PERSONAL DATA PROCESSING POLICY
of the Autonomous Non-Commercial Organization
for Continuing Professional Education
"Academy of Conscious Thinking"

1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter referred to as the “Policy”) of the Autonomous Non-Commercial Organization for Continuing Professional Education “Academy of Conscious Thinking” (hereinafter referred to as the “Academy”) establishes the main principles, purposes, conditions, and methods of personal data processing, the categories of data subjects and the types of personal data processed by the Academy, the functions of the Academy in the context of personal data processing, the rights of data subjects, and the measures taken by the Academy to ensure the protection of personal data.
1.2. This Policy is developed in accordance with the Constitution of the Russian Federation, federal laws, and other regulatory legal acts governing personal data.
1.3. The provisions of this Policy form the basis for local regulations governing the processing of personal data of Academy employees and other data subjects.
1.4. This Policy enters into force upon approval by the General Director of the Academy and remains in effect indefinitely until amended or replaced. Upon adoption of a revised version, the previous version becomes void.

2. Legal and Regulatory Framework
2.1. The Academy’s personal data processing policy is based on the following:
  • The Labor Code of the Russian Federation;
  • Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”;
  • Presidential Decree No. 188 of March 6, 1997 “On Approval of the List of Confidential Information”;
  • Government Decree No. 687 of September 15, 2008 “On Approval of the Regulation on the Specifics of Processing Personal Data without Automation Tools”;
  • Government Decree No. 512 of July 6, 2008 “On Requirements for Biometric Personal Data Carriers and Storage Technologies”;
  • Government Decree No. 1119 of November 1, 2012 “On Requirements for Personal Data Protection in Information Systems”;
  • Order No. 55 by FSTEC of Russia, No. 86 by FSB of Russia, and No. 20 by the Ministry of Communications of February 13, 2008 “On Approval of the Procedure for Classifying Personal Data Information Systems”;
  • Order No. 21 by FSTEC of Russia of February 18, 2013 “On the Composition and Content of Organizational and Technical Measures to Ensure Personal Data Security in Information Systems”;
  • Order No. 996 by Roskomnadzor of September 5, 2013 “On Approval of Requirements and Methods for Personal Data Anonymization”;
  • Other relevant Russian regulations and guidelines of authorized governmental agencies.
2.2. To implement the provisions of this Policy, the Academy develops relevant internal regulations, including a detailed policy on personal data processing.

3. Key Terms and Definitions
  • Personal Data – Any information related directly or indirectly to an identified or identifiable individual (data subject).
  • Information – Data regardless of form.
  • Operator – A state body, municipal authority, legal entity, or individual that independently or jointly determines the purposes, scope, and means of processing personal data.
  • Processing of Personal Data – Any operation or set of operations performed on personal data, with or without the use of automation tools.
  • Automated Processing – Processing using computing equipment.
  • Disclosure – Actions aimed at making personal data available to a specific person or group.
  • Dissemination – Making personal data available to an indefinite group of people.
  • Cross-border Transfer – Transfer of personal data to a foreign state, individual, or entity.
  • Blocking – Temporary suspension of data processing.
  • Destruction – Actions that render personal data irretrievable.
  • Anonymization – Actions that prevent identification of the data subject without additional information.
  • Personal Data Information System – A combination of databases and IT tools used to process personal data.

4. Principles and Purposes of Processing
4.1. As a data operator, the Academy processes personal data of both employees and individuals not in employment relationships.
4.2. The Academy adheres to the following principles:
  • Legality and fairness;
  • Data is processed only for specific, legitimate purposes;
  • No processing incompatible with the purposes for which the data was collected;
  • No merging of databases with incompatible purposes;
  • Only data relevant to the stated purposes is processed;
  • Data must be accurate, sufficient, and up-to-date;
  • Inaccurate or incomplete data must be corrected or deleted;
  • Data must not be stored longer than necessary;
  • Data is deleted or anonymized once no longer needed.
4.3. The purposes of data processing include:
  • Compliance with Russian legislation and internal regulations;
  • Fulfillment of legal duties, including reporting to state authorities and social funds;
  • Management of employment relations;
  • Provision of employee benefits and social guarantees;
  • Protection of the life and health of data subjects;
  • Contractual relationships;
  • Internal documentation and information support;
  • Execution of legal decisions and enforcement procedures;
  • Pursuit of legitimate interests or socially significant goals.

5. Data Subjects
The Academy processes data of the following categories:
  • Employees;
  • Clients, students, and other counterparties;
  • Other individuals as required to fulfill the purposes stated in Section 4.

6. Types of Data Processed
6.1. The data processed is defined in accordance with Russian law and internal regulations.
6.2. The Academy does not process special categories of data (racial, ethnic origin, political opinions, religious beliefs, or intimate life).

7. Academy’s Responsibilities
7.1. The Academy:
  • Ensures compliance with applicable laws and internal regulations;
  • Implements legal, organizational, and technical data protection measures;
  • Appoints a Data Protection Officer;
  • Issues internal regulations and policies;
  • Trains employees in data protection rules;
  • Publishes this Policy publicly;
  • Provides data subjects access to their data, unless restricted by law;
  • Stops processing and destroys data as required by law;
  • Takes other legally mandated actions.

8. Conditions of Processing
8.1. Data is processed with the data subject’s consent, unless otherwise stipulated by law.
8.2. Data is not disclosed or shared without consent, unless required by federal law.
8.3. Processing may be delegated to third parties under a formal agreement ensuring confidentiality and data security.
8.4. With written consent, personal data may be included in internal reference materials.
8.5. Only employees whose positions involve data processing are granted access.

9. Methods of Processing
9.1. The Academy performs: collection, recording, systematization, accumulation, storage, updating, retrieval, use, transfer, anonymization, blocking, deletion, and destruction of data.
9.2. Methods include:
  • Manual (non-automated) processing;
  • Automated processing with or without online transmission;
  • Mixed methods.

10. Rights of Data Subjects
10.1. Data subjects have the right to:
  • Full information about their data;
  • Access to and copies of their data;
  • Correction, blocking, or deletion of incomplete or inaccurate data;
  • Withdraw consent at any time;
  • Seek legal protection of their rights;
  • File complaints with supervisory authorities or courts;
  • Exercise other rights under Russian law.

11. Data Protection Measures
11.1. The Academy ensures compliance through:
  • Appointment of a responsible person;
  • Adoption of internal regulations;
  • Staff training;
  • Obtaining consent where required;
  • Separation and secure storage of manual records;
  • Restriction of data transfers via unsecured networks;
  • Secure storage of physical media;
  • Internal audits and monitoring;
  • Additional measures as required by law.
11.2. Measures for securing data in IT systems are defined in separate internal regulations.

12. Compliance Control
12.1. The Academy monitors compliance with laws and internal rules to detect and prevent breaches, data leaks, or unauthorized access.
12.2. Internal audits are conducted by the designated Data Protection Officer.
12.3. The responsible person ensures adherence to all data protection regulations and internal rules.
12.4. Academy staff are personally responsible for compliance with data protection legislation and for maintaining the confidentiality and security of personal data of employees, clients, and other stakeholders.