Committee on Regulatory Affairs
Head: Artem Sheikin – Senator of the Russian Federation, member of the Federation Council Committee on Constitutional Legislation and State Building, Ph.D. in Economics.

The Committee participates in forming the regulatory environment for the IT industry, considering state tasks, software and equipment implementation practices, and state measures to stimulate the IT industry.

Committee objectives:
Preparation of proposals for draft regulatory legal acts in the IT sector
Participation in expert councils on regulatory policy issues in the field of information technology
Interaction with government authorities to improve the regulatory framework
Formation and provision of legal expertise
Committee activities:
Proposals have been sent to more than 20 draft regulatory acts, including:
  • Decision of the Government of the Russian Federation "On approval of the regulation on state accreditation of Russian organizations engaged in the field of information technology";
  • Decision of the Government of the Russian Federation "On preferential mortgages for employees of accredited IT organizations";
  • Decision of the Government of the Russian Federation "On the Rules for Granting Deferment from Military Service for Citizens of Russia working in accredited IT organizations";
  • Draft fundamentals of state policy on ensuring technological independence of the critical information infrastructure of the Russian Federation;
  • Draft concept of the Federal Law "Digital code of the Russian Federation" and others.
Representatives of the Association joined the Expert Council on Regulatory Policy at Digital economy NPO.
At the CIPR-2023 conference, the Map of key regulatory acts in the field of critical information infrastructure was presented.
POLICY

Policy of the Association of Major Software and Hardware Consumers Regarding the Processing of Personal Data

1. General Provisions

1.1. The Policy of the Association of Major Software and Hardware Consumers (hereinafter referred to as "the Policy" or "the Association") outlines the Association’s approach to the processing, security, and protection of personal data. It establishes the core principles for handling this information within the Association.

1.2. Key definitions used in the Policy:
— Personal Data: Any information related to an identified or identifiable natural person (data subject), such as surname, first name, patronymic, date of birth, place of birth, address, marital status, social status, education, occupation, job title, place of employment, phone number, email address, login, and password.
— Personal Data Operator (Operator): The Association, which either independently or in collaboration with others, organizes and/or carries out the processing of personal data, determines the purposes of data processing, the composition of personal data to be processed, and the actions (operations) performed on the personal data.
— Personal Data Processing: Any action (operation) or set of actions (operations) performed with or without the use of automated means, including the collection, recording, organization, accumulation, storage, updating (modification), retrieval, usage, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data.
— Automated Processing of Personal Data: Processing of personal data by means of computer technology.
— Distribution of Personal Data: Actions aimed at disclosing personal data to an unspecified group of people.
— Provision of Personal Data: Actions aimed at disclosing personal data to a specific person or a specific group of people.
— Blocking of Personal Data: Temporary suspension of data processing (except in cases where processing is necessary for data verification).
— Destruction of Personal Data: Actions resulting in the permanent irrecoverability of personal data in an information system and/or the destruction of physical media containing personal data.
— Anonymization of Personal Data: Actions resulting in the inability to determine, without additional information, the identity of the data subject.
— Personal Data Information System: A set of personal data contained in databases and the information technologies and technical means that ensure their processing.
— Transborder Transfer of Personal Data: Transfer of personal data to the territory of a foreign state, a foreign authority, a foreign individual, or a foreign legal entity.

1.3. The Policy governs the relationships between the Association and:
- Any natural person (applicant for a vacant position, employee or former employee of the Association, member of the Association’s governing bodies, committees, and working groups, representative of a member organization of the Association, representative of an organization applying for membership, partner or representative of a partner, client or their representative, partner’s client, contractor or their representative, office visitor, or participant in a webinar/seminar and conference) regarding the processing of their personal data provided to the Association.
- Any natural person, individual entrepreneur, or legal entity, users of the Association’s official website in the information and telecommunications network "Internet" (hereinafter referred to as "User" or "Official Website") regarding the processing of personal data provided by the User and/or collected from the User.

1.4. The Policy applies to all personal data processing operations carried out by the Association, as well as to all information the Association and/or its affiliated or authorized representatives may obtain about the User during their use of the Official Website.

1.5. The data subject has the following rights:
- The right to access information regarding the processing of their personal data.
- The right to have their data corrected, blocked, or destroyed if the data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing.
- The right to withdraw previously given consent to the processing of personal data.
- The exercise of other rights as provided by the legislation of the Russian Federation.

1.6. To obtain information regarding the processing of their personal data, the data subject may send a written request to the address: 115 230, Moscow, 1st Nagatinsky Passage, 10, building 1, floor 10, room 6, in accordance with Article 14 of the Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006 (hereinafter referred to as Federal Law No. 152-FZ).

1.7. To exercise the right to withdraw consent to the processing of personal data, the data subject must send a notification to the Association’s email address: info@a-kppoo.ru with the subject "Withdrawal of Consent to the Processing of Personal Data." Termination of data processing by the Association may render further use of the Official Website and interaction with the Association impossible for the data subject.

1.8. If inaccuracies in personal data are discovered, the data subject can update (correct) their data by sending a notification to the Association at the email address: info@a-kppoo.ru with the subject "Data Update."

1.9. The data subject is required to inform the Association in a timely manner about any changes to their personal data.

1.10. The Policy is mandatory for familiarization and execution by all persons authorized to process personal data within the Association and those involved in organizing processes for the processing and ensuring the security of personal data in the Association.

1.11. Unlimited access to the Policy is provided by its publication in the information and telecommunications network "Internet" on the Official Website, in accordance with Article 18 of Federal Law No. 152-FZ.

1.12. The Policy applies to relationships regarding the processing of personal data that arose both before and after the publication of the Policy.

1.13. The Policy is subject to updating in the following cases:
- Changes in the legislation of the Russian Federation on personal data.
- Identification of discrepancies affecting the processing and/or protection of personal data based on the results of compliance monitoring.
- Decisions made by the Association’s management bodies.

1.14. Control over compliance with the Policy is carried out by the authorized person responsible for organizing the processing of personal data in the Association.

2. Purposes of Collecting Personal Data

2.1. The purpose of processing personal data is to ensure the User’s interaction with the Official Website (such as submitting an application for membership in the Association, sending notifications to the User about new services, special offers, and events), managing documentation regarding individuals listed in clause 1.3 of the Policy, and concluding agreements and contracts that involve cooperation between the data subjects or the organizations they represent and the Association for activities specified in the Association’s Charter.

3. Legal Basis for Processing Personal Data

3.1. The legal basis for processing personal data includes a set of legal acts in accordance with which the Association processes personal data: the Association’s Charter, the Policy, agreements on personal data processing, consents for personal data processing, and contracts between the Association and the data subjects.

4. Scope and Categories of Processed Personal Data, Categories of Data Subjects

4.1. The Association processes certain categories of personal data listed in clause 1.2 of the Policy based on the data subject’s separate consent. This includes data allowed by the data subject for dissemination and access to an unlimited number of persons by publishing it on the Official Website, including in presentations, articles, photos, audio, and other works, in printed, outdoor advertising, and online advertising, in social networks — in the official groups or accounts of the Association.

4.2. The personal data specified in clause 4.1 of the Policy are published with the data subject’s separate consent to increase awareness and foster a positive attitude towards the Association’s activities.

4.3. When the User visits the Official Website, data may be stored in their browser or transmitted by the browser in the form of cookies to provide relevant advertisements, combat fraud, analyze the operation of the Official Website, and carry out other lawful procedures.

4.4. The User can change the cookie settings via their web browser settings. All data is aggregated and thus remains anonymous.

5. Procedure and Conditions for Processing Personal Data

5.1. Personal data processing includes the actions specified in the respective definition in clause 1.2 of the Policy, namely: collection, recording, systematization, accumulation, storage, updating (modification), retrieval, usage, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction.

5.2. The Association takes or ensures the taking of legal, organizational, and technical measures necessary to fully comply with the requirements of the current legislation of the Russian Federation on the protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions regarding personal data, in accordance with Article 19 of Federal Law No. 152-FZ.

5.3. The Association ensures the security of personal data and takes all possible measures to prevent unauthorized access.

5.4. The Association processes personal data when provided directly by the data subject through forms on the Official Website or by sending their data to the Association. By filling out these forms and/or submitting their personal data, the data subject agrees to this Policy.

5.5. Personal data processing is carried out both on paper and electronically by:
- Receiving original documents.
- Copying original documents.
- Entering information into records on paper and electronic media.
- Generating personal data during HR work.
- Entering personal data into information systems.

5.6. The transfer of personal data to third parties, in accordance with the confidentiality requirements set forth in Article 7 of Federal Law No. 152-FZ, is not performed, except in cases:


- Where the data subject has given explicit consent for their data to be transferred.
- Specified in the legislation of the Russian Federation.

5.7. Personal data may be disclosed to law enforcement agencies and other authorized governmental bodies in cases stipulated by the legislation of the Russian Federation.

5.8. Automated decision-making processes using personal data are not applied.

5.9. Personal data will be processed for no longer than necessary for the stated purpose of processing. Upon achieving the stated purposes, the data will be destroyed, unless otherwise provided by the legislation of the Russian Federation and/or by agreement with the data subject.

5.10. Personal data is processed in compliance with the principles and rules established by Federal Law No. 152-FZ.

5.11. All employees, contractors, and other individuals who process personal data on behalf of the Association are bound by this Policy and must adhere to its provisions.

6. Security Measures

6.1. The Association implements the following measures to ensure the security of personal data:
- Limiting access to personal data to only those employees, contractors, and other individuals who require access to perform their duties.
- Using security technologies to protect data stored on computer systems and databases.
- Regularly reviewing and updating security practices to protect against unauthorized access or breaches.
- Conducting training for employees, contractors, and other individuals on data protection and the handling of personal data.

6.2. The Association undertakes to notify data subjects and the relevant regulatory authorities in the event of a data breach or unauthorized access to personal data, as required by applicable laws and regulations.

6.3. Security measures are regularly reviewed and updated to maintain the confidentiality, integrity, and availability of personal data.

By implementing this Policy, the Association aims to protect the rights and freedoms of individuals whose personal data it processes, in accordance with the current legislation of the Russian Federation.

For further information, data subjects can contact the Association at:
Address: 115 230, Moscow, 1st Nagatinsky Passage, 10, building 1, floor 10, room
Email: info@a-kppoo.ru