PRIVACY POLICY OF THE RUSSIAN INSTITUTE OF MODERN ARBITRATION FOR THE PROCESSING OF PERSONAL DATA
General Provisions
1. This Privacy Policy (Policy) defines the procedures for processing and protecting personal data of various categories of data subjects (subjects)[1] by the Autonomous Non-Commercial Organisation "Russian Institute of Modern Arbitration" (TIN 7707371500, Primary State Registration Number 1167700062804, address: 14, bldg 3, Kadashevskaya embankment, 119017, Moscow) and its structural division – the Russian Arbitration Center (RIMA).
2. RIMA’s primary goal and condition for the performance of its activities is to respect the rights and freedoms of individuals and citizens when processing their personal data, including the protection of rights to privacy, personal, and family secrets.
3. RIMA may amend this Policy. The new version of the Policy takes effect upon its publication, including on RIMA's websites: https://modernarbitration.ru; https://centerarbitr.ru .
4. This Policy applies to all information RIMA may obtain about visitors of the websites with the domain names modernarbitration.ru; centerarbitr.ru (and third-level domains).
Purposes, Categories of Personal Data and Grounds for Processing
5. RIMA may process personal data solely for the purposes for which it was collected or obtained. The purposes for processing personal data by RIMA are specified in the Appendix to this Policy.
6. RIMA has the right to process personal data for the specified purposes by any means that do not contradict the law, through automated, non-automated, and mixed processing methods. Upon achieving the processing goals or in the event of losing the necessity to achieve these goals, unless otherwise stipulated by law or agreed upon by the parties, the processed personal data must be destroyed.
7. RIMA does not process biometric data or information concerning racial or national origin, political views, religious or philosophical beliefs, the personal life of the subjects of personal data, or information about criminal records.
8. The processing of personal data for the purposes specified in the Appendix is carried out by RIMA on the following legal grounds:
• The conclusion and execution of a contract, where the subject is a party or a beneficiary or guarantor;
• With the consent of the subject of personal data, provided when filling out web forms, sending requests to RIMA, or in any other manner;
• To fulfill the functions and obligations imposed on RIMA by applicable legislation, including Federal Law No. 382-FZ of December 29, 2015 “On Arbitration (Arbitral Proceedings) in the Russian Federation” (Law on Arbitration);
• To exercise the rights and legitimate interests of RIMA or third parties or to achieve socially significant goals, provided that the rights and freedoms of the subject are not violated.
Principles of Personal Data Processing
9. The processing of information is carried out by RIMA in accordance with this Policy, bylaws of RIMA, as well as the legislation of the Russian Federation, in particular Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (Personal Data Law).
10. RIMA processes personal data based on the following principles:
• The processing of personal data is carried out on a lawful and fair basis;
• The processing of personal data is limited to achieving specific, predetermined, and lawful purposes;
• The processing of personal data incompatible with the purposes of collecting personal data is not permitted;
• The merging of databases containing personal data processed for incompatible purposes is not allowed;
• Only personal data that corresponds to the purposes of their processing is subject to processing;
• The content and volume of processed personal data correspond to the stated purposes of processing. Redundancy of processed personal data in relation to the stated purposes is not allowed;
• When processing personal data, accuracy, sufficiency, and, where necessary, relevance to the purposes of processing are ensured, and necessary measures are taken to remove or clarify incomplete or inaccurate personal data;
• The storage of personal data is carried out in a form that allows for the identification of the subject of personal data, no longer than required by the purposes of processing personal data, unless the storage period is established by federal law, consent for processing, or a contract where the subject is a party, beneficiary, or guarantor;
• Processed personal data is destroyed upon achieving the purposes of processing or when there is no longer a need to achieve these purposes unless otherwise provided by federal law;
• The processing of personal data is not used for causing property and/or moral harm to subjects of personal data or hindering the realisation of their rights and freedoms.
Conditions for Processing Personal Data
11. The processing of personal data is carried out by RIMA, as well as by other third parties engaged by RIMA for processing or to whom personal data is transferred in accordance with the applicable legislation. Such third parties may include:
• RIMA's counterparties providing services, including support services for the information systems used;
• Co-organisers of events held by RIMA;
• State/municipal authorities in cases established by law.
12. Data collected by the web analytics systems used may also be received and processed by third-party providers of such systems (in particular, Yandex Metrika).
13. RIMA may carry out cross-border transfer of personal data in accordance with the applicable legislation.
14. RIMA has the right to engage third parties in the processing of received personal data and/or transfer received data to them, as well as to receive data from them for the purposes specified in the Appendix, without additional consent from the subject, provided that these third parties ensure the confidentiality and security of personal data during processing. The processing of personal data by these third parties may be carried out with or without the use of automation tools, as well as any actions related to the processing of personal data that do not contradict the applicable legislation. The processing of personal data by a third party can only be carried out based on a contract that defines the list of actions (operations) that will be performed with the personal data and the purposes of processing, as well as provisions for ensuring the security of personal data, including requirements not to disclose or distribute personal data without the consent of the subject unless otherwise provided by the applicable legislation, as well as requirements in accordance with Article 19 of the Personal Data Law.
15. RIMA undertakes to take necessary legal, organisational, and technical measures to protect received personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unlawful actions regarding personal data, and to comply with the principles and rules for processing personal data stipulated by the Personal Data Law and other relevant regulations.
16. RIMA is prohibited from making decisions that produce legal consequences for the subject or otherwise affect their rights and legitimate interests solely based on automated processing of personal data.
17. RIMA does not place personal data in publicly accessible sources without the consent of the subject of personal data.
18. If RIMA disseminates personal data of subjects among an indefinite circle of individuals, including on its websites, RIMA collects consent from the subjects for processing personal data permitted by the subjects for dissemination in accordance with Article 10.1 of the Personal Data Law. If subjects establish additional conditions/prohibitions on further processing of their personal data, RIMA communicates this information by posting conditions/prohibitions on the relevant pages of its websites where personal data is disseminated.
Measures to Ensure the Security of Personal Data
19. RIMA takes all necessary organisational and technical measures to protect personal data of subjects from unlawful or accidental access, destruction, alteration, blocking, dissemination, as well as from other unlawful actions regarding such data.
20. The measures to ensure the security of personal data at RIMA include, but are not limited to, the following:
• Keeping records of the categories of personal data processed by RIMA, the categories of subjects whose personal data is processed, the storage periods, and the procedures for the destruction of such personal data;
• Keeping records of machine carriers of personal data and information systems at RIMA in which personal data is processed;
• Determining the necessary level of protection for personal data processed in RIMA’s information systems;
• Identifying security threats to personal data during processing in information systems;
• Determining and implementing technical and organisational measures to ensure the protection of personal data before introducing new personal data processing processes and new personal data information systems;
• Conducting and documenting an assessment of the harm that may be caused to subjects of personal data in the event of a violation of the Federal Law "On Personal Data," and correlating this harm with the measures taken by RIMA;
• Establishing rules for access to personal data processed in information systems, as well as ensuring the registration and accounting of actions performed with personal data in information systems;
• Applying information protection means that have undergone the established procedure for conformity assessment;
• Detecting unauthorised access to personal data and other incidents, taking measures to eliminate and mitigate consequences;
• Restoring personal data that has been modified or destroyed due to unauthorised access;
• Keeping records of positions of RIMA employees whose access to personal data, both with and without the use of automation tools, is necessary for the performance of their official (labor) duties;
• Ensuring that RIMA employees who directly process personal data acknowledge, by signature, their familiarity with the provisions of Russian legislation on personal data and with legislation of other relevant countries, including requirements for the protection of personal data, this Policy, and other bylaws of RIMA regarding the processing and protection of personal data, as well as training for RIMA employees;
• Monitoring and evaluating the efficiency of measures taken to ensure the security of personal data before putting a personal data information system into operation;
• Conducting regular internal control/audits of compliance with the processing and security of personal data according to current legislation in the Russian Federation and internationally recognised standards regarding the processing and security of personal data.
21. RIMA has appointed a person responsible for the protection of personal data.
22. Bylaws that are mandatory for all RIMA employees to comply with, as well as relevant agreements with partners, counterparties, and other third parties concerning their obligations, specify:
• Procedures for granting access to information;
• Procedures for altering personal data to ensure their accuracy, reliability, and relevance, including concerning the purposes of processing;
• Procedures for destroying or blocking personal data if necessary;
• Procedures for dealing with requests from subjects of personal data (and their legal representatives) in cases provided for by the Personal Data Law, in particular, the procedure for preparing information about the existence of personal data related to a specific subject, the information necessary to provide the subject (or their legal representatives) with access to their personal data, as well as procedures for processing requests for clarification of personal data, their blocking, or destruction if they are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the established purpose of processing;
• Procedures for processing requests from authorised bodies for the protection of the rights of subjects of personal data;
• Procedures for obtaining consent from the subject of personal data for the processing of personal data;
• Procedures for transferring personal data to third parties;
• Procedures for working with physical carriers of personal data;
• Procedures necessary for notifying the authorised body for the protection of the rights of subjects of personal data within the timeframes established by the Personal Data Law.
23. When collecting personal data, RIMA ensures the collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion, and destruction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
Use of Cookies and Other Web Analytics Tools
24. A cookie is a small file that is created and stored by the browser when visiting RIMA websites. Cookies are stored on the device for no more than a year and allow for tracking the quality of the website's performance and its usage characteristics, as well as optimising online marketing activities.
25. Visiting and using the websites by default involves the generation and storage of cookies. However, the user can delete cookies from their device at any time through the settings of their browser. The user can also decline to accept cookies; however, this may prevent all functions of the websites from working properly.
26. The following types of web analytics tools are used on RIMA websites:
Technical and Functional Cookies | These files, generated by the website engines, are used to ensure the smooth operation of the websites, as well as to remember the settings selected by the user (in particular, pop-up banners and the memorisation of provided consents and permissions). |
Analytical Cookies | These files allow for counting the number of users on the website; determining what actions users take on the site (visited pages, time spent, and number of pages viewed). The collection of analytical data is conducted through Yandex Metrika. |
Rights of Personal Data Subjects and Contacts Regarding Personal Data Processing
27. When processing personal data, subjects have the right to:
• Request information regarding the processing of their personal data;
• Obtain any clarifications on issues concerning the processing of their personal data;
• Demand the clarification, destruction, or blocking of their personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
• Refuse the processing of personal data for receiving informational messages from RIMA;
• Withdraw the consents provided to RIMA for the processing of personal data;
• Challenge RIMA’s actions in administrative or judicial proceedings.
28. If you have any questions or inquiries regarding the processing of personal data, particularly for withdrawing consent for personal data processing, you can contact us at the email address info@centerarbitr.ru or send a written request to the following address: 14, bldg 3, Kadashevskaya embankment, 119017, Moscow or Unit 804B, Emirates Financial Towers, Dubai International Financial Centre, Dubai.
29. RIMA responds to requests from subjects within the timeframes established by the legislation of the Russian Federation or any other applicable legislation. In cases where circumstances require additional information to be established, RIMA has the right, in cases specified by the legislation, to extend the response time to a subject’s request by up to 5 working days, provided that a reasoned notification about the reasons for the extension is sent to the subject.
Appendix
Purposes for Data Processing by RIMA
Purpose for Processing | Categories of Personal Data | Categories of Subjects | Processing Period | Destruction Procedure |
Ensuring the participation of the subject in events and projects organised by RIMA (including registration, access to the venue, sending information about the event concerned) | · full name; · email; · other data that the subject considered necessary to provide | Attendees of events or projects organised or supported (co-organized) by RIMA | Until the purposes of personal data processing are achieved or until withdrawal of consent | Destruction of data stored in electronic medium; recycling of paper documents |
Ensuring the participation of the subject as a speaker of the event, including payment or reimbursement of the speaker’s expenses | · full name; · email; · affiliation and position; · bank details, passport details and TIN (if participation involves remuneration); · other data that the subject considered necessary to provide | Speakers of events or projects organised or supported (co-organized) by RIMA | Until the purposes of personal data processing are achieved or until withdrawal of consent | Destruction of data stored in electronic medium; recycling of paper documents |
Responses to requests from subjects, including regarding the functioning of RIMA, projects, administration of arbitration, arbitration clauses | · full name; · email; · affiliation and position; · phone number; · other data that the subject considered necessary to provide | Subjects who submitted requests to RIMA by email or by filling out web forms on the websites | Until the purposes of personal data processing are achieved or until withdrawal of consent | Destruction of data stored in electronic medium; recycling of paper documents |
Ensuring the participation of the subject in arbitrations administered by the Russian Arbitration Center | · full name; · passport details; · date of birth; · email; · phone number; · other data that the subject considered necessary to provide | Parties to arbitration and their representatives | 10 years after termination of arbitration (the period established by the Arbitration Rules of the Russian Arbitration Center in accordance with Article 39 of the Law on Arbitration) | Destruction of data stored in electronic medium; recycling of paper documents |
Taking part as an arbitrator in arbitrations administered by the Russian Arbitration Center, including appointment, payment of arbitrator’s fees, attending the hearings | · full name; · email; · phone number; · post address; · passport details; · date of birth; · TIN; · bank details; · information about work experience, qualifications and education; · other data that the subject considered necessary to provide | Arbitrators and former arbitrators in arbitrations administered by the Russian Arbitration Center | 10 years after termination of arbitration (the period established by the Arbitration Rules of the Russian Arbitration Center in accordance with Article 39 of the Law on Arbitration) | Destruction of data stored in electronic medium; recycling of paper documents |
Enrollment of the subject into the United recommended list of Arbitrators and Databases of Specialists of the Russian Arbitration Center and posting information about the subject on the relevant sections of the website (with restrictions) | · full name; · date of birth; · email; · phone number; · post address; · information about work experience, qualifications and education; · membership in professional associations; · other data that the subject considered necessary to provide | Specialists enrolled into the United recommended list of Arbitrators and Databases of Specialists of the Russian Arbitration Center | Until the purposes of personal data processing are achieved or until withdrawal of consent | Destruction of data stored in electronic medium; recycling of paper documents |
Conclusion of contracts | · full name; · date of birth; · email; · phone number; · bank details; · other data that the subject considered necessary to provide | Counterparties and their representatives | 3 years after fulfillment of all obligations under the contract | Destruction of data stored in electronic medium; recycling of paper documents |
Sending newsletters and updates | · full name; · email; · affiliation and position; · other data that the subject considered necessary to provide | Subjects who have agreed to receive newsletters | Until the purposes of personal data processing are achieved or until withdrawal of consent | Destruction of data stored in electronic medium; recycling of paper documents |
[1] Not including employees, former employees and their relatives.