurance;

• filling in and submission of the required reporting forms to the executive authorities and other authorized organizations;

• implementation of civil law relations;

• accounting;

• implementation of the staff access control procedure;

• ensuring the safety of employees and visitors of Victory Museum.


3. Legal grounds for the processing personal data


3.1. The legal grounds for the processing of personal data is a set of normative legal acts, pursuant to which and in accordance with which the Operator performs the processing of personal data, including:

• The law of the Russian Federation of 14.01.1993 N 4292-1 “About perpetuating of memory of the dead in case of protection of the Fatherland”;

• Constitution of the Russian Federation;

• Civil Code of the Russian Federation;

• Labor Code of the Russian Federation;

• Tax Code of the Russian Federation;

• Federal Law No. 7-FZ of 12.01.1996 “On Non-profit Organizations”;

• Federal Law No. 44-FZ of 05.04.2013 “On the contract system in the procurement of goods, works and services for state and municipal needs”;

• Federal Law No. 223-FZ of 18.07.2011 “On Procurement of Goods, Works and Services by Certain Types of Legal Entities”;

• Federal Law No. 402-FZ of 06.12.2011 “On Accounting”;

• Federal Law No. 167-FZ of 15.12.2001 “On Compulsory Pension Insurance in the Russian Federation”;

• Federal Law No. 259-FZ of 08.11.2007 “Charter of road transport and urban land electric transport”;

• other regulatory legal acts regulating relations related to the Operator's activities.

3.2. The legal basis for the processing of personal data is also:

• the Charter of Victory Museum;

• Agreements concluded between the Operator and the subjects of personal data;

• consent of the subjects of personal data to personal data processing


4. The volume and categories of processed personal data,

the categories of the subjects of personal data.


4.1. The content and volume of the processed personal data shall correspond to the declared purposes of processing stipulated in section № 2 of the Policy. The processed personal data shall not be excessive in relation to the stated purposes of their processing.

4.2. The operator may process personal data of the following categories of the subjects of personal data.

4.2.1. Candidates for employment at the Operator:

• surname, name, patronymic name;

• gender;

• citizenship;

• date and place of birth;

• contact details;

• educational background, work experience, qualifications;

• other personal data provided by candidates in resumes and cover letters.

4.2.2. Current and former the Operator`s employees:

• surname, name, patronymic name;

• gender;

• citizenship;

• date and place of birth;

• image (photo);

• passport details;

• address of registration at the place of residence;

• current residential address;

• contact details;

• individual taxpayer identification number;

• insurance number of individual personal account (SNILS);

• educational background, qualifications, training and professional development;

• marital status, children, relatives;

• previous employment details, including awards and (or) disciplinary sanctions at previous places of work;

• date of marriage registration;

• military service details;

• information on disability;

• information on alimony withholding;

• information on income at previous place of work;

• other personal data provided by employees in accordance with the requirements of the labor legislation.

4.2.3. Information on family members of the Operator's employees:

• surname, name, patronymic name;

• degree of relationship;

• year of birth;

• other personal data provided by employees in accordance with the requirements of the labor legislation.

4.2.4. Customers and contractors of the Operator (individuals):

• surname, name, patronymic name;

• date and place of birth;

• passport details;

• address of registration at the place of residence;

• contact details;

• working position held;

• individual taxpayer identification number;

• current account number;

• other personal data provided by clients and contractors (individuals) necessary for the conclusion and execution of contracts.

4.2.5. Representatives (employees) of Operator's clients and counterparties (legal entities):

• surname, name, patronymic name;

• passport details;

• contact details;

• working position held;

• other personal data provided by representatives (employees) of clients and contractors necessary for the conclusion and execution of contracts.

4.2.6. Participants of the project National historical depositary “Victory in Faces” (individuals):

• surname, name, patronymic;

• contact details;

• other personal data provided by the participants of the project National historical depositary “Victory in Faces” (individuals), necessary for participation in the project, provided within the framework of the “CONSENT ON THE PROCESSING OF PERSONAL DATA”, which is an Appendix to the Agreement on participation in the project National historical depository “VICTORY IN FACES”.

4.3. The Operator shall conduct the processing of biometric personal data (data that characterize the physiological and biological characteristics of a person, based on which it is possible to establish his identity) in accordance with the legislation of the Russian Federation.

4.4. The Operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health condition, intimate life, except the cases stipulated by the legislation of the Russian Federation.


5. Procedure and conditions of personal data processing


5.1. The Operator executes processing of personal data in accordance with the requirements of the legislation of the Russian Federation.

5.2. The processing of personal data shall be carried out with the consent of the subjects of personal data on the processing of their personal data, as well as without any consent in cases stipulated by the legislation of the Russian Federation.

5.3. The Operator performs both automated and non-automated processing of personal data.

5.4. Operator's employees are allowed to process personal data in whose job duties include personal data processing.

With regard to the information system “National historical depository “Victory in Faces”” the access to the processing of personal data is carried out by employees of the Operator, as well as persons involved in the implementation of this project.

5.5. Processing of personal data shall be executed by:

• receiving personal data in oral and written forms directly from the subjects of personal data;

• obtaining personal data from publicly available sources;

• entering personal data into the Operator's registration books, rosters and information systems;

• usage of other methods of personal data processing.

5.6. Any disclosure to third parties and dissemination of personal data without the consent of the subject of personal data is prohibited, unless otherwise contemplated by the Federal law.

5.7. The transfer of personal data to investigative authorities, the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund and other authorized executive bodies and organizations shall be carried out in accordance with the requirements of the legislation of the Russian Federation.

5.8. The Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions thereto, including:

• identifies threats to the security of personal data during their processing;

• adopts local regulations and other documents regulating relations in respect of processing and protection of personal data;

• appoints persons responsible for ensuring the security of personal data in the structural    divisions and information systems of the Operator;

• establishes the necessary conditions for operation with personal data;

• organizes the registration of documents which contain personal data;

• organizes operation of information systems in which personal data is processed;

• keeps personal data in conditions that ensure their safety and exclude unauthorized access to them;

• organizes training of the Operator's employees who are in charge of personal data processing.

5.9. The Operator shall store personal data in a form that allows to determine the subject of personal data, no longer than the purposes of personal data processing require, if the period of storage of personal data is not established by the Federal law or the Agreement.

5.10. During the process of personal data collection, including through the information and telecommunication network Internet, the Operator shall ensure the recording, systematization, accumulation, storage, refinement (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified by the Law On personal data.


6. Actualization, correction, deletion and destruction

of personal data. The answers to the inquiries of the subjects

for access to personal data


6.1. The confirmation of the processing of personal data by the Operator, the legal basis and purpose of processing of personal data and other information are stated in clause 7 of article 14 of the Law On personal data, shall be provided by the Operator to the subject of personal data or his representative upon request or upon receiving an inquiry of the subject of personal data or his representative.

The provided data shall not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosure of such personal data.

The request must contain:

• the main ID number of the subject of the personal data or his representative, information regarding the date of issue of mentioned document and the issuing authority;

• information confirming the participation of the subject of personal data in relations with the Operator (agreement number, date of the agreement conclusion, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;

• signature of the subject of the personal data or his representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the inquiry (request) of the subject of the personal data does not reflect all the necessary information in accordance with the requirements of the Law on personal data or the subject does not have the rights of access to the requested information, a reasonable refusal should be sent to him.

The right of the subject of personal data to access his personal data may be limited in accordance with clause 8 of article 14 of the Law on personal data, including if the access of the subject of personal data to his personal data violates the rights and legitimate interests of third parties.

6.2. In case of detection of inaccurate personal data at inquiry by the subject of personal data or either his representative request or at the request of Roskomnadzor the Operator shall block the personal data related to the subject of personal data, from the moment of such request or receiving of the stated request for the period of the revision if blocking of personal data does not violate the rights and legitimate interests of subject of the data or third parties.

In case of confirmation of the fact of inaccuracy of personal data, the Operator on the basis of the data provided by the subject of personal data or his representative or Roskomnadzor, or other necessary documents clarifies personal data within seven working days from the date of submission of such data and unblocking the personal data.

6.3. In case of detection of unlawful processing of personal data within inquiry (request) of the subject of the personal data or his representative or Roskomnadzor the Operator performs the blocking of unlawfully processed personal data relating to the subject of personal data, from the moment of such inquiry or receiving of the request.

6.4. At the moment of purposes achievement of processing of personal data, as well as if the subject of personal data withdraws consent to their processing, personal data shall be destroyed if:

• other is not stipulated by the Agreement, under which the subject of personal data consists as the Party, beneficiary or granter hereof;

• the Operator shall not be entitled to process personal data without the consent of the subject of personal data on the grounds contemplated by Law on the personal data or other Federal laws;

• other is not agreed between the Operator and the subject of personal data.