Privacy Policy for the Processing of the Personal Data of 2018 FIFA World Cup Russia™ Spectators in the Fan Identification System

I. General Provisions

1.1. To ensure the execution of the current legislation of the Russian Federation in full, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation (hereinafter referred to as the Operator) and the organization designated by the Government of the Russian Federation and engaged by the Ministry of Digital Development, Communications and Mass Media of the Russian Federation for the implementation of works related to producing, accounting for, issuing, replacing, using and supporting (providing for) the functioning of the personalized spectator’s cards, AO I-Teco (hereinafter referred to as the Organization) consider that their most important tasks are to follow the principles of legitimacy, justice and privacy when processing the personal data of 2018 FIFA World Cup Russia™ spectators (hereinafter referred to as the spectators) in the Fan Identification System (hereinafter referred to as the FIS) and to ensure the security of the procedures for their processing.

1.2. The privacy policy for the processing of the personal data of the 2018 FIFA World Cup Russia™ spectators in the Fan Identification System (hereinafter referred to as the Policy) is targeted towards ensuring the integrity, accessibility and privacy of spectators’ personal data as well as their completeness and accuracy.

II. Legal Basis for Processing Personal Data

2.1. The Policy has been developed in accordance with the current legislation of the Russian Federation in the area of the processing and protection of personal data, in particular, the provisions of the Federal Law dated 27 July 2006 №152-FZ “On Personal Data” as well as in accordance with the provisions of the Federal Law dated 7 June 2013 №108-FZ “On preparation and staging of the 2018 FIFA World Cup™ and the FIFA Confederations Cup 2017 in the Russian Federation and changes to certain regulatory acts of the Russian Federation.”

III. The Principles, Goals, Content and Methods for the Processing of Personal Data

3.1. The Operator and Organization ensure compliance with the principles of the processing of personal data specified in Article 5 of the Federal Law dated 27 July 2006 №152-FZ “On Personal Data.”

3.2. Spectators’ personal data is the information directly or indirectly pertaining to a spectator of sporting competitions. It is provided by him/her or his/her authorized representative to the Ministry of Digital Development, Communications and Mass Media of the Russian Federation in order to ensure security and the issuance of a FAN ID (hereinafter referred to as the personal data).

3.3. The Organization performs the collection and subsequent processing of personal data in order to:

3.3.1. conduct contractual activities within the framework of the creation, change and termination of the relationship between the Operator and Organization, its partners, customers and other counterparties;

3.4. The Operator has set the following conditions for the termination of the processing of personal data:

3.4.1. attainment of the goals for the processing of personal data and the maximum preservation period;

3.4.2. the loss of necessity for reaching the goals for the processing of personal data;

3.4.3. the provision by the subject of the personal data or his/her authorized representative of information confirming that the personal data have been obtained illegally or are not necessary for the declared goal of their processing;

3.4.4. the inability to ensure the legitimacy of the processing of personal data;

3.4.5. the revocation by the subject of the personal data of consent for the processing of the personal data if the preservation of the personal data is no longer required for the purposes of the processing of the personal data;

3.4.6. the expiration of the statute of limitations for the relationship for which the processing of personal data is or was performed.

3.5. The processing of personal data organized by the Operator and executed by the Organization includes the collection, recording, classification, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal and destruction of personal data.

3.6. The Organization performs the processing of personal data both with and without the use of automated equipment.

3.7. The spectators’ personal data as well as data about the results of the verification are stored in the FIS until 25 July 2018 inclusive unless otherwise stipulated by Russian legislation.

3.8. The spectators’ personal data as well as the data about the results of the verification are stored and processed in the FIS up until 25 July 2018 inclusive.

IV. Measures for the Appropriate Organization of the Processing and Security of Personal Data

4.1. While processing personal data, the Organization takes all necessary legal, organizational and technical measures for protecting them from unauthorized or accidental access, destruction, change, blocking, copying, provision, distribution as well as from any other illegal actions regarding them. The provision of the security of personal data is achieved in part by the following methods:

4.1.1. appointment of an authorized person responsible for the organization of the processing of personal data;

4.1.2. exercise of internal control and/or audit of the compliance of personal data processing with the Federal Law dated 27 July 2006 №152-FZ “On Personal Data” and the regulations adopted in accordance with it, the requirements for the protection of personal data as well as the Operator’s and the Organization’s local regulations;

4.1.3. familiarization of the Organization’s employees who directly perform the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, local regulations in regard to personal data processing and (or) the training of the specified employees;

4.1.4. defining the security threats for personal data during their processing in personal data information systems;

4.1.5. use of informational and technical measures for ensuring the security of personal data during their processing in the personal data information systems required for meeting the requirements for personal data protection;

4.1.6. assessment of the effectiveness of the measures taken to ensure the security of personal data before the commissioning of the personal data information system;

4.1.7. control of media containing personal data;

4.1.8. disclosing unauthorized access to personal data and taking appropriate action;

4.1.9. restoring personal data modified or destroyed as a result of unauthorized access;

4.1.10. setting rules for accessing the personal data processed in the FIS as well as ensuring the registration of and accounting for all actions performed with the personal data in the FIS;

4.1.11. control over the measures taken to ensure the security of personal data and the level of protection of the FIS.

V. Person Responsible for Organizing the Processing of Personal Data

5.1. The rights, duties and legal liability of the person responsible for the organization of the processing of personal data have been set out by the Federal Law dated 27 July 2006 №152-FZ “On Personal Data” and the “Provision on Organizing the Processing of and Ensuring the Security of Personal Data” (hereinafter referred to as the Provision) adopted by the Organization.

5.2. The appointment of the person responsible for the organization of the processing of personal data and his/her release from the specified duties are performed by the order of the Director General of the Organization. When appointing the person responsible for the organization of the processing of personal data, consideration is given to the administrator’s powers, competencies and personal qualities that would enable him to duly and fully exercise the rights and duties set forth in the Provision.

5.3. The person responsible for the organization of the processing of personal data:

5.3.1. organizes the execution of internal control over compliance with the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, by the Organization and its employees;

5.3.2. informs the Organization’s employees about the provisions of the legislation of the Russian Federation on personal data, the Organization’s local regulations on the issues of personal data processing, requirements for the protection of personal data and ensures that employees familiarize themselves with these;

5.3.3. exercises control over the reception and processing of requests and applications by the subjects of personal data or their representatives.

VI. Rights of the Subjects of Personal Data

6.1. A subject of personal data has the right to receive information about his/her personal data processing organized by the Operator.

6.2. A subject of personal data has the right to demand that the Operator clarify these personal data, block them or destroy them if they are incomplete, obsolete, inaccurate, illegally obtained or cannot be considered necessary for the declared goal of their processing as well as to take measures provided for by law to protect his/her rights.

6.3. The right of the subject of personal data to access his/her personal data can be restricted in accordance with federal laws including but not limited to cases when the access of the subject of personal data to his/her personal data violates the rights and legal interests of third parties.

6.4. To exercise and protect his/her rights and legal interests, the subject of personal data has the right to contact the Operator. The Operator reviews any requests and complaints from the subjects of personal data, carefully investigates the facts of violations and takes all necessary measures for their immediate removal, for the punishment of the guilty parties and for settling disputes and conflicts through the pre-trial process.

6.5. A subject of personal data has the right to contest the Operator’s action or inaction by way of appeal to an authorized body for protecting the rights of personal data subjects.

6.6. A subject of personal data has the right to protect their rights and legal interests including compensation for losses and/or compensation for moral harm through legal action.

VII. Responsibility

7.1. Persons who are guilty of violating the norms regulating the processing and protection of personal data bear the responsibility provided for by the legislation of the Russian Federation, the Organization’s local regulations and agreements governing the legal relations between the Organization and third parties.