This document defining the Controller's policy regarding the processing and protection of personal data (hereinafter, the "Policy") is adopted and developed in accordance with the requirements of Federal Law of the Russian Federation dated July 27, 2006 No. 152-ФЗ (152-FZ) "On Personal Data", as well as in accordance with the requirements of the Regulation of the European Parliament and of the Council of the European Union dated April 27, 2016 No. 2016/679 "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (General Data Protection Regulation, hereinafter "GDPR"). 1. Terms "Personal Data"
means any information that refers, directly or indirectly, to an identified or identifiable individual (data subject); "Processing of Personal Data"
means any action (transaction) or a number of actions (transactions) performed with or without automated technologies in regards to the Personal Data, including collection, recording, systematization, accumulation, storage, rectification (updating, change), retrieval, use, transfer (provision, access, distribution) to third parties, depersonalization, blocking, deletion, and destruction of the Personal Data; "Controller"
means Sberbank (address: 19 Vavilova St., Moscow, 117312, Russia, e-mail: email@example.com
, tel: 8 (800) 555-55-50); "Accelerator"
means a program conducted by the Controller to organize the selection and training of participants - startup projects to develop teams and their business projects in order to find synergies to conduct pilot projects and organize cooperation, as well as attract investment, organize other events (Sber500); "Confidentiality of Personal Data"
shall mean obligatory compliance by the Controller or another entity granted with access to Personal Data with the requirement of preventing its disclosure and dissemination without any legal ground; "Website"
means a collection of linked web pages located on the Internet at a unique address (URL): https://sberbank-500.ru
. For the purposes of this Policy, the Website also means the relevant web page where Users submit an application to participate in the Accelerator; "User"
means a representative of a legal entity that has applied for participation in the Accelerator by filling out a questionnaire posted on the Internet at the unique address (URL): https://sberunity.ru
means a small fragment of data which a website requests from the browser used on your PC or mobile device. Cookies allow the website to "remember" the User's actions or preferences. Cookies are stored locally on the User's PC or mobile device. The users can delete saved cookie files at their own wish.
Any terms and definitions used in this Policy that are not mentioned in this section will be interpreted systematically in connection with the other terms, individual conditions, and according to the meaning that follows from the text of the Policy. Where it is not possible to define the content of a term or concept from the text of the Policy, the term or concept in question shall be defined in accordance with the Sber500 Accelerator Participation Rules and applicable law or in accordance with the prevailing law enforcement practice. 2. Subject matter of the Policy
2.1. The Policy shall apply to the processing of Personal Data by the Controller in the following cases:
- conducting the Accelerator;
- use of the Website owned by the Controller;
- sending any appeals by visitors to the Website to the Controller.
2.2. The subjects whose Personal Data is processed under the Policy shall be:
3. Purposes of the Processing of Personal Data and their composition
- representatives and employees of participants, of potential participants in the Accelerator;
- Users, visitors to the Website;
- other persons in the cases specified in clause 2.1 of the Policy.
3.1. Personal Data shall be processed for the following purposes:
- providing information about the Accelerator, including about the various events, presentations and programs as part of it;
- organizing and ensuring participation of Data Subjects in the Accelerator and other related events initiated and held by the Controller, informing them about them;
- concluding agreements with the Accelerator participants, including conducting due diligence procedures (due diligence of the Accelerator participant);
- processing of appeals of Data Subjects and their feedback following the results of the Accelerator;
- conducting analytical, statistical, marketing research and surveys, the formation of personal proposals based on them;
- compliance with the laws of the Russian Federation, the GDPR, and other applicable laws.
3.2. In order to achieve the above purposes, the Controller may process Personal Data provided that it complies with the requirements established by the legislation of the Russian Federation and the GDPR for its processing. The list of processed Personal Data includes the following categories:
- basic information about the individual (full name, contact information (home and/or cell phone number, photos taken during the Accelerator, email address, link to the social media profile);
- social status (in particular, information about the position and place of work, education);
- information about the activities carried out on the Website, as well as information about the devices used (in particular, IP addresses, cookies);
- other data communicated by the User to the Controller at his/her discretion (in particular, the content of the appeal, of the feedback).
3.3. Specific purposes of the Processing of Personal Data, their composition, actions taken with them may also be brought to the attention of the Data Subject during the collection of Personal Data in a manner and form appropriate to the source of receipt and the basis for Processing of such Personal Data (e.g., consent to the Processing of Personal Data). 4. Legal basis for the Processing of Personal Data
4.1. The Controller shall process the Personal Data specified in Section 3 of the Policy only if one of the following legal grounds for such Processing applies:
- the Data Subject has consented to the Processing of such data for the purposes specified in Section 3 of the Policy;
- Processing of Personal Data is necessary in order for the Controller to be able to enter into a contract with the Data Subject and to fulfill its contractual obligations (in particular those set out in the Sber500 Accelerator Participation Rules);
- Processing of Personal Data is necessary in order to fulfill the obligation imposed on the Controller by the legislation of the Russian Federation or the GDPR;
- other applicable legal basis provided for by the laws of the Russian Federation or the GDPR.
If necessary, the Controller may assign the above Processing and/or transfer the above Personal Data (provide access to Personal Data) to a third party - AO Internet Projects (address: 23 Professor Popov Street, building D, room 28n, St. Petersburg, 197022).
4.2. The Controller shall provide Personal Data to the public authorities and local self-governing bodies, courts, law enforcement agencies, and other authorized bodies in the cases and in the manner prescribed by Russian law or the GDPR.
4.3. Provision of Personal Data, if the Processing is supposed to be based on the consent of the Data Subject, is voluntary, the absence of such consent makes it impossible for the Controller to carry out the Processing for specific purposes, in particular for marketing purposes. However, without obtaining certain Personal Data, the Controller will not be able to fulfill its obligations to the relevant startup project in connection with the Accelerator, so failure to provide them will result in the inability of such startup project to participate in the Accelerator.
4.4. Sources of obtaining Personal Data: the Data Subjects directly, as well as authorized representatives of the relevant startup projects. 5. Rights of the Data Subject, obligations of the Controller
5.1. The Data Subject shall have the right, if the relevant right is provided for by the legislation applicable to the relationship between the particular Data Subject and the Controller:
5.1.1. To withdraw consent to process Personal Data by filling out a web form posted on the Internet at the unique address (URL): https://sberunity.ru
/registration, or by sending a scanned copy of a free-form written notice with his/her signature or the signature of his/her representative, containing an explicit withdrawal of consent to process Personal Data, by e-mail: firstname.lastname@example.org
, or the original of such notice to the Controller by registered mail with the list of attachments or by courier service, or by hand delivery under signature to the Controller's authorized representative. The Controller shall cease Processing of Personal Data based on such consent, unless otherwise provided for in the laws of the Russian Federation and the GDPR.
5.1.2. Request the confirmation of his or her Personal Data processing. In case of such Processing the Data Subject has a right to familiarize himself or herself with the Personal Data being processed, as well as with information about the purposes of Processing, the categories of data being processed, the actions with the data, the receivers of the data and the guarantees when the data is transferred to third parties, the period of Processing, the sources of the data, and whether decision-making is fully automated, inclusion of the Data Subject in the marketing mailouts by the Controller. The Data Subject also has the right to obtain the list of the Personal Data being processed.
5.1.3. Demand to modify their Personal Data if inaccuracies are found in the Personal Data processed by the Controller. Taking into account the purposes of the Processing, the Data Subject has the right to supplement the Personal Data, including by submitting an additional application.
5.1.4. Initiate limitations on Processing of his or her Personal Data if one of the following conditions is met:
- the accuracy of Personal Data is being contested by the Data Subject (limitation for the period necessary for the Controller to confirm the accuracy of the Personal Data);
- unlawful Personal Data Processing has been revealed, the data subject opposes deleting the personal data and demand limiting the use thereof instead;
- the Controller does not need the Personal Data for the purposes of Processing any more, but the data subject needs the Personal Data for the purpose of substantiation, performance or defense as part of legal proceedings;
- the data subject opposes the Processing of their personal data (limitation for a period necessary for the Controller to confirm whether the Controller's legal grounds for personal data processing prevail over the lawful claims of the subject in case of the Processing on the relevant ground)
5.1.5. Request deletion (destruction) of his/her Personal Data if one of the following conditions applies:
- the Personal Data are no longer required for the purposes for which they have been obtained;
- the data subject withholds the consent on the basis of which the Processing has been carried out, if there are no other legal grounds for Processing;
- the Personal Data are being processed unlawfully;
- Personal data must be destroyed in order to comply with obligations under applicable law;
- The Personal Data was obtained while delivering information society services.
5.1.6. The Data Subject has a right to demand the list of their personal data to be processed by the Controller in a structured, uniform and machine-readable format, and to instruct the Controller to transfer such data to a third party if the Controller has the technical possibility to do so. In this case the Controller shall not be liable for further actions of a third party related to the Personal Data.
5.1.7. The data subject has the right to oppose Processing of the full list of their Personal Data (of a part thereof) for the purposes indicated in Section 3 of the Policy, except for the cases where the legal grounds for personal data Processing prevail over the interests, rights and freedoms of the data subject or where the Processing of the personal data is necessary for substantiation, execution or defense in legal proceedings.
5.1.8. The data subject has the right to bring a complaint to the supervisory authority if the Controller violates their rights in any way in personal data Processing.
5.2. The Controller shall process personal data of the data subject, as well as ensure confidentiality and protection of processed Personal Data in accordance with the requirements of Federal Law dated July 27, 2006 No. 152-ФЗ (152-FZ) "On Personal Data", as well as of the GDPR. When Processing Personal Data, the Controller shall take the necessary legal, organizational and technical measures to protect Personal Data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of Personal Data, as well as from other unlawful actions in relation to Personal Data.
5.3. If the Processing of Personal Data is based on the consent of the Data Subject, the Controller shall carry out the Processing within the period specified in the relevant consent for the Processing of Personal Data. Notwithstanding the above, in cases where Personal Data is processed on other legal grounds, the Controller may store Personal Data for the period of time necessary to achieve the purposes specified in Clause 3.1 of the Policy, with the relevant Personal Data to be deleted upon achievement of such purposes. 6. Final provisions
6.1. This Policy shall become effective upon approval and remain in effect until it is amended and/or a new version is adopted by the Controller.
6.2. The Policy may be updated or otherwise modified by the Controller from time to time, and any changes shall be published by the Controller. Such changes shall take effect from the moment of their publication.