Download Personal Data Processing Policy: eng | rus
Personal Data Processing Policy
Approved by the General Director’s
Order No. 3 dated 29.07.2025
and effective from 30.07.2025
1. General Provisions
1. This Personal Data Processing Policy (the Policy) sets forth the procedure for processing and protecting personal data of various categories of Data subjects (Subjects)[1] by the Autonomous Non-Profit Organization “International and Comparative Law Research Center” (INN 7707492159, OGRN 1147799008961, registered address: 14, bldg. 3, Kadashevskaya Embankment, Moscow, 119017) (the Center).
2. The Center considers the protection of human and civil rights and freedoms in the processing of personal data — particularly the right to privacy, personal and family secrets — to be a fundamental goal and prerequisite of its activities.
3. The Center may amend this Policy. The new version of the Policy shall enter into force from the moment it is made publicly available, including by publication on the Center’s website at https://iclrc.ru.
4. This Policy applies to all information the Center may receive about visitors to websites located under the domain names iclrc.ru and iclrc.org (including third-level domains).
2. Purposes, Categories, and Legal Grounds for Processing Personal Data
5. The Center may process personal data exclusively for the purposes for which such data was collected or received. The purposes of processing personal data and the categories of Data subjects are specified in the Annex to this Policy (the Annex).
6. The Center is entitled to process personal data for the stated purposes by any means not prohibited by law, including automated, non-automated, and mixed processing. Upon achieving the purposes of processing — or in the event such purposes no longer apply — unless otherwise required by law or agreed by the parties, the processed personal data shall be subject to deletion.
7. The Center does not process biometric data or information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, personal life, or criminal convictions.
8. The processing of personal data for the purposes specified in the Annex is carried out by the Center on the following legal grounds:
· the conclusion and performance of a contract to which the Subject is a party, beneficiary, or guarantor;
· the consent of the Subject, provided when completing documents, web forms, submitting requests to the Center, or in another form;
· the fulfillment of functions and obligations assigned to the Center under applicable law;
· the pursuit of the legitimate interests of the Center or third parties, or the achievement of objectives of public importance, provided that this does not violate the rights and freedoms of the Data subject.
3. Principles of Personal Data Processing
9. The processing of information by the Center is carried out in accordance with this Policy, the Center’s internal regulations, and the legislation of the Russian Federation, including Federal Law No. 152-FZ of 27 July 2006, “On Personal Data” (the Personal Data Law). In processing personal data, the Center seeks to take into account international best practices and approaches to data protection, provided they do not contradict the Personal Data Law.
10. The Center processes personal data based on the following principles:
· personal data is processed lawfully and fairly;
· the processing of personal data is limited to the achievement of specific, pre-defined, and lawful purposes;
· processing of personal data that is incompatible with the purposes of its collection is not permitted;
· combining databases containing personal data that is processed for incompatible purposes is not allowed;
· only personal data that is relevant to the purposes of processing shall be subject to processing;
· the content and scope of the processed personal data must correspond to the stated purposes of processing. Excessive processing of personal data in relation to those purposes is not permitted;
· when processing personal data, its accuracy, sufficiency, and relevance to the purposes of processing must be ensured; necessary measures must be taken to delete or correct incomplete or inaccurate personal data;
· personal data must be stored in a form that allows identification of the Subject for no longer than required to achieve the purposes of processing, unless a longer storage period is established by federal law, the Subject’s consent, or a contract to which the Subject is a party, beneficiary, or guarantor;
· processed personal data must be destroyed once the purposes of processing have been achieved or are no longer applicable or until the expiration of the processing terms, unless otherwise required by federal law;
· personal data processing must not be used to cause property and/or moral harm to Subjects or to hinder the exercise of their rights and freedoms.
4. Conditions for the Processing of Personal Data
11. The processing of information by the Center is carried out in accordance with this Policy, the Center’s internal regulations, and the legislation of the Russian Federation.
12. Personal data is processed by the Center, as well as by third parties engaged by the Center for processing or to whom personal data is transferred in accordance with Russian legislation. Such third parties may include, in particular:
· the Center’s contractors providing services, including support for the information systems used;
· co-organizers of events held by the Center;
· government or municipal authorities, in cases provided for by law.
13. Data collected by web analytics systems in use may also be accessed and processed by third-party providers of such systems (such as Yandex Metrica).
14. The Center may carry out cross-border transfers of personal data in accordance with the legislation of the Russian Federation.
15. The Center has the right to engage third parties to process personal data it receives and/or to transfer such data to them, as well as to receive data from them for the purposes specified in the Annex, without additional consent from the Data subject, provided that those third parties ensure confidentiality and data security. Such processing by third parties may be performed with or without the use of automation tools and may include any actions with personal data not prohibited by Russian law. Processing by a third party must be based on a contract that defines the list of actions (operations) to be performed with the personal data, the purposes of processing, and the security measures to be taken — including provisions prohibiting disclosure or distribution of personal data without the Subject’s consent, unless otherwise required by law, and in accordance with Article 19 of the Personal Data Law.
16. The Center undertakes to adopt necessary legal, organizational, and technical measures to protect received personal data from unlawful or accidental access, deletion, alteration, blocking, copying, provision, dissemination, or any other unlawful actions, and to comply with the principles and rules of processing established by the Personal Data Law and other relevant regulations.
17. The Center is prohibited from making decisions based solely on the automated processing of personal data that entail legal consequences or otherwise affect the rights and legitimate interests of the Data subject.
18. The Center does not place personal data in publicly accessible sources without the Data subject’s consent.
19. If the Center disseminates personal data of Subjects to an indefinite number of persons, including through its websites, it obtains the Data subjects’ consent to the processing of personal data intended for distribution, in accordance with Article 10.1 of the Personal Data Law. If Subjects set additional conditions or prohibitions for the further processing of their personal data, the Center shall make this information available by posting such conditions or restrictions on the relevant web pages where the data is disseminated.
5. Measures to Ensure the Security of Personal Data
20. The Center takes all necessary organizational and technical measures to protect personal data from unlawful or accidental access, deletion, alteration, blocking, dissemination, and other unlawful actions.
21. Measures to ensure the security of personal data at the Center include, but are not limited to, the following:
· accounting for the categories and list of personal data processed by the Center, the categories of Subjects, data retention periods, and the procedures for the deletion of such data;
· maintaining a register of data storage devices and information systems used to process personal data;
· determining the required level of protection for personal data processed within the Center’s information systems;
· identifying threats to the security of personal data when processed in information systems;
· determining and implementing technical and organizational protection measures prior to the launch of new personal data processing activities or systems;
· conducting and documenting an assessment of potential harm to Subjects in case of violation of the Personal Data Law, as well as correlating such harm with the protective measures applied by the Center;
· establishing rules for access to personal data in information systems, as well as ensuring registration and logging of actions involving personal data;
· using certified information security tools that have passed conformity assessment procedures as required by law;
· detecting incidents of unauthorized access to personal data and taking measures to eliminate and mitigate their consequences;
· restoring personal data that was modified or destroyed as a result of unauthorized access;
· identifying staff positions that require access to personal data (both automated and manual processing) in order to fulfill their job responsibilities;
· ensuring that employees directly involved in personal data processing sign to confirm their familiarity with Russian legislation on personal data protection, this Policy, and other internal policies on personal data protection, and providing appropriate training;
· monitoring and assessing the effectiveness of data protection measures before launching personal data information systems;
· conducting regular internal audits of compliance with Russian legislation on personal data processing and protection.
22. The Center appoints a person responsible for organizing the processing of personal data.
23. The Center’s internal documents (mandatory for all employees), as well as agreements with partners, contractors, and other relevant third parties, define:
· procedures for granting access to personal data;
· procedures for correcting personal data to ensure its accuracy and relevance in accordance with the purposes of processing;
· procedures for deleting or blocking personal data when necessary;
· procedures for processing requests from Subjects (or their legal representatives), including preparation of information about the existence of data related to a particular Subject, providing access, and handling requests to update, block, or delete data that is incomplete, outdated, inaccurate, unlawfully obtained, or no longer needed;
· procedures for handling requests from authorized data protection authorities;
· procedures for obtaining consent from Subjects;
· procedures for transferring personal data to third parties;
· procedures for handling physical data carriers;
· procedures for notifying the authorized data protection authority within the time limits established by law.
24. When collecting personal data, the Center ensures that the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), blocking, deletion, and deletion of personal data of Russian citizens is carried out using databases located on the territory of the Russian Federation.
6. Use of Cookies and Other Web Analytics Tools
25. Cookies are small files that are created and stored by a browser when visiting the Center’s websites. Cookies are stored on the user’s device for no more than one year and allow for tracking the website’s performance and usage characteristics.
26. Visiting and using the websites by default involves the generation and storage of cookies. However, users may delete cookies from their device at any time through their browser settings. Users may also disable cookies in their browser settings, though this may affect the functionality of the websites.
27. The Center’s websites use the following types of cookies:
| Technical and functional session cookies | These files, generated by the website engines, are used to ensure the smooth operation of the websites and to remember the user’s selected settings within a single session. |
| Analytical cookies | These files allow for counting the number of website users and identifying user actions on the site (such as visited pages, time spent, and the number of pages viewed). Analytical data is collected via Yandex Metrica. |
7. Rights of Data Subjects and Contact Information Regarding Personal Data Processing
28. When personal data is processed, Data subjects have the right to:
· request information concerning the processing of their personal data;
· receive explanations regarding matters related to the processing of their personal data;
· request the rectification, deletion, or blocking of their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or no longer necessary for the declared purpose of processing;
· object to the processing of their personal data for the purpose of receiving informational messages from the Center;
· withdraw any consent previously given to the Center for the processing of personal data;
· request that the Center block personal data in cases provided for in Clause 29 of this Policy;
· file objections to the processing of personal data in cases provided for in Clause 30 of this Policy;
· appeal the actions of the Center through administrative or judicial procedures.
29. A Data subject has the right to request that their personal data be blocked (temporarily suspended from processing) in the following cases:
· if the Subject contests the accuracy of the personal data — in which case the data is blocked for a period allowing the Center to verify its accuracy;
· if the Subject believes the data is being processed in violation of this Policy or applicable law — in such cases, the data is blocked for the period of verification of the processing grounds, and if unlawful processing is confirmed, until the violation is remedied;
· if the Subject opposes the deletion of data and instead requests restricted use, when they believe the processing is unlawful — until the violation is remedied;
· if the Center no longer needs the personal data, but the Subject requires it to exercise their right to appeal the Center’s actions — in such cases, the data is blocked for the time necessary for the Subject to submit the appeal;
· if the Subject has submitted an objection under Clause 30 of this Policy — the data is blocked until a determination is made as to whether the legitimate grounds for processing override the grounds of the objection.
30. The Data subject has the right, based on circumstances related to his/her particular situation, to object at any time to the processing of his/her personal data if he/she believes that such processing does not serve the Center’s legitimate interests and/or does not correspond to the stated purposes. In such cases, the Center must block the data and is not entitled to continue processing it unless it can demonstrate compelling legitimate grounds for doing so.
31. In case of any questions or concerns regarding the processing of personal data, including withdrawal of consent, you may contact the Center at privacy@iclrc.ru or send a written request to: 14 bldg. 3 Kadashevskaya Embankment, Moscow, 119017, Russia.
32. The Center responds to Data subject requests within the timeframes established by the legislation of the Russian Federation or, unless provided in the law, within the reasonable timing. If circumstances arise that require additional clarification, the Center may, in cases provided for by Russian law, extend the response period by up to 5 working days, provided that the Data subject is notified with a justified explanation for the delay.
Annex
| Purpose of processing | Categories of personal data | Categories of Subjects | Processing period | Procedure for deletion |
| Ensuring the possibility to attend the Center’s events (including event registration; access to the venue; distribution of information regarding the event; and sending materials related to the event after its conclusion) | · Full name; · Email address; · Place of work or study and position; · Other data the Subject deemed necessary to provide | Participants of events or projects organized or supported (co-organized) by the Center | 1 year after the event or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Ensuring the possibility of participation in the Center’s projects | · Full name; · Email address; · Place of work or study and position; · Educational background; · Other data the Subject deemed necessary to provide | Candidates for participation in the Center’s projects | Until the purposes of personal data processing are achieved, unless otherwise agreed with the individual Data subject, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Participation in the Center’s projects | · Full name; · Email address; · Place of work or study and position; · Educational background; · Bank details, taxpayer identification number (INN), passport data (if payment or reimbursement is expected); · Other data the Subject deemed necessary to provide | Participants of the Center’s projects | 2 years after the completion of the project or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Ensuring the participation of a speaker in an event or project, including payment or reimbursement of the speaker’s expenses | · Full name; · Email address; · Place of work or study and position; · Bank details, taxpayer identification number (INN), passport data (if participation in the event involves payment); · Other data the Subject deemed necessary to provide | Speakers at events or projects organized or supported (co-organized) by the Center | Until the purposes of personal data processing are achieved, unless otherwise agreed with the individual Subject, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Issuance of a library card and provision of access to the Center’s Library | · Full name; · Email address; · Place of work or study and position; · Phone number | Visitors to the Center’s Library | Until the purposes of personal data processing are achieved, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Provision of access to databases (for use and content contribution) | · Full name; · Email address; · Place of work or study and position; · Country of residence; · Other data the Subject deemed necessary to provide | Individuals contributing information to the databases, as well as users of the databases | Until the purposes of personal data processing are achieved, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Participation in the internship program | · Full name; · Email address; · Phone number; · Place of study and level of education; · Other data the Subject deemed necessary to provide | Interns of the Center and candidates for internship programs | Until the purposes of personal data processing are achieved, unless otherwise agreed with the individual Subject, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Responses to Data subject inquiries | · Full name; · Email address; · Place of work or study and position; · Phone number; · Other data the Subject deemed necessary to provide | Individuals who have submitted inquiries to the Center via email or by filling out web forms on the websites | Until the purposes of personal data processing are achieved, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Conclusion and performance of civil law contracts | · Full name; · Date of birth; · Bank details, taxpayer identification number (INN), passport data; · Email address; · Phone number; · Other data the Subject deemed necessary to provide | Contractors under civil law contracts (individuals) | 3 years after the fulfillment of all obligations under the contract | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Conclusion of civil law contracts | · Full name; · Other data the Subject deemed necessary to provide | Representatives of contractors under civil law contracts | 3 years after the fulfillment of all obligations under the contract | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
| Distribution of informational mailings | · Full name; · Email address; · Place of work or study and position; · Other data the Subject deemed necessary to provide | Data subjects who have consented to receive informational mailings | Until the purposes of personal data processing are achieved, or until the date of consent withdrawal | Deletion of information from electronic storage devices; transfer of paper documents to a disposal company |
[1] Except for employees, former employees, and employees’ family members.
