PERSONAL DATA PRIVACY POLICY

 

This Personal Data Privacy Policy (hereinafter referred to as the "Privacy Policy") applies to all personal data that the Personal Data Processing Operator (hereinafter referred to as the "PDPO") may obtain about the Personal Data Subject while using the Website with the domain name (https://journal-ncz.ru). The PDPO requests that you carefully read the Privacy Policy and, if you disagree with any of its provisions, stop using the Website and immediately leave.


1. BASIC CONCEPTS

1. Key terms used in the Privacy Policy:

1.1. Automated processing of personal data is the personal data processing using computer technology.

1.2. Blocking of personal data is a temporary cessation of the personal data processing (except in cases where processing is necessary to clarify personal data).

1.3. Personal data information system is a set of personal data contained in databases and the information technologies and technical means that ensure their processing.

1.4. Confidentiality of personal data is a mandatory requirement for compliance by the PDPO or any other person who has gained access to personal data to prevent its dissemination without the consent of the subject of personal data or the presence of other legal grounds. 

1.5. Anonymization of personal data is an action that makes it impossible to determine the ownership of personal data by a specific subject of personal data without the use of additional information.  

1.6. Personal data processing is any action (operation) or set of actions (operations) performed by the PDPO with or without the use of automation tools with Personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal data.

1.7. Personal data processing operator (PDPO) is an organization that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and also determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data. 

1.8. Personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of Personal data).

1.9. Personal data permitted for distribution by the subject of personal data are  personal data, access to which by an unlimited number of persons is granted by the User (the subject of personal data) by giving consent to the processing of personal data, permitted by the subject of personal data for distribution in the manner prescribed by current Russian legislation. 

1.10. Privacy Policy is the document with all amendments and additions, located on the Internet at https://journal-ncz.ru/eng_privacy.

1.11. The User is the subject of Personal Data, a legally competent individual using the Website for their own benefit. Throughout this Privacy Policy, the User is also referred to as the subject of Personal Data.

1.12. Provision of personal data are the actions aimed at disclosing personal data to a specific person or a specific group of persons.

1.13. The website is a collection of graphic and informational materials, as well as computer programs and databases, ensuring their availability on the Internet at the network address (https://journal-ncz.ru).

1.14. Dissemination of personal data are the actions aimed at disclosing personal data to an indefinite number of persons.

1.15. Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a government body of a foreign state, a foreign individual or a foreign legal entity.

1.16. Deletion of personal data are the actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destroyed.

1.17. Cookies files are a small piece of data sent by a web server and stored on the User's device used to access the Site, which the web client or web browser sends to the web server each time in an HTTPS request when attempting to open a page of the corresponding site. 

1.18. Personal Data Subject is a legally competent individual who uses the Site in their own interests.

1.19. An IP address is a unique network address of a node in a computer network built using the IP protocol.

 2. GENERAL PROVISIONS

2.1. The Privacy Policy defines the purposes, content, and procedures for processing Personal Data, measures aimed at protecting Personal Data, and procedures aimed at identifying and preventing violations of Russian legislation in the area of Personal Data. This Privacy Policy sets forth the obligations of the PDPO to process and protect Personal Data, including ensuring the confidentiality of Personal Data provided to the PDPO.

2.2. This Privacy Policy defines the policy of the PDPO, as the operator processing Personal Data, regarding the processing and protection of Personal Data. The processing of Personal Data by the PDPO is carried out in compliance with the principles and conditions set forth in this Privacy Policy and the legislation of the Russian Federation on Personal Data. The Operator's primary goal and condition for carrying out its activities is to respect the rights and freedoms of individuals and citizens when processing their Personal Data, including the protection of privacy, personal and family confidentiality.  

2.3. This Privacy Policy applies only to information obtained during the use of the Site and within the framework of fulfilling the contractual obligations of the PDPO.  

2.4. The User decides to provide their Personal Data and consents to its processing voluntarily, of their own free will, and in their own interests. Consent to the processing of Personal Data must be specific, objective, informed, conscious, and unambiguous. The PDPO does not verify the accuracy of the Personal Data provided by the User. 

2.5. By using the Site you agree to this Privacy Policy and the terms of Personal Data processing.

2.6. By accepting this Privacy Policy, the User thereby gives his consent to the PDPO to process his Personal Data specified in Section 3 of this Privacy Policy, including the collection, recording, accumulation, storage, clarification (updating, modification), retrieval, use, transfer to third parties (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal Data for the purposes specified in Section 3.

2.7. By refusing to consent to the processing of their Personal Data by the PDPO for the purposes specified in Section 3, the Personal Data Subject understands that they will not be able to take advantage of all the features of the Site and its services, and that use of the Site will be limited.

2.8. A personal data subject who has provided personal data that is not in full compliance with the requirements of the relevant section of the Site or that does not correspond to reality will not be able to use all the capabilities of the Site and its services, including receiving individual services provided through the Site, and use of the Site will be limited.

2.9. Rights of the PDPO:

- collect Personal Data through forms on the Website;
- provide access to the Website;
- collect, record, accumulate, store, clarify (update, change), extract, use, transfer (disseminate, provide, access), depersonalize, block, delete, destroy Personal Data; 
- transfer personal data to third parties on the basis of agreements concluded to achieve the purposes specified in Section 3 of the Privacy Policy and instructions for the processing of personal data;
- in case if the User withdraw the consent to the processing of Personal Data, the PDPO has the right to continue processing Personal Data without the User’s consent if there are grounds specified in the current legislation;
- refuse the User's repeated request for information regarding his Personal Data, which is processed by the PDPO in accordance with the terms of the federal law, upon provision of a reasoned response;
- to distribute Personal Data under the separate consent to the distribution of personal data.

2.10. Responsibilities of the PDPO:

- Use the received Personal Data solely for the purposes specified in Section 3 of this Privacy Policy;
- Provide the User with information concerning their Personal Data upon a relevant request or appeal;
- In case of loss or disclosure of confidential information, PDPO will not be liable if such confidential information:
- became publicly known prior to its loss or disclosure;
- was received from a third party prior to its receipt by PDPO;
- was disclosed with the consent of the User;

- Inform the Personal Data Subject or their representative of the information on the processing of Personal Data of such Personal Data Subject carried out by the PDPO upon their request; 
- Not to disclose to third parties or distribute Personal Data without the consent of the User, unless otherwise provided by law;
- When getting a request or appeal from the User, provide him with the information and data specified in the request/appeal in an accessible form and without specifying Personal Data related to other subjects of personal data, except in cases where there are legal grounds for disclosure of such Personal Data;
- Explain to the User the procedure for making a decision based solely on the Automated Processing of their personal data and the possible legal consequences of such a decision, provide the User with the opportunity to object to such a decision, and explain the procedure for protecting the User's rights and legitimate interests. The PDPO is obligated to consider the objection specified in this clause within thirty days of its receipt and notify the personal data subject of the results of the review of such objection; 
- Explain to the User the legal consequences of refusing to provide their Personal Data and/or to give consent to their processing, if, in accordance with federal law, the provision of Personal Data and/or giving consent to the PDPO to process Personal Data are mandatory;
- When collecting personal data, including through the Internet information and telecommunications network, the PDPO is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, with the exception of cases specified in the current Russian legislation;
- The PDPO is obliged to ensure reliable protection of Personal Data and protection of its confidentiality.

2.11. User's Rights: a User has the right
- to demand from the PDPO clarification of his Personal data, their blocking or destruction in case when the Personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, by sending a request to the editorial office of the site by email to journal@kniish.ru;
- to request information about the measures taken by the PDPO to protect personal data;
- to send a request to the PDPO regarding their Personal Data processed by the PDPO by sending a request (Appendix No. 4 to this Privacy Policy) to the PDPO by e-mail to the editorial office of the site journal@kniish.ru;
- to send a repeated request to the PDPO regarding their Personal Data that is processed by the PDPO, no earlier than 30 (thirty) days after the initial request, unless a shorter period is set by federal law;
- to re-apply to the PDPO or send a repeated request in order to obtain information regarding their Personal Data processed by the PDPO, as well as in order to become familiar with the Personal Data being processed, before the expiration of the period of 30 (thirty) days, if such information and/or the Personal Data being processed were not provided to them for review in full following the consideration of the initial request. The repeated request must be justified;
- to send the PDPO a revocation of the consent given to the processing of Personal data, consent to the Distribution of Personal data;
- to protect their legal rights and interests, including compensation for losses and (or) compensation for moral damages in court;
- to appeal the actions or inactions of the PDPO to the authorized body for the protection of the rights of personal data subjects or in court.



2.12. User's Responsibilities:
- to comply with the requirements specified in paragraph 1.11 of this Privacy Policy;
- to provide their accurate personal data.

2.13. Databases of information containing personal data of citizens of the Russian Federation are located on the territory of the Russian Federation.

2.14. The PDPO processes personal data lawfully and fairly to fulfill its legally mandated functions, powers, and obligations, and to exercise the rights and legitimate interests of the PDPO and other persons. Personal data may only be transferred (distributed, provided) and used in the cases and according to the procedure stipulated by federal laws, with the consent of the personal data subject, if required by applicable law.

2.15. The PDPO receives Personal Data directly from the subject of Personal Data, except in cases where Personal Data is transferred within the framework of contractual relationships.

2.16. The PDPO processes the User's Personal Data with their consent, provided either in writing (if necessary in accordance with the current legislation of the Russian Federation) or when performing implied actions.

2.17. The principles of processing Personal Data established by this Privacy Policy:

2.17.1. The processing of Personal Data must be carried out lawfully and fairly.

2.17.2. The processing of Personal data must be limited to achieving specific, predetermined, and legitimate purposes. Processing of Personal data incompatible with the purposes for which it was collected is prohibited. Processing of Personal data that exceeds the stated purposes of its processing is prohibited.

2.17.3. It is not permitted to combine databases containing Personal Data that are processed for purposes that are incompatible with each other.

2.17.4. Only Personal Data that meets the purposes of their processing are subject to processing.

2.17.5. The content and volume of processed Personal Data must correspond to the stated purposes of processing. Processed Personal Data must not exceed the stated purposes of processing.

2.17.6. When processing Personal data, the accuracy, sufficiency, and, where necessary, relevance of the Personal data for the processing purposes must be ensured. The data protection officer must take necessary measures, or ensure that they are taken, to delete or rectify incomplete or inaccurate data.

2.17.7. Personal data must be stored in a form that allows identification of the data subject for no longer than required for the purposes of processing the Personal data, unless the storage period for Personal data is established by federal law or an agreement to which the data subject is a party, beneficiary, or guarantor. Processed Personal data must be destroyed or anonymized upon the achievement of the processing purposes or when these purposes are no longer necessary, unless otherwise provided by federal law.

2.17.8. The PDPO is obliged to ensure that the foreign state to whose territory the Cross-border transfer of Personal data is carried out ensures adequate protection of the rights of subjects of Personal data, before the start of the cross-border transfer of Personal data. 

2.17.9. The PDPO carries out the cross-border transfer of Personal data of authors of articles and media materials to international databases of scientific publications (such as Scopus and Web of Science, DOAJ, Dimensions, etc.). In accordance with Part 2 of the List of cases in which the requirements of Parts 3-6, 8-11 of Article 12 of the Federal Law "On Personal Data", approved by Decree of the Government of the Russian Federation of December 29, 2022 N 2526, do not apply to operators carrying out the cross-border transfer of Personal data in order to fulfill the functions, powers and obligations imposed on state bodies and municipal authorities by an international treaty of the Russian Federation, the legislation of the Russian Federation, etc. The cases in which the requirements of Parts 8-11 of Article 12 of the Federal Law "On Personal Data" do not apply to operators carrying out the cross-border transfer of Personal data in order to fulfill the functions, powers and obligations imposed on state bodies and municipal authorities by an international treaty of the Russian Federation, the legislation of the Russian Federation, include the implementation of events in the field of culture, science and education. 

2.17.10. PDPO does not control and is not responsible for the processing of information by third-party websites that can be accessed via links available on the Site. 

3. PURPOSES OF COLLECTING AND PROCESSING PERSONAL DATA. VOLUME AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS

3.1. The PDPO collects and processes Personal data for the following purposes:
3.1.1. Providing the User with the ability to create a personal account on the Website. To do so, the User completes the registration form on the Website and provides the following Personal data:
- email address;
- last name, first name, and patronymic (if any).
3.1.2. Sending newsletters to Users who have completed the subscription form on the Website and consented to receive information about the Website, the PDPO, and its partners, including advertising. The User provides their email address in the subscription form on the Website.
The newsletter is sent using the Site's software.
To receive the newsletter, the User provides the following personal information:
- email address;
- name.
3.1.3. Providing the User with feedback, including: sending notifications, requests, and information regarding the use of the Site, the execution of agreements and contracts, as well as processing requests and applications from the User, responding to the User's comments on the Site, responding to messages, calls, and letters from the User, and considering the User's claims - the PDPO collects the following Personal Data:
- Email address - when receiving an email from the User to the OOPD address;
- Telephone number - when receiving a message or call from the User;
- Last name, first name, and patronymic (if available);
- Passport information (in cases stipulated by law);
- Address for replying to an email or request;
- Other Personal Data that the User voluntarily provides or discloses to the PDPO during communication.

3.1.4. To provide the User with the opportunity to publish works (articles, materials, content) on the Website, PDPO collects the following personal data:
- last name, first name, patronymic (if any),
- email address,
- telephone number,
- gender,
- place of work
3.1.5. To carry out some marketing research and targeting using the software of the Site, PDPO collects statistical anonymized data that does not identify the User as the subject of Personal data.
3.2. The PDPO processes the Personal Data of the following categories of Personal Data subjects: Website Users, Authors, and reviewers of scientific articles.

4. PROCEDURE AND CONDITIONS FOR PROCESSING PERSONAL DATA

4.1. The OOPD collects and processes the following types of information:

- information that the User knowingly provides to the PDPO while using the Site
- technical information automatically collected by the software of the Site during the User's visit. 



4.2. Technical information automatically collected by the software of the Site during the visit includes:
· IP address;
· information from cookies;
· browser information;
· information about the device type (mobile or PC);
· access time;
· other technical and statistical information collected by the software of the Site.
Technical information also includes analytical data without identifying the subject of the Personal Data, obtained through the use of web analytics services. This information is used solely for internal and external marketing purposes—to analyze website traffic trends and improve the service of the Site.

4.3. The Site implements a user identification technology based on the use of cookies. Cookies may be saved on the device used by the User to access the Site, which will subsequently be used to collect statistical data, in particular on the Site traffic and to automatically fill in fields in the Site forms. The PDPO may use and disclose information about the Site usage, for example, to determine the extent of the Site usage, improve its content, explain the usefulness, and expand the functionality of the Site. By accepting this Privacy Policy, the User consents to the PDPO transmitting the technical data specified in Section 4.2 collected from the Site over the Internet. Anonymized User data collected through internet statistics services is used to collect information about User actions on the Site and improve the quality of the Site and its content.

4.4. The PDPO does not store Personal Data in cookies. The PDPO uses information stored in cookies, which does not identify individual Users, to analyze trends, administer the Site, track User movements within the Site, and collect demographic information about the general User base.

4.5. If the User does not want the PDPO to collect technical information about them using cookies, the User must stop using thSite or disable the storage of cookies on their device used to access the Site by configuring their browser accordingly. Please note that the Site services that use this technology may become unavailable.  

4.6. The User confirms their consent to the collection and processing of Personal Data by completing the newsletter subscription form on the Site, by completing the registration form on the Site, or by completing the comment form under an article on the Site by checking the box located after the relevant form and clicking the button below the form on the Site. The User confirms their consent to the dissemination of Personal Data by providing the PDPO with written consent to the dissemination of personal data.

4.7. Consent to the processing of Personal data provided when submitting a claim or application to the PDPO is granted by completing the form provided by the PDPO. The user is required to submit the completed and signed consent form along with the text of the claim or application.

4.8. The PDPO carries out the following actions (operations) or a set of actions (operations) with Personal data using automation tools or without using such tools: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal data.

4.9. The PDPO processes Personal Data in the following ways: 

·       using automation tools of processing Personal data;
·       without the use of automation tools of processing Personal Data 4.10. The transfer of the User's Personal Data to third parties (if necessary) is carried out with the consent of the User for the purposes specified in Section 3.

4.10. The PDPO guarantees that it will never provide Personal Data to third parties, except in cases where:
· this is directly required by law (for example, at the written request of a court or law enforcement agency);
· The User has consented to the transfer of Personal Data;
· the transfer is necessary for the conclusion of agreements and/or within the framework of agreements between the PDPO and the User;
· the transfer occurs as part of the sale or other transfer of the Site or business;
· the transfer occurs within the framework of the transfer of the Personal Data base from one service to another in accordance with the contractual relations of the PDPO;
· this is required to provide support for the services provided to Users or to assist in the protection and security of the PDPO systems.

4.11. The User's Personal data may be transferred to authorized state authorities of the Russian Federation, inquiry and investigation agencies, and other authorized bodies only on the basis of and in the manner established by the current legislation of the Russian Federation.

5. LEGAL BASIS FOR PERSONAL DATA PROCESSING

5.1. The PDPO processes Personal Data on the basis of the following legal grounds:
· Constitution of the Russian Federation;
· Civil Code of the Russian Federation;
· Law of 07.02.1992 No. 2300-1 "On the Protection of Consumer Rights";
· Federal Law of 02.05.2006 No. 59-FZ "On the procedure for considering appeals from citizens of the Russian Federation";
· Federal Law of 27.07.2006 No. 149-FZ "On Information, Information Technologies and Information Protection";
· Federal Law of 06.04.2011 No. 63-FZ "On Electronic Signature";
· Federal Law of 27.07.2006 No. 152-FZ "On Personal Data";
· Resolution of the Government of the Russian Federation of 01.11.2012 No. 1119 "On approval of requirements for the protection of personal data when processing them in personal data information systems";
· Resolution of the Government of the Russian Federation of 15.09.2008 No. 687 “On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools”;
· agreements concluded between the PDPO and third parties for the purposes specified in Section 3;
· internal local documents of the PDPO;
· consent to the processing of Personal data (in cases not expressly provided for by the legislation of the Russian Federation, but corresponding to the powers of the PDPO), consent to the distribution of personal data.

6. MEASURES TO ENSURE THE SECURITY OF PERSONAL DATA DURING ITS PROCESSING

6.1. The PDPO protects the User's Personal Data using generally accepted security methods to ensure protection against loss, unauthorized or accidental access, distortion, unauthorized distribution, destruction, modification, blocking, copying, and any other illegal actions involving Personal Data by third parties. Security is ensured through network security software, access verification procedures, the use of cryptographic information security tools, and compliance with the Privacy Policy and other internal documents governing the processing of the Personal Data by PDPO.

6.2. In case Personal Data has been lost or disclosed, the PDPO is obliged to inform the User.

6.3. The PDPO, together with the User, takes all necessary legal, organizational and technical measures to prevent losses or other negative consequences caused by the loss or disclosure of the User's Personal Data.

6.4. Personal data are kept confidential by the PDPO, except in cases where the User voluntarily posts information for public access in messages or comments on the Site.

6.5. Ensuring the security of Personal Data processed in the Personal Data Information Systems of the OOPD is achieved by eliminating unauthorized, including accidental, access to Personal Data, as well as by taking the following security measures:
6.5.1. identification of threats to the security of Personal data when processing them in the personal data information systems of the PDPO;
6.5.2. taking organizational and technical measures to ensure the security of Personal Data when processed in the Personal Data Information Systems of the PDPO, which are necessary to meet the requirements for the protection of Personal Data, the implementation of which ensures the levels of protection of Personal Data established by the Government of the Russian Federation;
6.5.3. application of procedures for assessing the conformity of information security tools that have been completed in accordance with the established procedure;
6.5.4. assessment of the effectiveness of measures taken to ensure the security of Personal Data prior to the commissioning of the Personal Data information system;
6.5.5. accounting of machine-readable media of Personal Data;
6.5.6. detection of facts of unauthorized access to Personal data and taking measures;
6.5.7. restoration of Personal data that has been modified, deleted, or destroyed due to unauthorized access;
6.5.8. establishing rules for access to Personal data processed in the Personal data information systems of the PDPO, as well as ensuring the registration and accounting of all actions performed with Personal data in the Personal data information systems of the PDPO;
6.5.9. control over the measures taken to ensure the security of Personal Data and the levels of protection of Personal Data information systems.

6.6. Measures aimed at ensuring the fulfillment by the PDPO of its obligations under current legislation in the field of personal data. The PDPO is obligated to take measures necessary and sufficient to ensure the fulfillment of its obligations under current Russian legislation. The PDPO independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of these obligations. Such measures include, in particular:

1) appointment the head of the OOPD a person responsible for organizing the processing of Personal Data;
2) issuance of the documents defining the PDPO policy regarding the processing of Personal data, the Privacy Policy, local acts on the processing of Personal data, defining for each purpose of processing Personal data the categories and list of Personal data being processed, the categories of subjects whose Personal data are processed, the methods and terms of their processing and storage, the procedure for the destruction of Personal data upon achieving the purposes of their processing or upon the occurrence of other legal grounds, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations;
3) application of legal, organizational and technical measures to ensure the security of Personal Data;
4) implementation of internal control and (or) audit of compliance of the processing of Personal Data with the legislation and regulatory legal acts adopted in accordance with it, requirements for the protection of Personal Data, the policy of the PDPO regarding the processing of personal data, the Privacy Policy, local acts of the PDPO;
5) assessment of the harm that may be caused to personal data subjects in case of a violation of the law, the relationship between the said harm and the measures taken by the PDPO aimed at ensuring the fulfillment of obligations stipulated by law;
6) familiarization of the PDPO staff directly involved in the processing of Personal Data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of Personal Data, documents defining the PDPO policy regarding the processing of personal data, the Privacy Policy, local acts on the processing of Personal Data, and (or) training of these employees;
7) posting the Privacy Policy on the Site to ensure unrestricted access to it.

7. PERSONAL DATA PROCESSING PERIODS

7.1. The processing of Personal Data provided by the User on the Site is carried out from the moment of sending the completed form on the Site until the moment of termination of the Site operation, until the moment of revocation of the consent sent to the PDPO, until the moment of deletion of the personal account on the Site.

7.2. Unless otherwise provided by other clauses of this Privacy Policy or by current Russian legislation, the condition for termination of the processing of Personal Data is the achievement of the purposes of processing Personal Data, the expiration of the consent or the revocation of consent to the processing of Personal Data, the detection of unlawful processing of Personal Data, or when the PDPO is requested to destruct Personal Data.

7.3. The transfer (distribution, provision, access) of Personal Data permitted for distribution must be terminated at any time at the request of the User.

7.4. The User has the right to request the PDPO to cease the transfer (dissemination, provision, or access) of their Personal Data previously permitted for distribution in case of non-compliance with the provisions of current legislation, or to file such a request with the court. The PDPO is obligated to cease the transfer (dissemination, provision, or access) of Personal Data within 3 (three) working days of receipt of the request or within the time period specified in a final and binding court decision, or, if such time period is not specified in the court decision, within 3 (three) working days since the decision of the court comes into force.

7.5. The User independently determines the subscription period for the newsletter and unsubscribes from the newsletter by clicking the unsubscribe link, which is included in every received email, or by sending a free-form request to the PDPO of the journal to journal@kniish.ru with the subject line "Unsubscribe from the newsletter."

8. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO USER REQUESTS FOR ACCESS TO PERSONAL DATA

8.1. In case of confirmation of the fact of inaccuracy of Personal data or illegality of their processing, the Personal data are subject to updating by the PDPO, and the processing must be accordingly terminated.

8.2. The User's Personal data provided on the Site, stored and processed by the PDPO, may be deleted/anonymized by contacting the PDPO. To do so, please send a letter (Appendix No. 3 to this Privacy Policy) to the PDPO at journal@kniish.ru . In this case, the User will not be able to use certain Site features. The request will be processed within 10 (ten) working days.

8.3. Upon achieving the purposes of processing Personal Data, the PDPO shall cease processing the Personal Data (or ensure its termination if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) and destroy the Personal Data (or ensure its destruction if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) within a period not exceeding 30 (thirty) days from the date of achieving the purpose of processing, unless:

· otherwise provided by the agreement to which the User is a party, beneficiary or guarantor;
· the PDPO has the right to process Personal data without the consent of the User on the grounds provided for by the Federal Law "On Personal Data" or other federal laws;
· otherwise provided by another agreement between the PDPO and the User.

If it is not possible to destroy Personal Data within the period specified in this clause, the PDPO blocks such Personal Data or ensures its blocking (if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) and ensures the destruction of Personal Data within a period of no more than 6 (six) months, unless another period is established by federal laws.

8.4. If the PDPO has received a revocation of consent to the processing of Personal Data, the PDPO shall cease processing the Personal Data (or ensure its termination if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) and, if the storage of Personal Data is no longer required for the purposes of processing the Personal Data, shall destroy the Personal Data (or ensure its destruction if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) within a period not exceeding 30 (thirty) days from the date of receipt of the said revocation, unless:
· otherwise provided by the agreement to which the User is a party, beneficiary or guarantor;
· the PDPO has the right to process Personal data without the consent of the User on the grounds provided for by the Federal Law "On Personal Data" or other federal laws;
· otherwise provided by another agreement between the PDPO and the User.

If it is not possible to destroy Personal Data within the period specified in this clause, the PDPO blocks such Personal Data or ensures its blocking (if the processing of Personal Data is carried out by another person acting on behalf of the PDPO) and ensures the destruction of Personal Data within a period of no more than 6 (six) months, unless another period is established by federal laws.

8.5. If the PDPO receives a request to cease processing Personal Data, the PDPO is obliged to cease processing the Personal Data or ensure the cessation of such processing (if such processing is carried out by the person processing the Personal Data) within a period not exceeding 10 (ten) working days from the date of receipt of the relevant request, except in cases stipulated by current Russian legislation. This period may be extended, but no longer than 5 (five) working days, if the PDPO sends a reasoned notice to the Personal Data subject stating the reasons for extending the period for providing the requested information. If it is impossible to destroy the Personal Data within the period specified in this paragraph, the PDPO will block such Personal Data or ensure its blocking (if the Personal Data is processed by another person acting on behalf of the PDPO) and ensure the destruction of the Personal Data within a period not exceeding 6 (six) months, unless another period is established by federal laws. 

8.6. The PDPO blocks Personal Data if it detects unlawful processing of Personal Data or inaccurate Personal Data from the moment of the User's request or appeal (Appendix No. 1 to this Privacy Policy) or from their legal representative or authorized body for the protection of the rights of Personal Data subjects during the verification period. If it is impossible to destroy Personal Data within the period specified in this clause, the PDPO blocks such Personal Data or ensures its blocking (if the Personal Data is processed by another person acting on behalf of the PDPO) and ensures the destruction of Personal Data within a period of no more than 6 (six) months, unless another period is established by federal laws.

8.7. The PDPO updates, corrects, and clarifies Personal Data within 7 (seven) working days from the date of the request or appeal of the personal data subject (Appendix No. 2 to this Privacy Policy) or their legal representative or authorized body for the protection of the rights of personal data subjects, in case of detection of incomplete, inaccurate, or outdated Personal Data. 

8.8. The PDPO deletes and destroys the User's Personal Data within 7 (seven) working days since getting the request or appeal from the Personal Data Subject (Appendix No. 3 to this Privacy Policy) or their legal representative or authorized body for the protection of the rights of Personal Data Subjects, if it receives information confirming that the Personal Data was obtained illegally or is not necessary for the stated processing purpose. The PDPO will notify the Personal Data Subject or their representative of the changes made and the measures taken and will take reasonable measures to notify third parties to whom the Personal Data of this subject was transferred.

8.9. In case of detection of unlawful processing of Personal Data by the PDPO or a person acting on behalf of the PDPO, the PDPO is obligated to cease the unlawful processing of Personal Data within a period not exceeding three (3) working days from the date of such detection or to ensure that the person acting on behalf of the PDPO ceases the unlawful processing of Personal Data. If it is impossible to ensure the lawfulness of the processing of Personal Data, the PDPO is obligated to destroy such Personal Data or ensure its destruction within a period not exceeding ten (10) working days from the date of detection of the unlawful processing of Personal Data. The PDPO is obligated to notify the subject of Personal Data or their representative, or the authorized body for the protection of the rights of subjects of Personal Data, of the rectification of the violations committed or the destruction of Personal Data.

8.10. The PDPO responds to requests from Users, their representatives, and the authorized body for the protection of personal data subjects regarding Personal Data within 10 (ten) working days of the request being submitted or received by the PDPO. This period may be extended, but not longer than 5 (five) working days, if the PDPO sends the Personal Data subject a reasoned notice stating the reasons for the extension.

8.11. In case of detection of an unlawful or accidental transfer (provision, distribution, access) of Personal Data, resulting in the violation of the User's rights, the PDPO is obliged, from the moment of detection of such an incident, to notify the authorized body for the protection of the rights of personal data subjects:

1) within 24 (twenty-four) hours about the incident that occurred, about the alleged reasons that led to the violation of the rights of personal data subjects, and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the relevant incident, and also provide information about the person authorized by the PDPO to interact with the authorized body for the protection of the rights of personal data subjects on issues related to the identified incident;
2) within 72 (seventy-two) hours on the results of the internal investigation of the identified incident, and also provide information on the persons whose actions caused the identified incident (if any).

9. FINAL PROVISIONS

9.1. The PDPO reserves the right to make any changes or additions to the Privacy Policy at any time at its sole discretion.

9.2. Amendments and additions come into force upon posting the amended Privacy Policy on the Site. By continuing to use the Site after the posting of the updated Privacy Policy, the User confirms their acceptance of it.