25-27 сентября 2025 г.
Иркутск, ВК «Сибэкспоцентр»
PERSONAL DATA PROCESSING POLICY
1. General provisions
1.1. This Policy of Expotur LLC (hereinafter referred to as the Operator, Organization) regarding the processing of personal data defines the purposes, content and procedure for processing personal data, measures aimed at protecting personal data, as well as procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data in the Organization.
1.2. This Personal Data Processing Policy (hereinafter referred to as the Policy) is drawn up in accordance with Article 7, paragraph 2 of Article 18.1 of Federal Law No. 152 — FZ “On Personal Data” of July 27, 2006, Article 86 of the Labor Code of the Russian Federation, Article 152.2. of the Civil Code of the Russian Federation, as well as other relevant documents. legal acts of the Russian Federation in the field of personal data protection and processing and applies to all personal data (hereinafter referred to as Data) that an Organization may receive from a personal data subject, a Site user who is a consumer of the site’s services https://www.itmexpo.ru / (hereinafter referred to as the “Site”), which contains information about the Operator’s services, and from the personal data subject who is in a relationship with the Operator regulated by labor law (hereinafter referred to as the Employee).
1.3. The Operator ensures that processed personal data is protected from unauthorized access and disclosure, as well as from misuse or loss, in accordance with the requirements of Federal Law No.
1.4. The operator of Expotur LLC (TIN / OGRN 7701626600 / 1057748926630) is located at: 47 Myasnitskaya str., Moscow, 101001, Russia. The legal address of Expotur LLC is: 105082, Moscow, Rubtsovskaya embankment, 3, building 1, room. 1/1/4.
1.5. This Policy and its amendments are approved by the General Director of Expotur LLC and introduced by order. All employees of Expotur LLC must be familiar with this Policy and its amendments under their signature. This Policy is binding on all Expotur LLC employees who have access to their personal data.
1.6. In order to ensure unrestricted access to this document, which defines the policy of Expotur LLC regarding the processing of personal data and in the field of measures implemented to protect personal data, Expotur LLC publishes the text of this Policy on the official website of Expotur LLC https://www.itmexpo.ru.
1.7. The website may contain hyperlinks to other websites provided by third parties. The Operator does not control or assume responsibility for the websites of third parties that the user may access through the links available on the website. Once the user has left the websites, the Operator is not responsible for the protection or confidentiality of any information provided by the user as a personal data subject and personal information. The personal data subject should exercise caution and review the relevant privacy policy of the website they are visiting.
1.8. Expotour LLC reserves the right to make necessary changes to the Policy in case of changes in the current legislation of the Russian Federation and the conditions of its activities.
2. Basic concepts
2.1. The following basic concepts are used in this Policy:
Personal data is any information related to a directly or indirectly identified or identifiable individual (subject of personal data).
Confidential personal information is information that can be processed when visiting the Website, which is automatically transmitted to the Website’s services during their use using software installed on the subject’s personal data device, which uses cookies (metric programs).
Operator — a legal entity or individual that independently or jointly with other persons organizes and / or performs the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Personal data processing is any action (operation) or a set of actions (operations) performed using automation tools or without such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
Automated processing of personal data — processing of personal data using computer technology.
Personal data information system — a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Publicly available personal data — personal data placed by the subject of personal data in publicly available sources of personal data (including reference books, address books), access to which is granted to an unlimited number of persons, or personal data placed in publicly available sources of personal data on the basis of the written consent of the subject of personal data.
Dissemination of personal data — actions aimed at disclosing personal data to an indefinite group of persons.
Provision of personal data — actions aimed at disclosing personal data to a certain person or a certain group of persons.
Blocking of personal data — temporary termination of the processing of personal data (except in cases where the processing is necessary to clarify personal data).
Personal data anonymization is an action that makes it impossible to identify a specific data subject without using additional information.
Destruction of personal data is an action that makes it impossible to restore the content of personal data in the personal data information system and (or) destroys the physical media of personal data.
Cookies are a piece of data that the Website requests from the browser used on the User’s personal computer or mobile device, which reflects the User’s preferences and actions on the Website, as well as information about the User’s equipment, date, and time of visiting the Website.
2.2. Personal data processing in the Organization is carried out using automation tools or without using such tools and includes the collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data of personal data subjects whose personal data is processed in the Organization.
2.3. Processing of personal data without the use of automation tools can be carried out in the form of documents on paper media and in electronic form (files, databases) on electronic media.
2.4. Categories of personal data subjects processed by the Operator:
2.4.1. Employees are individuals, job candidates, employees, their family members, former employees, and other individuals whose personal data the Organization is required to process in accordance with labor laws;
2.4.2. Visitors are individuals who are or have been visitors to the Organization’s exhibitions, as well as participants in non-exhibition events, and who have expressed a desire to attend them.
2.4.3. Contractors are individuals (subjects of personal data), participants in events, individuals providing services (performing work) for the Organization, and other individuals who have entered into or intend to enter into a civil law contract with the Organization;
2.4.4. Users are individuals who use the Organization’s website on the Internet to obtain information about the services and events provided by the Organization.
3. The purposes of processing personal data and the corresponding lists of personal data processed
3.1. The personal data of the subjects of personal data specified in subparagraph 2.4.1. of paragraph 2 of this Policy is processed for the following purposes:
— ensuring compliance with labor legislation by the Operator;
— assistance to employees in finding employment;
— obtaining education and promotion;
— ensuring personal safety of employees;
— monitoring the quantity and quality of work performed;
— ensuring the safety of property;
— ensuring the working conditions, guarantees, and compensations established by Russian legislation.
3.1.1. Personal data of employees processed by the Organization for the purposes specified in clause 3.1.:
— last name, first name, patronymic (if any) (including previous surnames, first names, etc.
(or) middle names (if any), if they are changed);
— date and place of birth;
— information about citizenship;
— type, series, number of the identity document of a citizen of the Russian Federation, name of the body, code of the subdivision of the body that issued it, date of issue;
— type, series, number of the identity document of a citizen of the Russian Federation outside the Russian Federation, name of the authority that issued it, date of issue;
— address of the place of residence, date of registration at the place of residence (place of stay); |
— phone number, email address;
— information contained in the insurance certificate of the mandatory pension fund of the Russian Federation.
insurance policy or a document confirming registration in the individual (personalized) accounting system;
— taxpayer identification number;
— details of the compulsory health insurance policy;
— details of the certificate of state registration of civil status acts;
— information about your marital status and family composition;
— information about employment, including part-time work, business and other activities, and military service;
— information about military service, military registration, and details of military registration documents (series, number, date of issue, and name of the issuing authorities);
— information about education, including the name of the educational institution, the year of graduation, the qualification, specialty, and (or) field of study, as well as the name and details of the educational document;
— information about proficiency in foreign languages and the languages of the peoples of the Russian Federation;
— information about the presence or absence of a disease that prevents the employee from performing their work;
— photo;
— current account number;
— bank card number;
— other information that the personal data subject wishes to provide about themselves and that meets the purposes of personal data processing specified in paragraph 3.2. of this Policy.
3.1.2. The Organization’s documents that contain employees’ personal data are:
— sets of documents accompanying the process of formalizing labor relations during recruitment, transfer, and dismissal;
— sets of materials on questionnaires, testing, and conducting interviews with candidates for a position;
— originals and copies of personnel orders (instructions);
— personal files, workbooks, and information about employees’ work experience;
— files containing employee certification materials;
— cases containing materials from internal investigations;
— reference and information database on personnel (card files, journals);
— copies of reports sent to state regulatory bodies.
3.2. The personal data of the subjects of personal data specified in subparagraph 2.4.2. of paragraph 2 of this Policy is processed for the following purposes:
— carrying out civil law relations related to attending exhibitions and other events organized by the Organization.
3.2.1. Personal data of customers processed by the Organization for the purposes specified in clause 3.2.:
— last name, first name and patronymic;
— email address;
— contact phone number;
— bank details.
3.2.2. The Organization’s documents that contain personal data of the clients specified in subparagraph 2.4.2. of clause 2 of this Policy are:
— civil law contracts and documents related to their execution;
— tickets for attending events;
— automated databases created by the Operator.
3.3. The personal data of the subjects of personal data specified in subparagraph 2.4.3. of paragraph 2 of this Policy is processed for the following purposes:
— preparation, conclusion, and execution of civil law contracts.
3.3.1. Personal data of contractors processed by the Organization for the purposes specified in clause 3.3.:
— last name, first name, patronymic (if any);
— type, series, number of the document confirming the identity of a Russian Federation citizen, name of the authority, code of the unit of the authority that issued it, and date of issue;
— information about the taxpayer’s identification number;
— residential address, date of registration at the place of residence (place of stay);
— address of actual residence;
— information about work experience and total work experience;
— position;
— place of work;
— phone number and email address;
— postal address;
— additional information provided by the personal data subject (contractor) at their own request.
3.3.2. The Organization’s documents that contain the personal data of the contractors specified in subparagraph 2.4.3. of paragraph 2 of this Policy are:
— a copy of a passport or other identity document;
— copy of the power of attorney;
— statutory documents;
— extracts from the Unified State Register of Legal Entities, Unified State Register of Legal Entities;
— copies of permits (patents, licenses, certificates, permits, etc.);
— data stored in government registers;
— contracts concluded between the Organization and its counterparties;
— other documents provided by contractors for the purpose of preparing, concluding and executing civil contracts.
3.4. Personal data of the subjects of personal data specified in subclauses 2.4.3. of clause 2 of this Policy are processed for the following purposes::
— creating a database of counterparties for concluding and executing contracts.
3.4.1. Personal data of counterparties processed by the Organization for the purposes specified in clause 3.4.:
— last name, first name, patronymic (if any);
— phone number, email address.
3.4.2. Documents of the Organization that contain personal data of counterparties used for the purposes set out in clause 3.4. of this Policy are::
— contracts/copies of contracts concluded by counterparties with the Organization;
— electronic databases created by the Organization.
3.5. Confidential personal information of the subjects of personal data specified in sub-clause 2.4.4. of clause 2 of this Policy is processed for the following purposes::
— collecting statistical information about the actions and functions that users of the Site are most interested in, in order to provide a better and more personalized experience, study demand, improve the quality of service, and organize access to information about the Organization’s activities posted on the Site in the Internet information and telecommunications network.
3.5.1. Confidential personal information of users processed by the Organization for the purposes specified in clause 3.5.:
— data that is automatically transmitted to the site’s services during their use using the software installed on the user’s device;
— IP address;
— cookie data;
— parameters and settings of Internet browsers (or other programs used to access the site’s services);
— log files, hardware and software specifications used by the user;
— date and time of access to the Site’s services;
— addresses of the requested pages;
— order history;
— information about subscriptions and messages to the support service;
— other similar information.
3.5.2. Confidential personal information of users used for the purposes established by paragraph 3.5. of this Policy is contained in text files (Cookies) that the website stores on the user’s computer using a browser, including:
Session cookies are temporary cookies that are stored during the User’s time on the Site and are deleted after the User leaves the Site. Session cookies allow the Site to remember the User’s choices on the previous site to avoid the need to re-enter information.
persistent — Cookies that are stored on the User’s personal computer and are not deleted when the browser is closed. Persistent Cookies can store user preferences for a specific website, allowing these preferences to be used in future browsing sessions. These Cookies identify the User of the Website as unique and help to remember information about the User and their previous actions when the User returns to the Website.
statistical data includes information about the use of the Website. Its main purpose is to improve the Website’s functionality.
mandatory cookies are required for the proper functioning of the Website.
4. Receiving and processing employees ’ personal data
4.1. Receiving personal data.
4.1.1. The Operator receives personal data, with the exception of publicly available personal data, directly from the subjects of personal data, or from persons who have duly executed powers to represent the interests of personal data subjects when transferring personal data to the Operator.
4.1.2. If the subject’s personal data can only be obtained from a third party, the subject is notified in advance and written consent must be obtained from him. The organization informs the personal data subject about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the subject’s refusal to give written consent to receive them.
4.1.3. The Organization does not have the right to receive and process information about the subject of personal data related to special categories of personal data in accordance with the legislation of the Russian Federation in the field of personal data, except for cases stipulated by the Labor Code and other federal laws.
4.1.4. Upon receipt of personal data, the Operator is obliged to inform the personal data subject:
— about the purposes for which the Operator receives personal data;
— about the list of personal data requested by the Operator;
— about the list of actions that the Operator intends to perform with personal data;
— the period during which the consent of the personal data subject to the processing of personal data is valid;
— on the procedure for revoking consent to the processing of personal data;
— about the consequences of the personal data subject’s refusal to provide the Operator with consent to receive and process personal data.
4.1.5. Confidential personal information is collected automatically using metric programs in connection with the user’s activity on the Site. When you visit the site, all logins to your account are recorded. Other information about user traffic is not processed or stored.
Some Site pages have Yandex. Metrica service codes installed. This service can receive and process information only about the fact that the user visited the page, and other information that is transmitted by the user’s browser. The use of this service is necessary for the Operator to quickly analyze site visits, evaluate internal and external site traffic, view depth, and user activity. Data received from the specified service is not stored or processed.
4.2. Processing of personal data
4.2.1. The Operator processes personal data in accordance with the principles and rules provided for by
— with the consent of the personal data subject to the processing of their personal data. Consent to the processing of personal data is considered to have been obtained by the Operator from the moment the personal data subject provides written consent to the processing of personal data, or from the moment a special mark is placed in the corresponding field of the personal data collection form on the Website, and in cases established by law, only from the moment a separate written consent to the processing of personal data is provided;
— processing of personal data is necessary for the preparation, conclusion, and execution of a civil law contract in which the subject of personal data is a party, beneficiary, or guarantor;
— in cases where the processing of personal data is necessary for the Operator to carry out and fulfill the functions, powers, and duties assigned by the legislation of the Russian Federation;
— processing of personal data is necessary to protect the life, health, or other vital interests of the subject of personal data, if obtaining the subject’s consent is not possible;
— the collection and processing of personal information using cookies is carried out with the user’s consent.
4.2.2. Only those personal data that meet the processing purposes specified in this Policy are subject to processing. Personal data is not subject to processing if its nature and scope do not meet the specified purposes.
4.2.3. If the Operator needs biometric personal data or health data to achieve the goals specified in paragraph 3 of this Policy, such processing is carried out only on the basis of the subject’s written consent in accordance with the law. Processing of special categories of personal data must be immediately stopped if the reasons for its implementation are eliminated.
4.2.4. The Operator also has the right to ask the subject of personal data to provide additional consent if it is necessary to use personal data and personal information for purposes other than those specified in this Policy.
4.4. The consent to the processing of personal data may be revoked by the subject of personal data. In the event of revocation of the consent to the processing of personal data, the Organization may continue to process personal data without the consent of the subject of personal data if the grounds specified in the paragraphs
4.5. If, for any reason, the User does not want the services installed on the Site to have access to his / her personal information, the user can “log out” (log out of his / her account) or clear cookies (via his / her browser) at his / her own request.
5. Terms, procedures, and methods of processing personal data of subjects
personal data
5.1. Before processing personal data, the Organization must notify Roskomnadzor of its intention to process personal data.
5.2. The legal basis for processing personal data is:
5.2.3. To process the personal data of contractors (clause 2.4.3. of the Policy), the operator’s statutory documents, civil law contracts concluded between the operator and the subject of personal data, and Federal Law No. 27 of July 2006
5.3. The Organization processes personal data in the following ways::
— non-automated processing of personal data (for the purposes specified in clauses 3.1 −3.5 of this Policy);
— automated processing of personal data with or without transmission of the received information via information and telecommunication networks (for the purposes specified in paragraphs 3.1. −3.8. of this Policy);
— mixed processing of personal data (for the purposes specified in clauses 3.1 −3.5 of this Policy).
— non-automated processing of personal data (for the purposes specified in clauses 3.1 −3.5 of this Policy);
— automated processing of personal data with or without transmission of the received information via information and telecommunication networks (for the purposes specified in paragraphs 3.1. −3.8. of this Policy);
— mixed processing of personal data (for the purposes specified in clauses 3.1 −3.5 of this Policy).
5.4. The collection, recording, systematization, accumulation and refinement (updating, modification) of personal data in the Organization is carried out by::
— receiving original documents or copies thereof;
— copying of original documents;
— entering information in accounting forms on paper and electronic media;
— entering information in registration and other forms of collection;
— creation of documents containing personal data on paper and electronic media;
— entering personal data into personal data information systems;
— getting information about your personal data by phone or by e-mail;
— metric programs.
5.5. The Organization uses the following information systems::
— corporate email;
— electronic document management system;
— user workplace support system;
— system of normative reference information;
— HR management system;
— remote access control system;
— information portal;
— metric programs.
5.6. Employees and representatives of the Operator who have the right to process personal data in information systems are provided with a unique login and password to access the relevant information system, in accordance with the functions provided for in the official regulations.
5.7. Ensuring the security of personal data processed in information systems is achieved by preventing unauthorized, including accidental, access to personal data.
5.8. Access by the Operator’s employees to personal data stored in the Operator’s personal data information systems requires mandatory identification and authentication procedures.
5.9. The exchange of personal data during their processing in the Operator’s personal data information systems is carried out via communication channels, the protection of which is ensured by implementing appropriate organizational measures and using software and technical means in accordance with Article 19 of the Federal Law “On Personal Data”.
5.10. In the event of violations of the procedure for processing personal data in the Operator’s personal data information systems, the authorized responsible employees take measures to establish the causes of the violations and eliminate them as soon as such violations are detected.
5.11. Employees and their representatives must be provided with a signed copy of the Operator’s documents that establish the procedure for processing personal data, as well as their rights and obligations in this area.
6. Transfer and dissemination of personal data
6.1. When the Organization transfers personal data, the subject of personal data must give their consent in writing or electronically. If an employee has given their consent to transfer personal data electronically, they must sign the consent with an enhanced electronic digital signature.
6.2. The organization has the right to transfer information related to the personal data of an employee, client, or counterparty without their consent, if such information needs to be transferred upon request from government agencies in accordance with the procedures established by law.
6.3. The organization does not have the right to provide personal data to a third party without the written consent of the subject of personal data, except in cases where it is necessary to prevent a threat to the employee’s life and health, as well as in cases established by law.
6.4. In the event that the person who made the request is not authorized by federal law to receive information related to the personal data of the subject of personal data, the Organization is obliged to refuse to provide the information to the person. The person who made the request is issued a notification about the refusal to provide information.
6.5. An employee’s personal data may be transferred to employee representatives in accordance with the procedure established by the Labor Code, to the extent necessary for these representatives to perform their functions.
6.6. Consent to the processing of personal data permitted by the subject of personal data for distribution is issued separately from other consents of the subject of personal data to the processing of his personal data.
6.7. The organization is obliged to provide the personal data subject with the opportunity to determine the list of personal data for each category of personal data specified in the consent to the dissemination of personal data.
6.8. If it does not follow from the consent provided by the personal data subject to the dissemination of personal data that the personal data subject has agreed to the dissemination of personal data, such personal data is processed by the Organization without the right of dissemination.
6.9. If the consent to the transfer of personal data provided by the personal data subject does not indicate that the personal data subject has not established prohibitions and conditions for the processing of personal data or has not indicated the categories and list of personal data for which the personal data subject sets conditions and prohibitions, the Organization processes such personal data without the possibility of transfer (distribution, provision, access) to an unlimited number of persons.
6.10. The consent of the personal data subject to the dissemination of personal data may be provided to the Operator:
— directly;
— using the information system of the authorized body for the protection of the rights of personal data subjects.
6.11. In consenting to the dissemination of personal data, the subject of personal data has the right to establish prohibitions on the transfer (except for granting access) of these personal data by the Organization to an unlimited number of persons, as well as prohibitions on processing or conditions for processing (except for obtaining access) of these personal data by an unlimited number of persons. The Organization may not refuse to establish prohibitions and conditions by the subject of personal data.
6.12. The organization is obliged to publish information on the terms of processing and the existence of prohibitions and conditions for processing the subject’s personal data by an unlimited number of persons for distribution within three business days of receiving the subject’s consent.
6.13. The transfer (distribution, provision, access) of personal data authorized for distribution by the personal data subject must be terminated at any time upon its request. This requirement should include the last name, first name, patronymic (if any), contact information (phone number, email address or postal address) of the personal data subject, as well as a list of personal data that is subject to termination of processing.
6.14. The consent of the personal data subject to the dissemination of personal data is terminated from the moment the Organization receives the request specified in clause 6.13. of this Policy.
6.15. A personal data subject has the right to request that any person processing his / her personal data stop transmitting (distributing, providing, accessing) his / her personal data that was previously allowed for distribution, in case of non-compliance with the provisions of the Federal Law of 27.07.2006 no.
6.16. The organization or a third party is obliged to stop transmitting (distributing, providing, accessing) personal data within three working days from the moment of receipt of the employee’s request or within the time period specified in the court decision that has entered into legal force. If such a deadline is not specified in the court decision, the Organization or a third party must stop transmitting the employee’s personal data within three working days from the date of entry into force of the court decision.
6.17. Access to personal data of personal data subjects is allowed only to specially authorized persons, and these persons should have the right to receive only those personal data that are necessary for performing a specific function.
7. Terms of processing and storage of personal data
7.1. The Organization ensures the protection of personal data of personal data subjects from misuse or loss.
7.2. Documents containing data of personal data subjects are stored in paper form in folders, stitched and numbered by pages, in a specially designated cabinet that provides protection against unauthorized access.
7.3. Personal data may also be stored electronically in a local computer network. Access to electronic databases containing personal data is provided by a two-step password system: at the level of the local computer network and at the level of databases.
7.4. It is allowed to copy and extract personal data only for official purposes, with the written permission of the Director General of the Organization or his deputy.
7.5. Processing of personal data in the Organization is terminated in the following cases:
— if an act of illegal processing of personal data is detected. The processing period is terminated within three business days from the date of detection of such an act;
— when the processing goals are achieved (with some exceptions);
— upon the expiration of the validity period or upon the subject of personal data withdrawing their consent to the processing of their personal data (with certain exceptions), if, in accordance with the Law on Personal Data, their processing is permitted only with their consent;
— when a personal data subject requests the Organization to stop processing personal data (except in cases specified in Part 5.1 of Article 21 of the Personal Data Law). The processing must be stopped within 10 business days from the date of receipt of the request (with the possibility of extension for no more than five business days if a notification is sent explaining the reasons for the extension).
7.6. Personal data is stored in a form that allows the personal data subject to be identified for no longer than is necessary for the purposes of processing. The only exception is when the period of storage of personal data is established by federal law or a contract in which the personal data subject is a party (beneficiary or guarantor).
7.7. Hard copy personal data is stored in the Organization for the duration of storage of documents, for which these terms are provided for by the legislation on archival affairs in the Russian Federation (Federal Law of 22.10.2004 no.
7.8. The period of storage of personal data processed in personal data information systems corresponds to the period of storage of personal data on paper media.
8. Procedure for blocking and destroying personal data
8.1. The Organization blocks personal data in accordance with the procedure and conditions stipulated by the legislation in the field of personal data.
8.2. If the purposes of personal data processing are achieved or if it is no longer necessary to achieve these goals, personal data is destroyed or depersonalized. An exception may be provided for by federal law.
8.3. Personal data obtained as a result of depersonalization may be processed with or without the use of automation tools and are not subject to disclosure.
8.4. Personal data obtained as a result of anonymization shall not be provided to third parties who process personal data using additional information that directly or indirectly identifies a specific individual.
8.5. When processing personal data obtained as a result of anonymization, without using automation tools, the safety of the material media containing the data and the access procedure for the Organization’s employees to the premises where the data is stored are ensured to prevent unauthorized access to anonymized personal data, unauthorized destruction, modification, blocking, copying, distribution, and other illegal actions.
8.6. When processing personal data obtained as a result of anonymization, the information systems of personal data are protected by passwords, antivirus policies, rules for working with removable media (if any), backup rules, and rules for accessing the premises where the elements of the information systems of personal data are located.
8.7. When storing personal data obtained as a result of anonymization, the personal data obtained as a result of anonymization and information about the selected method of anonymization of personal data and the parameters of the procedure for anonymization of personal data are stored separately.
8.8. The Commission established by the order of the Director General is responsible for the destruction of personal data.
8.9. The Commission compiles a list of documents, other material media, and (or) information in information systems containing personal data that are subject to destruction.
8.10. Personal data on paper media is destroyed using a shredder. Personal data on electronic media is destroyed by mechanically damaging the integrity of the media, making it impossible to read or recover the personal data, and by deleting the data from electronic media using methods and tools that guarantee the removal of residual information.
8.11. The Commission confirms the destruction of personal data in accordance with the Requirements for Confirmation of the Destruction of Personal Data approved by Order No. 179 of Roskomnadzor dated 28.10.2022, namely:
— an act of destruction of personal data — if the data is processed without the use of automation tools;
— an act of destruction of personal data and an unloading from the event log in the personal data information system — if the data is processed using automation tools or simultaneously using and not using such tools.
The act can be drawn up on paper or in electronic form, signed with electronic signatures.
The forms of the act and the log’s unloading, taking into account the information that should be contained in these documents, are approved by the General Director’s order.
8.12. After the act of destruction of personal data and the unloading from the event log in the information system of personal data, the commission transfers them to the general department for subsequent storage. Acts and unloading from the log are stored for three years from the moment of destruction of personal data.
9. Personal data protection
9.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system consisting of legal, organizational, and technical protection subsystems.
9.2. The legal protection subsystem is a set of legal, organizational, administrative, and regulatory documents that ensure the creation, operation, and improvement of personal data protection systems.
9.3. The organizational protection subsystem includes the organization of the management structure of personal data protection systems, the authorization system, and information protection when working with employees, partners, and third parties.
9.4. The technical protection subsystem includes a set of technical, software, and hardware tools that ensure the protection of personal data.
9.5. The main personal data protection measures used by the Operator are:
— designating a person responsible for the processing of personal data, who is responsible for organizing the processing of personal data, providing training and instructions, and conducting internal control to ensure that the institution and its employees comply with the requirements for the protection of personal data;
— identification of current threats to the security of personal data when processing them in personal data information systems and development of measures and measures to protect personal data;
— establishing rules for access to personal data processed in personal data information systems, as well as ensuring registration and accounting of all actions performed with personal data in personal data information systems;
— setting individual passwords for employees ’ access to the information system in accordance with their work responsibilities;
— application of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
— certified antivirus software with regularly updated databases;
— compliance with the conditions that ensure the safety of personal data and exclude unauthorized access to them;
— detection of unauthorized access to personal data and taking measures;
— recovery of personal data modified or destroyed as a result of unauthorized access to them;
— training of the Operator’s employees directly engaged in personal data processing in the provisions of the Russian Federation legislation on personal data, including requirements for personal data protection, familiarization with the documents defining the Operator’s policy on personal data processing, local acts on personal data processing;
— to ensure software security, services and applications are scanned for vulnerabilities using a combination of static source code analysis and dynamic testing.;
— encryption of all user data during transport using TLS;
— conducting an independent site penetration test on an annual basis;
— implementation of internal control and audit.
10. Basic rights of the personal data subject and obligations of the Operator.
Consideration of requests from personal data subjects
10.1. Basic rights of the personal data subject.
10.1.1. The personal data subject has the right to receive information concerning the processing of his / her personal data, including information containing::
1) confirmation of the processing of personal data by the operator;
2) legal grounds and purposes of processing personal data;
3) the purposes and methods of personal data processing used by the operator;
4) the name and location of the operator, information about persons (except for the operator’s employees) who have access to personal data or to whom personal data may be disclosed under a contract with the operator or under federal law;
5) processed personal data related to the relevant subject of personal data, and the source of their acquisition, unless otherwise provided for by federal law;
6) the terms of processing personal data, including the terms of their storage;
7) the procedure for exercising the rights provided for by this Federal Law by a personal data subject;
8) information about actual or planned cross-border data transfer;
9) the name or surname, first name, patronymic, and address of the person who processes personal data on behalf of the operator, if the processing is or will be entrusted to such a person;
10) other information provided for by this Federal Law or other federal laws.
The specified information must be provided to the personal data subject by the Operator in an accessible form, and it must not contain personal data related to other personal data subjects, unless there are legal grounds for disclosing such personal data.
The specified information is provided to the personal data subject or their representative by the Operator’s authorized representative who processes the relevant personal data within ten business days from the date of the request or receipt of the personal data subject’s or their representative’s request.
The specified period may be extended, but not more than five business days, if the operator sends a motivated notification to the subject of personal data, indicating the reasons for extending the period for providing the requested information.
The request must contain: the number of the main document certifying the identity of the personal data subject or his representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information) or information that otherwise confirming the fact of processing of personal data by the operator, the signature of the personal data subject or his representative.
10.1.2. Personal data subjects have the right to request the Operator to clarify their personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.
10.1.3. Operator’s Obligations.
The operator must:
1) when contacting a personal data subject, provide information about the processing of personal data;
2) in cases where the personal data was not received from the personal data subject, notify the personal data subject of the fact that the Operator received personal data;
3) in case of refusal to provide personal data, explain to the personal data subject the consequences of such refusal;
4) publish or otherwise provide unrestricted access to the document defining the Operator’s policy regarding the processing of personal data;
5) take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
6) provide answers to requests and appeals of personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects;
7) refuse the personal data subject to fulfill the request for providing information specified in clause 5.1.1. if the request does not meet the conditions provided for in clause 5.1.1. or other legal requirements. Such refusal must be motivated.
8) If the fact of illegal or accidental transfer (provision, dissemination, access) of personal data that has resulted in a violation of the rights of personal data subjects is established, notify the authorized body for the protection of the rights of personal data subjects within the time limits established by Part 3.1 of Article 21 of Federal Law No.
11. Revocation of consent to the processing of personal data.
11.1. The period of validity of the consent of the personal data subject is unlimited, however, the personal data subject has the right to withdraw consent to the processing of personal data by the Operator at any time in cases established by law, by sending a written notification to the Operator’s location or email address info@itmexpo.ru marked “Revocation of consent to the processing of personal data”.
11.2. Revocation of consent to the processing of personal data entails the deletion of the user’s account from the Site, as well as the destruction of records containing personal data on paper and in the information systems for processing personal data of the Operator and third parties within a period not exceeding 10 working days from the date of receipt.
11.3. The User can independently delete the stored Cookies in the settings of his browser, if desired.
The user has the right to refuse to process Cookies in the settings of their browser. In this case, the Operator does not guarantee the proper functioning of the Site and the services it offers.