Regulations on the Processing of Personal Data at National Research University Higher School of Economics
1. General Provisions
1.1. These Regulations on the Processing of Personal Data at National Research University Higher School of Economics (hereinafter referred to as the "Regulations" and "HSE University" or the "University," respectively) have been drafted in accordance with the requirements of Federal Law No. 152-FZ "On Personal Data", dated July 27, 2006 (hereinafter, the "Personal Data Law"), and set forth HSE University's policies with respect to the processing of personal data, including:
1.1.1. the purposes and objectives of the personal data processing;
1.1.2. the legal grounds for the processing of personal data;
1.1.3. the contents and categories of the personal data that is subject to processing;
1.1.4. the categories of personal data owners or personal data subjects;
1.1.5. actions (procedures) carried out with personal data;
1.1.6. processing requests submitted by personal data owners or subjects.
1.2. When processing personal data, HSE University shall proceed based on the imperative need to ensure the protection of the rights and freedoms of the individual person and citizen in accordance with the requirements of Russian Federation law.
1.3. Compliance with these Regulations is the primary obligation in processing personal data by the University and is mandatory for all HSE University employees.
1.4. These Regulations govern the relations between HSE University and other parties that arise in connection with the processing of such parties' personal data by the University.
1.5. HSE University shall take all legal, organisational and technical measures necessary for ensuring due compliance with legislation on personal data, or shall ensure that such measures are taken.
1.6. These Regulations may be amended without prior notification to personal data owners or subjects, and other relevant parties. The relevant text of these Regulations will be posted on the official HSE University website at the following address: https://www.hse.ru/data_protection_regulation.
2. Terms and Definitions
2.1. The terms and definitions used in these Regulations shall be applied in accordance with the meanings and interpretations set forth below.
2.1.1. personal data (hereinafter also referred to as "PD") shall mean any information that pertains, directly or indirectly, to a specifically identified or identifiable individual person (hereinafter, the "PD owner or subject" or the "PD owner/subject").
PD and their categories may differ by the degree of definability and identifiability of the PD owner/subject and depend on the actual possibility of identifying a specific person and citizen (PD owner/subject) on the basis of such PD.
Data that does not enable the identification of an individual person and citizen, or that does not enable making such an identification even with the application of some sort of special procedures[1], is not deemed to be PD, and the processing of such data does not imply any need to comply with Russian Federation legislation on personal data. Such data may include such frequently requested information items as sex (or gender), age, position[2], profession, and hobby, among others, as well as other information items that may emerge, due to the ubiquitous penetration of the Internet in daily life[3], for as long as the relevant information items do not enable the identification of an individual person and citizen.
2.1.2. PD owners/subjects shall mean specifically identified or identifiable (subject to identification) individuals. Such individuals may include employees, prospective students/applicants, students and graduates/alumni of HSE University, and participants in olympiad academic competitions and other events conducted by the University, as well as other individuals;
2.1.3. candidate shall mean an individual who has expressed an interest in entering into an employment relationship with the University;
2.1.4. employee shall mean an individual who has entered into an employment relationship with the University;
2.1.5. former employee shall mean an individual who previously had an employment relationship with the University;
2.1.6. student shall mean an individual that is engaged in pursuing an educational or degree programme. For the purposes of the Regulations, students include Bachelor's degree (undergraduate) and Master's degree students[4], doctoral students, learners/attendees, and other categories of students at the University, including its regional campuses, regardless of their citizenship. These Regulations shall also apply to individuals registered for interim assessments at the University, and individuals registered for writing a dissertation in pursuit of a Candidate of Sciences (PhD) degree without having pursued a doctoral programme at the University, including at its regional campuses.
2.1.7. prospective student/applicant shall mean an individual who is entitled to receive an education at a specific level and in a specific field of study or discipline offered by HSE University, and who has submitted an application for admission to an educational programme in accordance with the established procedure.
2.1.8. graduate/alumnus shall mean an individual who has been disenrolled as a student from HSE University in connection with the attainment of their education (completion of their studies);
2.1.9. contractor shall mean a person of full legal age who has concluded an independent contractor agreement with the University, or intends to conclude such an agreement, as well as an individual acting as the representative of a legal entity that has concluded or intends to conclude an independent contractor agreement with the University;
2.1.10. participants in olympiad academic competitions and other events shall mean individuals who are participating in olympiad academic competitions; exhibitions; festivals, parades and public showings; sporting and athletic events, including official sports competitions; promotional events (e.g., contests, drawings, lotteries and games; polling questionnaires and surveys; research studies; and other similar events) and other mass events;
2.1.11. members of governing bodies shall mean persons of full legal age who are members of the University's corporate governing bodies, as well as their close relatives, whose personal data should be processed in accordance with the requirements of Russian legislation currently in effect;
2.1.12. processing of personal data (hereinafter referred to as "PD processing") shall mean any action (procedure) or the sum total of actions (procedures) performed, with or without the use of computer equipment, involving personal data, including the gathering, recording, classification, accumulation, storing, refining (updating, amending), retrieval, use, transfer (distribution, submission, granting access to), depersonalisation, blocking, deletion, and destruction of personal data;
2.1.13. automated processing of personal data shall mean the processing of personal data with the aid of computer equipment;
2.1.14. distribution of personal data shall mean actions directed at the disclosure of personal data to an undetermined set of persons;
2.1.15. submission of personal data shall mean actions directed at the disclosure of personal data to a defined individual or a defined set of persons;
2.1.16. blocking of personal data shall mean the temporary suspension of personal data processing (with the exception of cases when such processing is necessary for the purpose of refining the personal data);
2.1.17. destruction of personal data shall mean actions that make it impossible to restore the contents of the personal data in the personal data information system and/or that result in the destruction of the physical media containing the personal data;
2.1.18. depersonalisation of personal data shall mean actions that make it impossible to determine that the personal data belongs to a specific personal data owner/subject without having access to or use of any additional information;
2.1.19. personal data information system (hereinafter, "PDIS") shall mean the aggregate of all personal data contained in PD databases and the information technology and technical equipment required for processing it;
2.1.20. operator shall mean a state or municipal body, a legal entity or individual person, which, acting either independently or jointly with other such bodies, legal entities or individuals, organises and/or carries out the processing of personal data, and also determines the purposes of PD processing, the content of the PD to be processed, and the actions (procedures) to be taken with respect to the personal data. For the purposes of these Regulations, HSE University is the operator;
2.1.21. PD legislation shall mean the Constitution of the Russian Federation, the Personal Data Law, and other laws and regulations governing relations pertaining to PD processing.
3. Conditions for the Processing of Personal Data
3.1. The University shall carry out the processing of personal data strictly with the goal of attaining the purposes and objectives set forth by these Regulations. Processing of personal data that is inconsistent with the stated purposes and objectives of PD processing is not permitted.
3.2. The following items are established for each PD processing purpose as appropriate to the given purpose:
3.2.1. categories and list of the personal data being processed;
3.2.2. categories of PD owners/subjects whose personal data may be subject to processing;
3.2.3. methods and timeframes for processing and storing personal data;
3.2.4. the procedure for destroying personal data.
3.3. The list of the University's purposes for processing personal data is presented in Annex 1 to these Regulations.
3.4. For each PD processing purpose, Annex 1 to these Regulations establishes a list of personal data items being processed for each category of PD owner/subject in the following categories:
3.4.1. special;
3.4.2. biometric;
3.4.3. other personal data.
3.5. A list of personal data being processed is established with respect to the following main categories of PD owners/subjects:
3.5.1. Prospective students/applicants;
3.5.2. Graduates/alumni;
3.5.3. Employees;
3.5.4. Students;
3.5.5. Candidates;
3.5.6. Contractors;
3.5.7. Participants in olympiad academic competitions and other events;
3.5.8. Members of University governing bodies.
3.6. The PD owner/subject categories established by p. 3.5 herein are not exhaustive. Annex 1 may also establish additional categories of PD owners/subjects whose personal data must be processed in order to attain the relevant processing purpose.
3.7. The following PD processing methods may be applied for each PD processing purpose:
3.7.1. automated processing of personal data in the University's PDIS with the aid of computer equipment;
3.7.2. non-automated processing of personal data without the aid of computer equipment by using physical media to record personal data.
3.8. The timeframes for processing and storing personal data are established based on the specific terms of the legal grounds for PD processing, factoring in the need to attain certain processing purposes. The processing and storage of personal data may not be carried out for a period longer than that required by the stated PD processing purposes, unless otherwise stipulated by current PD legislation.
3.9. Personal data is destroyed in the following cases:
3.9.1. upon attainment of the relevant PD processing purposes, or if there is no longer any necessity for attaining said purposes, unless otherwise stipulated by the rules set forth in these Regulations and the requirements of current PD legislation;
3.9.2. upon expiration of the term of validity of the legal grounds for PD processing;
3.9.3. upon the identification of an instance of PD processing that does not correspond to the relevant requirements of these Regulations and/or the requirements of current PD legislation;
3.9.4. upon the withdrawal by the PD owner/subject of their consent to the processing of their personal data, unless otherwise stipulated by the requirements of current PD legislation;
3.9.5. upon the submission by the PD owner/subject of a request to suspend the processing of their personal data if the relevant PD is incomplete, outdated, inaccurate, was obtained illegally, or is not necessary for the stated processing purpose, unless otherwise stipulated by the requirements of current PD legislation;
3.9.6. upon receipt from a regulatory body of a ruling requiring that the relevant PD be destroyed, including a regulatory ruling prohibiting or restricting the cross-border transfer of the PD.
3.10. Personal data is destroyed by means of taking actions that make it impossible to restore the contents of the personal data in personal data information systems and/or that result in the destruction of the physical media containing the personal data. A certificate attesting to the destruction of the personal data is drawn up in accordance with the results of the process of destroying the relevant PD and a relevant entry is made in the electronic log for recording events in the PDIS.
4. The Legal Grounds for the Processing of Personal Data
4.1. The legal grounds for the processing of the personal data of PD owners/subjects are established with due regard for the conditions for the processing of personal data, as defined by the Personal Data Law. The specific legal grounds for the processing of personal data based on which PD processing is permitted at the University are:
4.1.1. the University's receipt of the PD owner/subject's consent to the processing of their personal data with due regard for the requirements of PD legislation for the relevant category of personal data. The obtained consent form must state the relevant PD category and contain a list of the personal data being processed, as well as the processing purpose and the term of validity of the consent. Processing the personal data of an under-age or minor PD owner/subject also requires obtaining the consent to such PD processing of the individual acting as the legal representative (parent or guardian) of the given under-age PD owner/subject;
4.1.2. laws and regulations, and international treaties or conventions, in compliance with which and through the implementation of which the University carries out the processing of personal data as part of its day-to-day operations;
4.1.3. court orders and rulings, and rulings by another body or official, that the University must carry out in accordance with the provisions of Russian Federation legislation concerning enforcement proceedings;
4.1.4. agreements being carried out by the University, to which a PD owner/subject is a party and either a beneficiary or a guarantor, and agreements concluded with the University at the initiative of the PD owner/subject, as well as agreements under which the PD owner/subject will be a beneficiary or a guarantor;
4.1.5. the University's Charter and bylaws that establish the requirements for PD processing if such processing does not contravene the requirements of PD legislation and these Regulations, including for publication or mandatory disclosure of personal data in accordance with current legislation. The relevant versions of the University Charter and bylaws may be posted online on HSE University's website at the following address: https://www.hse.ru/docs/index.html.
5. Participants in the System for Managing the Personal Data Processing and Protection Process
5.1. For the purpose of ensuring effective management over the organisation of the personal data processing and protection process, as well as the performance of obligations under Russian Federation law for personal data operators, the key participants within the University in this management system and their specific functions have been determined.
5.2. The HSE University Rector:
5.2.1. determines, reviews and approves these Regulations;
5.2.2. designates the University corporate officer responsible for organising personal data processing and protection procedures at HSE University.
5.3. The University corporate officer responsible for organising personal data processing procedures at HSE University:
5.3.1. manages the process of organising personal data processing and protection procedures at the University in accordance with the requirements of Russian Federation law, these Regulations and other HSE University bylaws pertaining to the processing and protection of personal data;
5.3.2. initiates the drafting and updating of HSE University bylaws pertaining to the processing and protection of personal data;
5.3.3. provides for the development and organisation of the application of legal, organisational and technical measures for the protection of personal data from unauthorised, illegal or accidental access to it, the destruction, alteration, blocking, copying, provision or submission, and distribution of personal data, as well as other unauthorised or illegal actions with respect to personal data;
5.3.4. provides for and evaluates the effectiveness of measures taken for ensuring the safekeeping and security of personal data;
5.3.5. organises the creation of University-wide databases of procedures for processing personal data (hereinafter, the "Register of PD Processing Procedures") and essential digital tools for supporting the system for managing PD processing procedures;
5.3.6. provides methodological support for the personal data processing procedures registered in the Register of PD Processing Procedures with respect to developing rules, requirements and recommendations for carrying out procedures for the gathering, processing and protection of personal data;
5.3.7. organises monitoring of compliance with the provisions of Russian Federation law and HSE University bylaws of the personal data processing carried out as part of the University's procedures registered in the HSE University Register of PD Processing Procedures;
5.3.8. organises monitoring of compliance by the University's corporate officers delegated to carry out personal data processing with the requirements stipulated by the Personal Data Law, as well as with the terms of concluded agreements;
5.3.9. manages interactions with the relevant regulatory agency or agencies, and other competent authorities (e.g., state agencies, state institutions, state extra-budgetary funds, and municipal agencies), on questions pertaining to the processing and protection of personal data at HSE University, including responding to queries and requests from such agencies;
5.3.10. ensures that the relevant regulatory agency is (agencies are) properly notified of changes in information on PD processing, as well as HSE University's intention to make cross-border transfers of PD for the purpose of ensuring that the rights of the relevant PD owners/subjects are protected;
5.3.11. notifies the relevant regulatory agency (agencies) concerning any of the circumstances provided for under the Personal Data Law in cases where it is established that instances occurred of the illegal, unauthorised or accidental transfer (e.g., submission, distribution, granting of access) of personal data that resulted in a violation of the relevant PD owner/subject's rights;
5.3.12. provides analytical and consulting support for the activities of individuals designated as being responsible for personal data processing procedures within specific HSE University subdivisions;
5.3.13. performs internal monitoring over the compliance of HSE University and its employees with Russian Federation PD legislation, including personal data protection requirements;
5.3.14. makes HSE University employees aware of the provisions of Russian Federation PD legislation and University bylaws concerning personal data processing issues, including personal data protection requirements;
5.3.15. organises and oversees the receipt, handling and processing of requests and inquiries by PD owners/subjects or their representatives;
5.3.16. organises and conducts an evaluation of the potential damage that PD owners/subjects may incur should the University violate the requirements of Russian Federation law, and the correlation between the relevant damage and the measures taken by the University for ensuring the fulfilment of its obligations under the Personal Data Law.
5.4. The HSE University first vice rectors and vice rectors, whom the Rector has duly authorised to exercise coordinating oversight over the respective activities and focus areas in University operations in accordance with the established procedure at the University, shall:
5.4.1. organise the implementation of the rules enshrined in these Regulations for the respective focus areas of University operations under their coordinating oversight and by the respective University subdivisions under their purview;
5.4.2. designate individuals responsible for organising personal data processing procedures in the respective University subdivisions under their purview.
5.5. The University corporate officers responsible for personal data processing procedures within HSE University subdivisions shall carry out the management of personal data processing procedures in the University subdivisions under their respective purviews and shall monitor compliance with the requirements of these Regulations and HSE University bylaws on issues pertaining to the processing and protection of personal data within the framework of the personal data processing procedures registered in the HSE University Register of PD Processing Procedures.
5.6. The functions of such University corporate officers responsible for personal data processing procedures within HSE University subdivisions shall encompass the following:
5.6.1. identifying personal data processing procedures within the framework of the respective University subdivision's functional processes (or changes in its current functional processes that have a significant impact on the parameters and features of the personal data processing procedures);
5.6.2. organising the submission of information about the PD processing procedures carried out within the respective University subdivisions for entry in the HSE University Register of PD Processing Procedures;
5.6.3. organising the introduction and implementation of the requirements of HSE University bylaws on issues pertaining to the processing and protection of personal data within the functional processes of the respective subdivision within the framework of which personal data processing procedures are carried out;
5.6.4. organising measures to familiarise the owners of functional processes and the employees of subdivisions with the provisions of PD legislation, these Regulations and other HSE University bylaws on issues pertaining to the processing and protection of personal data;
5.6.5. exercising oversight and monitoring of the receipt, handling and processing of requests and inquiries by PD owners/subjects or their representatives, who are duly authorised to represent the interests of the relevant PD owners/subjects, on issues pertaining to the processing of the personal data of such PD owners/subjects;
5.6.6. interacting with PD owners/subjects as regards responses to requests and inquiries.
5.7. The University corporate officer responsible for organising personal data processing procedures within the given University subdivision under their purview shall be entitled, when carrying out the functions assigned to them, to issue instructions and assign tasks with respect to issues pertaining to the processing and protection of personal data, in accordance with the procedure stipulated by the relevant HSE University bylaws, to those employees of the given University subdivision who are engaged in personal data processing and/or who have access to personal data. The implementation of such instructions and tasks is mandatory for the employees of the given HSE University subdivision.
5.8. The owners of the given University subdivision's functional processes shall provide for the development and functioning of the processes and information systems to be used in the relevant work and which will be utilised in processing the personal data, in accordance with the provisions of Russian law and HSE University bylaws on issues pertaining to the processing and protection of personal data.
5.9. The HSE University Office for Legal Affairs shall:
5.9.1. carry out monitoring of legislation and keep all relevant stakeholder HSE University subdivisions informed upon the latter's request about information on changes and amendments in legal and regulatory standards governing questions pertaining to PD processing and protection;
5.9.2. ensure the legal protection of HSE University's interests when considering administrative affairs, as well as in civil law, employment-related and other legal disputes concerning issues pertaining to the processing and protection of personal data;
5.9.3. identify risks inherent in the PD processing procedures, including those registered in the HSE University Register of PD Processing Procedures.
6. Organising the Management of Personal Data Processing
6.1. In processing personal data, the University shall be guided by the principles established by the provisions of Russian Federation law, these Regulations and other HSE University bylaws, as well as the procedural requirements for the terms for processing personal data.
6.2. Gathering (obtaining) and further actions (procedures) involving the processing of personal data are carried out in compliance with the rights and legal interests of PD owners/subjects within the framework of approved processes and/or HSE University bylaws, which determine, in particular:
6.2.1. the legal grounds (terms) and sources for the gathering (obtaining) of personal data;
6.2.2. the purposes of the processing of personal data, the categories and list of the personal data being processed, and the categories of personal data owners/subjects;
6.2.3. the timeframes for processing and storing personal data;
6.2.4. the obligations of the owners of functional processes in the respective University subdivision, and the stages/procedures (actions) and methods of processing personal data;
6.2.5. the procedure for granting HSE University employees access to personal data and for processing such data;
6.2.6. the procedure for transferring personal data to third parties/HSE University contractors/other parties (including, if applicable, state agencies and/or state institutions, state extra-budgetary funds, and municipal agencies), and the procedure for distributing personal data with respect to an undetermined set of persons;
6.2.7. the procedure for refining (updating, amending) personal data;
6.2.8. the procedure for archiving personal data;
6.2.9. the procedure for suspending processing and for destroying personal data or ensuring the destruction of such data, if the processing of personal data is being carried out by another party, acting on the instructions of HSE University.
6.3. Within the University, a list is compiled of the individuals engaged in carrying out personal data processing. Access to personal data being processed is granted only to those University employees who have a need for such access in order for them to carry out specific functions as part of performing their job responsibilities. The formal job descriptions of University employees and/or employment agreements, including, if applicable, addenda to employment agreements, stipulate the obligation to ensure the confidentiality and security of personal data and liability measures for non-compliance with these obligations. Prior to the beginning of personal data processing, University employees, whose employment functions and duties include carrying out PD processing, must familiarise themselves, with signed acknowledgement, with the provisions of PD legislation, including with the requirements for protecting personal data, as well as with the requirements of HSE University bylaws governing issues pertaining to the processing and protection of personal data.
6.4. With respect to the processing of the personal data of HSE University employees, the University shall be guided, among other documents, by the requirements of the Labour Code of the Russian Federation.
6.5. When processing personal data, the University shall provide for the timely refinement (updating, amending) of the personal data of PD owners/subjects, which is carried out, in particular, if it is confirmed that a set of personal data contains inaccuracies or discrepancies on the basis of:
6.5.1. a relevant request submitted to the University by a PD owner/subject, or their representative (duly authorised to represent the interests of the given PD owner/subject), or by a regulatory agency, with documents attached confirming the existence of inaccuracies or changes in the relevant set of personal data;
6.5.2. the determination by the University of the existence of discrepancies between the previously obtained personal data of a PD owner/subject and the personal data submitted by the given PD owner/subject, or their representative (duly authorised to represent the interests of the given PD owner/subject), or by a regulatory agency, together with attached confirmation documents.
6.6. The receipt by the University of personal data from a third party/contractor/other parties (if applicable) and/or the transfer (submission, granting of access to) of personal data to a third party/contractor/other party (if applicable), as well as the issuing of instructions to a third party/contractor/other party (if applicable) mandating the processing of personal data, are permitted with the consent of the relevant PD owner/subject to the processing of their personal data, including consent given to the third party/contractor, or given the existence of other grounds as provided for by Russian Federation law. The receipt by the University of personal data from a third party/contractor/other party (if applicable) and/or the transfer (submission, granting of access to) of personal data to a third party/contractor/other party (if applicable), as well as the issuing of instructions to a third party/contractor/other party (if applicable) mandating the processing of personal data, are performed on the basis of a relevant agreement with the given third party/contractor/other party (if applicable), including the terms of PD processing, the requirements for ensuring the confidentiality and security of the personal data during its processing, and other relevant requirements in accordance with the Personal Data Law.
6.7. The transfer of personal data to state agencies and institutions, municipal agencies, and state extra-budgetary funds, as well as the receipt of personal data from state agencies and institutions, municipal agencies, and state extra-budgetary funds are permitted without the consent of the relevant PD owner/subject to the processing of their personal data in accordance with the procedure and in those cases provided for by Russian Federation law.
6.8. The cross-border transfer of personal data is carried out with due regard for the conditions and restrictions stipulated by the Personal Data Law. Before the commencement of a cross-border transfer of personal data, an evaluation is conducted of the measures to be applied to the third party/other party (if applicable), to which the given cross-border transfer of personal data will be made, for the purpose of ensuring the confidentiality and security of the relevant personal data. The procedure for conducting such an evaluation is established by HSE University bylaws. The University must notify the relevant regulatory agency concerning any planned cross-border transfer of personal data in accordance with the procedure stipulated by Russian Federation law and HSE University bylaws.
6.9. The processing of personal data is terminated upon the attainment of the purposes of such processing, as well as upon expiration of the timeframe provided for under Russian Federation law, the relevant agreement, or the PD owner/subject's consent to the processing of their personal data. If the PD owner/subject withdraws or revokes their consent to the processing of their personal data and/or requests that the processing of their personal data be terminated, the University shall be entitled to continue to process the personal data without the consent of the PD owner/subject if grounds for doing so (PD processing terms and conditions) provided under the Personal Data Law exist.
6.10. If the University lacks legal grounds for processing personal data (PD processing terms and conditions), the University shall, in accordance with the procedure stipulated by the Personal Data Law, carry out the destruction of the personal data or ensure its destruction (if the PD processing is being carried out by a party that is acting on the instructions of the University) in accordance with the procedure stipulated by p. 3.10 of these Regulations.
7. The Procedure for Considering Requests and/or Inquiries Submitted by Personal Data Owners or Subjects
7.1. The receipt, handling and processing of requests submitted by PD owners/subjects, as well as monitoring of the performance of such receipt, handling and processing, will be carried out for the purposes of upholding the rights and legal interests of PD owners and subjects, complying with the required timeframes for processing requests and inquiries by PD owners/subjects, ensuring the quality and completeness of measures taken with respect to the legitimate requests of a PD owner/subject, and providing the necessary information in response to such a request and/or inquiry.
7.2. When considering requests and/or inquiries from the owners or subjects of personal data, the University shall be guided by the provisions of Russian Federation law, according to which a request and/or inquiry submitted by a PD owner/subject must contain the information stipulated by the Personal Data Law.
7.3. The University will provide information and/or take other measures in connection with the receipt of requests and/or inquiries from PD owners/subjects within the scope and timeframes stipulated by Russian Federation law. The timeframe established by Russian Federation law for responding to a PD owner/subject's request and/or inquiry for the provision of information concerning the processing of their personal data may be extended on the basis of the restrictions established under the Personal Data Law, with a notification sent to the relevant PD owner/subject providing substantiated reasons for the extension of the timeframe for providing the requested information.
7.4. The University, upon receipt of a request and/or inquiry from an owner or subject of personal data and having confirmed its legitimacy, will provide the given PD owner/subject, and/or their representative duly authorised to represent the interests of the PD owner/subject, with the information indicated in the relevant request/inquiry in the form in which the relevant request/inquiry was initially submitted, unless indicated otherwise in the relevant request/inquiry, and/or will take other measures depending on the specific circumstances (particular features) of the given request and/or inquiry. The information provided by the University may not contain any personal data belonging to any other PD owners/subjects, with the exception of cases where legal grounds exist for disclosing such personal data.
7.5. The University is entitled to decline to satisfy the demands or fulfil the requests of the PD owner/subject, as indicated in the latter's request and/or inquiry, by means of sending a substantiated refusal to the PD owner/subject, or their representative, if the University has, under Russian Federation law, legal grounds to refuse to fulfil/satisfy the received requests or demands.
8. Measures for Ensuring the Confidentiality and Security of Personal Data
8.1. The University shall take the necessary legal, organisational and technical measures, in accordance with the Personal Data Law, to ensure the confidentiality and security of the personal data of the owners or subjects of personal data, and to protect such personal data from the illegal, unauthorised or accidental access to it, destruction, alteration, blocking, copying, provision or submission, or distribution of such personal data, as well as other unauthorised or illegal actions with respect to personal data, or shall ensure that such measures are taken (if the personal data processing is being carried out by a party acting on the instructions of HSE University). In particular, the following measures will be taken:
8.1.1. the relevant threats to the security of personal data being processed in the PDIS will be defined, and the organisational and technical protective measures required for the established level of secure protection of personal data will be taken;
8.1.2. in order to neutralise the relevant threats to the security of personal data, information security tools will be applied that are commensurate to the required level of secure personal data protection and that have undergone an assessment of such tools' compliance in accordance with the established procedure;
8.1.3. an efficiency assessment or audit will be conducted of the effectiveness of the applied/implemented data protection measures and of the personal data security thereby provided, including before the commissioning or launch of the relevant information systems (the efficiency assessment or audit may be conducted independently and/or by contracting with legal entities duly licensed to engage in providing technical protection solutions for confidential information);
8.1.4. a pass control system will be set up for managing access to personal data and the technical means utilised in processing personal data, as well as access to information protection tools, and information system operating infrastructure (hardware and software), as well as a pass control system for managing access to the premises and facilities where such equipment and tools are installed and physically housed;
8.1.5. all actions carried out with personal data in the PDIS will be duly registered and logged;
8.1.6. an equipment log will be established for registering all technical equipment and tools comprising the PDIS, as well as machine-based media;
8.1.7. a list will be compiled, and updated when necessary, of HSE University employees who, for carrying out their job responsibilities, require access to the personal data that is processed in the PDIS, and access to personal data being processed will be given to those HSE University employees who require such access in connection with carrying out their respective job duties;
8.1.8. all security-related events pertaining to changes in access rights to personal data will be automatically registered;
8.1.9. PDIS auditing subsystems will be implemented, which will be used to register and log all actions carried out with personal data;
8.1.10. access to the contents of security events will be granted only to a limited group of people, and, in particular, the University's PDIS will be installed and housed within a protected perimeter located within a monitored access area;
8.1.11. measures will be implemented for warning about and detecting instances of unauthorised access to personal data, and relevant measures will be taken, including for the detection, prevention and elimination of the consequences of computer attacks on the PDIS and for responding to computer incidents in the PDIS;
8.1.12. measures will be taken to recover personal data that was modified, altered or destroyed as a result of unauthorised access to it;
8.1.13. approved and authorised software and/or its components will be used, and the installation and upgrading of such software will be subject to monitoring and control;
8.1.14. all system incidents and the responses to them will be detected and identified, and measures will be taken to eliminate such identified incidents should they arise;
8.1.15. cooperative interactions will be conducted in the necessary scope with the State System for the Detection, Prevention and Elimination of the Consequences of Computer Attacks on the Information Resources of the Russian Federation (GosSOPKA);
8.1.16. external and internal instrumental monitoring and verification will be conducted of the level of protection of the information infrastructure systems components for the presence of weaknesses and vulnerabilities;
8.1.17. approved and authorised software and/or its components will be used, and the installation and upgrading of such software will be subject to monitoring and control;
8.1.18. monitoring and control will be exercised over the measures taken for ensuring the security of the personal data and the level of security of the PDIS.
8.2. In addition, an evaluation will be conducted of the potential damage that PD owners/subjects may incur in case of violations of the Personal Data Law, and the correlation between the relevant damage and the measures taken for ensuring the fulfilment of obligations under the Personal Data Law.
9. The Rights and Obligations of the University, and the Rights of a Personal Data Owner or Subject
9.1. The University is obligated to:
9.1.1. comply with the requirements of Russian Federation law when processing personal data as regards the processing and protection of personal data, including requirements stipulated for the gathering of personal data;
9.1.2. provide for, when gathering personal data, including through the Internet, the recording, systematisation, accumulation, storing, refining (updating, amending), and extraction of the personal data of PD owners/subjects (Russian Federation citizens) by using databases physically located within the Russian Federation, with the exception of those cases provided for under Russian Federation law;
9.1.3. when gathering personal data through data telecommunications networks, publish a document in the relevant data telecommunications network, including on those webpages of the University's Internet website that are used to gather personal data, which sets forth the University's policy on personal data processing and contains information on implemented personal data protection requirements, as well as provide opportunities to access this document via the relevant data telecommunications network;
9.1.4. if the provision of personal data and/or consent to its processing is mandatory under the requirements of Russian Federation law and the relevant PD owner/subject refuses to provide their personal data and/or give their consent to its processing, give a clear explanation of the legal consequences of the failure to provide personal data and/or consent to its processing;
9.1.5. if personal data is obtained from a source other than the relevant PD owner/subject, before processing the given set of personal data, provide the PD owner/subject with the information stipulated under the Personal Data Law, with due regard for the exceptions provided for under Russian Federation law;
9.1.6. fulfil the obligations stipulated for personal data operators upon the receipt of requests and/or inquiries on personal data-related questions from the relevant PD owner/subject and/or their representative (duly authorised to represent the interests of the given PD owner/subject), and/or from a regulatory agency;
9.1.7. take measures for ensuring compliance with the requirements of the Personal Data Law;
9.1.8. take measures for ensuring the security of personal data during its processing;
9.1.9. fulfil obligations for the elimination of violations of Russian Federation law if such violations were committed during the processing of personal data, as well as fulfil obligations for the refining, blocking and destruction of personal data in those cases stipulated by Russian Federation law;
9.1.10. fulfil the obligations stipulated by the Personal Data Law for personal data operators in case of the receipt of a demand from a PD owner/subject to terminate the processing of their personal data and/or the revocation of their consent to the processing of their personal data;
9.1.11. cooperate with the relevant regulatory agency on issues pertaining to the processing and protection of personal data in those cases stipulated by the Personal Data Law;
9.1.12. fulfil other obligations stipulated by Russian Federation law.
9.2. The University is entitled to:
9.2.1. process the personal data of PD owners/subjects in the absence of consent to such PD processing in those cases provided for under the Personal Data Law;
9.2.2. perform the transfer of the personal data of PD owners/subjects to third parties/contractors, state and municipal agencies, state institutions, and state extra-budgetary funds, or other parties (if applicable), as well as to delegate the processing of the personal data of the relevant PD owners/subjects to third parties/contractors or other parties engaged for such processing given the existence of appropriate legal grounds and compliance with the requirements of the Personal Data Law;
9.2.3. decline to provide the personal data owner/subject with information on the processing of their personal data in those cases stipulated under the Personal Data Law;
9.2.4. independently determine the composition and list of measures necessary and sufficient for ensuring compliance with the obligations mandated by the Personal Data Law and the laws and regulations adopted in accordance with it, unless otherwise stipulated by Russian Federation law;
9.2.5. independently, and with due regard for the requirements of the Personal Data Law, determine the list of the legal, organisational and technical measures necessary for protecting personal data from unauthorised, illegal or accidental access to it, the destruction, alteration, blocking, copying, provision or submission, and distribution of personal data, as well as other unauthorised or illegal actions with respect to personal data, on the basis of an evaluation of the relevant threats to the security of personal data, as well as determine the procedure for implementing the indicated measures and conducting an evaluation of the effectiveness of the measures taken;
9.2.6. exercise other rights provided for under Russian Federation law.
9.3. The owner/subject of personal data is entitled to:
9.3.1. freely give consent, by their own volition and in their own interest, to the processing of their personal data, with due regard for the requirements of the Personal Data Law, and to the format and content of consents to PD processing;
9.3.2. send requests and/or inquiries, including repeat requests and/or inquiries, and receive information on questions pertaining to the processing of the personal data belonging to the PD owner/subject, in accordance with the procedure, format, scope and timeframes established by Russian Federation law;
9.3.3. require that the University refine their personal data, as well as its blocking or destruction, if such personal data is incomplete, outdated, inaccurate, was obtained illegally, or is not necessary for the stated processing purpose, as well as to take the measures stipulated under Russian Federation law for protecting their rights, with due regard for the exceptions allowed under the Personal Data Law;
9.3.4. require that the University terminate the processing of their personal data, as well as withdraw or revoke their previously provided consent to the processing of their personal data;
9.3.5. exercise other rights provided for under Russian Federation law.
Annex 1 to the Regulations on the Processing of Personal Data at National Research University Higher School of Economics
The list of personal data processing purposes and corresponding categories and the list of personal data being processed, and the categories of PD owners/subjects whose personal data is being processed, as well as the processing methods and timeframes, means of storing the personal data, and the procedure for destroying it
1. The purpose of personal data processing is: "Carrying out admissions procedures for studying under educational programmes offered by the University"
The purpose of personal data processing covers processes and measures for conducting competitive selections for state-funded places, subsidised by allocations from the federal budget and/or the budget of a constituent region of the Russian Federation, in educational programmes offered by the University, as well as for concluding agreements for paid educational services with individuals intending to study on a fee-paying basis.
The purpose of personal data processing is deemed to have been attained when the given individual either enrols or opts not to enrol in an educational programme.
1.1. The following personal data is subject to processing for prospective students/applicants:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); data from identification documents (data from a passport and other documents categorised as identification documents by Russian law); age; date of birth; place of birth; city of residence; address (depending on the process and/or product, or service(s), including registration address at place of residence/place of stay; actual [de facto] residential address; delivery address; work address); citizenship; sex; information on educational attainments, individual insurance account number (known in Russian as "SNILS") (if applicable); migration card data (if applicable); data on the existence of individual accomplishments, data on the results from taking the Unified State Examination (for citizens of the Republic of Belarus: centralised testing and/or centralised examination), or entrance examinations.
The "special categories of personal data" category includes: information on disabilities; and information on health status.
The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
1.2. The following personal data is subject to processing for the legal representatives of prospective students/applicants and the customers of educational services intended for prospective students/applicants:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); data from identification documents (data from a passport and other documents categorised as identification documents by Russian law); data on the grounds for legal representation with respect to a prospective student/applicant, city of residence; address (depending on the process and/or product, or service(s), including registration address at place of residence/place of stay; actual [de facto] residential address; delivery address; work address); citizenship; sex; information on educational attainments, individual insurance account number (known in Russian as "SNILS") (if applicable); migration card data (if applicable); and data on olympiads, or academic competitions, in which the relevant prospective student/applicant was awarded a prize or held an award-winning place.
The "special categories of personal data" category includes: information on health status.
No items under the "biometric personal data" category are processed.
1.3. The applied methods of processing personal data include: automated processing and non-automated processing.
1.4. Personal data processing and data retention periods are in accordance with p. 3.8 of the Regulations.
1.5. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
2. The purpose of personal data processing is: "Providing educational services to individuals studying under educational programmes offered by the University."
The purpose of personal data processing covers processes for engaging in studies under degree programmes and continuing education programmes, including processes for the provision of housing in dormitories provided by the University.
The purpose of personal data processing is deemed to have been attained upon the expiration of the legally established data retention period for storing a student's personal file, or the dismissal/expulsion of the student given the absence of specific data retention time requirements for storing the student's personal file.
2.1. The following personal data is subject to processing for students:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; contact information (personal [or corporate] email address; home [and/or mobile] telephone number); data from identification documents (data from a passport and other documents categorised as identification documents by Russian law); information on a name change (if applicable); age; date of birth; place of birth; city of residence; address (depending on the process and/or product, or service(s), including registration address at place of residence/place of stay; actual [de facto] residential address; delivery address; work address); citizenship; sex; information on educational attainments at all levels, individual insurance account number ([known in Russian as] "SNILS") (if applicable); taxpayer identification number (TIN) ([known in Russian as] "INN"); migration card data (if applicable); data on the results from taking the Unified State Examination (if applicable), data on courses taken, as well as on academic performance, data on applications or requests submitted during the period of study, data on practical training [internship] elements undergone, data on changes in enrolment (transfer, exceptional leave of absence, maternity leave, childcare and parental leave, expulsion or dismissal), data on the application of disciplinary measures (if applicable), documents confirming the existence of distinctive achievements in academic, scientific research, community service (including volunteer and patriotic), cultural, creative and sports activities (if applicable), documents confirming a student's status as an orphaned child, a child without parental care, individuals from among orphaned children and children without parental care, or individuals who lost both parents or their only parent (if applicable) during their periods of study, documents confirming the receipt of state social assistance (if applicable), documents confirming status as a person with a disability resulting from a military injury or a medical condition acquired during the period of military service, and the status of a war veteran (if applicable), documents confirming an individual's status as a person exposed to radiation as a result of the disaster at the Chernobyl Nuclear Power Plant and other radiological accidents, or resulting from nuclear weapons testing at the Semipalatinsk proving grounds (if applicable), documents certifying the individual as the winner of the annual competition for the awarding of the Golden HSE Award in the Silver Nestling category (if applicable), documents confirming that an individual was the winner of or a prize recipient in olympiad academic competitions, other competitions, and tests or examinations, as well as documents confirming other grounds for granting discounts, documents on the provision of subsidised rent for housing and utilities payments (if applicable), documents verifying the income for the past six months of a student's parents/legal representatives (if applicable), students' marriage certificates (if applicable), documents verifying the income for the past six months of a student's spouse (if applicable), birth certificate(s) of a student's child (children) (if applicable), a document from the public employment service that they are registered with the employment service (if applicable), data on the parents' pensioner ID cards (if applicable), data from the certificate of a family with many children (if applicable), death certificate of a parent (if applicable), data from a document for a single mother/father (if applicable), document confirming the fact of medical treatment, the occurrence of an accident causing injuries, and the incurring of related material expenses (if applicable), documents issued by state and local government agencies, as well as relevant state institutions, confirming the loss of or damage to personal property, as well as documents confirming the existence of related material expenses (if applicable), documents confirming the appointment of a legal guardian for minor children without parental care, or copies of other documents confirming the absence of parents or of the existing parents' inability to raise their own children, documents confirming the student's right to transfer from fee-based education to free education, a certificate from the child protection (guardianship) authority for the place of residence of the minor child under the care of a guardian, or of the storage of the personal file of the child under the care of a guardian who has reached the age of 18 years old, containing the requisite details of documents attesting to the circumstances of the loss (absence of) parental care (or the care of a single parent) (if applicable), a court ruling recognising a mother (father) to be deceased (if applicable), a birth certificate confirming that the information about a child's father has been duly entered and recorded in the official registry of births based on an affidavit filed by the mother, tickets for travel by rail, air, sea, water [river], or auto transport (if applicable), and information on the provision of stipends and compensation under full state support to students upon graduation.
The "special categories of personal data" category includes: documents confirming a disability, including certificates on the disabilities of parents, a spouse, and adult brothers and sisters (if applicable), as well as an individual rehabilitation and habilitation programme, and health status information.
The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
2.2. The following personal data is subject to processing for the legal representatives of students and the customers of educational services intended for students:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); data from identification documents (data from a passport and other documents categorised as identification documents by Russian law); data on the grounds for legal representation with respect to a student, city of residence; address (depending on the process and/or product, or service(s), including registration address at place of residence/place of stay; actual [de facto] residential address; delivery address; work address); citizenship; sex; information on educational attainments, individual insurance account number ([known in Russian as] "SNILS") (if applicable); and migration card data (if applicable).
The "special categories of personal data" category includes: information on the disabilities of family members.
No items under the "biometric personal data" category are processed.
2.3. The applied methods of processing personal data include: automated processing and non-automated processing.
2.4. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
2.5. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
3. The purpose of personal data processing is: "Holding olympiad academic competitions and working with gifted youth."
The purpose of personal data processing covers processes for the organisation of olympiad academic competitions and other competitive events, as well as the gathering of data on studying at general educational and specialised secondary general educational institutions for the purposes of identifying and providing preferential study conditions for gifted youth.
The purpose of personal data processing is deemed to have been attained upon the enrolment of the prospective student/applicant in a degree programme offered by the University or the completion of studies by the student.
3.1. The following personal data is subject to processing for prospective students/applicants:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); age; date of birth; city of residence; sex; and information on educational attainments.
The "special categories of personal data" category includes: information on health status.
The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
3.2. The following personal data is subject to processing for the legal representatives of prospective students/applicants, students, and participants in olympiad academic competitions:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); and data on the grounds for legal representation (for minors).
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
3.3. The following personal data is subject to processing for students:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); age; date of birth; city of residence; sex; and information on educational attainments.
The "special categories of personal data" category includes: information on health status.
No items under the "biometric personal data" category are processed.
3.4. The following personal data is subject to processing for participants in olympiad academic competitions and other educational events:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); age; date of birth; city of residence; sex; and information on educational attainments.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
3.5. The applied methods of processing personal data include automated processing only.
3.6. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
3.7. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
4. The purpose of personal data processing is: "Organising an association or network of University graduates/alumni."
The purpose of personal data processing covers processes aimed at organising events and the work of referral services oriented toward individuals who have studied at the University, as well as the promotion of the alumni association/network within the framework of the University's work with contractors and potential employers.
4.1. The following personal data is subject to processing for graduates/alumni:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); age; date of birth; city of residence; sex; information on educational attainments, information on employment and the focus areas of professional activities, and information on hobbies and personal preferences.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
4.2. The applied methods of processing personal data include automated processing only.
4.3. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
4.4. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
5. The purpose of personal data processing is: "Recruiting and selecting candidates for concluding employment agreements with the University."
The purpose of personal data processing covers processes for selecting and assessing candidates for employment at the University.
The purpose of personal data processing is deemed to have been attained upon the conclusion of an employment agreement with a candidate, or the rejection of a given candidate as ineligible to conclude an employment agreement, based on the results of an assessment of the given candidate's suitability for the relevant vacant position.
5.1. The following personal data is subject to processing for candidates/individuals seeking to conclude an employment agreement with the University:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; contact information (email address; telephone number); date of birth; age; address (including registration address at place of residence/place of stay; actual [de facto] residential address); citizenship; information on employment, including about the place of employment, employment and teaching years of service; profession; information on education (including qualifications, academic degree/title, educational institution, year of study, concentration/field of study); sex; information on whether the individual holds a driver's license and its category; information on entrepreneurial activity and participation in the charter [equity] capital of corporate entities; the results of professional testing and testing of other business capabilities and qualities; and the results of testing and an interview.
The "special categories of personal data" category includes: information on any existing disabilities.
No items under the "biometric personal data" category are processed.
5.2. The applied methods of processing personal data include: automated processing and non-automated processing.
5.3. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
5.4. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
6. The purpose of personal data processing is: "Organising and regulating employment relations and other directly related relations."
The purpose of personal data processing covers hiring and employment processes and the performance of employment functions, as well as all relations directly pertaining thereto.
The purpose of personal data processing is deemed to have been attained upon the expiration of the legally established data retention period for storing the employee's personal file.
6.1. The following personal data is subject to processing for employees:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; address (including registration address at place of residence/place of stay; actual [de facto] residential address); contact information (email address; telephone number); date of birth/age; city of residence; citizenship/residency; data from identification documents (documents categorised as identification documents by Russian law); information on changes in a previously issued identification document, including a change in the requisite details; migration card data (if applicable); data on tax deductions; place of birth; data on death certificate; audio or video recordings, including those made for the purposes of securing the University's facilities/campus; taxpayer identification number (TIN) ([known in Russian as] "INN"); information on the individual’s income; place of birth; information on employment, including about the place of employment, years of service and employment activity; profession; information on education (including qualifications, academic degree/title, educational institution, year of study, concentration); sample signature; sex; information on tax status; individual insurance account number ([known in Russian as] "SNILS") (if applicable); information on marital status; information on children (including the child's birth certificate); information from the individual's marriage certificate; information on judicial enforcement orders/court orders, including information on alimony payments; driver's license information; information on social and other benefits; military conscription status; information contained in military registration documents; level of proficiency in foreign languages; information from the SKUD controlled access system obtained while the individual was performing their employment duties; data on categories for bonus payments; ratios and amounts of bonus payments; salary information; information on achievements; and information on awards and incentives.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
6.2. The following personal data is subject to processing for former employees:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; address (registration address at place of residence/place of stay; actual [de facto] residential address); contact information (email address; telephone number); date of birth/age; city of residence; citizenship/residency; data from identification documents (documents categorised as identification documents by Russian law); information on changes in a previously issued identification document, including a change in the requisite details; migration card data (if applicable); data on tax deductions; place of birth; data on death certificate; audio or video recordings, including those made for the purposes of securing the University's facilities/campus; taxpayer identification number (TIN) ([known in Russian as] "INN"); information on the individual’s income; place of birth; information on employment, including about the place of employment, years of service and employment activity; profession; information on education (including qualifications, academic degree/title, educational institution, year of study, concentration); sample signature; sex; information on tax status; individual insurance account number ([known in Russian as] "SNILS"); information on marital status; information on children (including the child's birth certificate); information from the individual's marriage certificate; information on judicial enforcement orders/court orders, including information on alimony payments; driver's license information; information on social and other benefits; military conscription status; information contained in military registration documents; level of proficiency in foreign languages; information from the University's controlled access system obtained while the individual was performing their employment duties; data on categories for bonus payments; ratios and amounts of bonus payments; salary information; information on achievements; and information on awards and incentives.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
6.3. The following personal data is subject to processing for employees' close relatives:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); date of birth/age; city of residence; and family relationship.
The "special categories of personal data" category includes: information on health status.
No items under the "biometric personal data" category are processed.
6.4. The applied methods of processing personal data include: automated processing and non-automated processing.
6.5. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
6.6. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
7. The purpose of personal data processing is: "Organising access to the University's campus and buildings."
The purpose of personal data processing covers processes involving the receipt of passes for accessing the University's campus and buildings by individuals with no employment or civil law/contractual relationship with the University.
The purpose of personal data processing is deemed to have been attained upon the expiration of the data retention period for storing information on visits to the University campus and buildings, as established by HSE University bylaws.
7.1. The following personal data is subject to processing for individuals with no permanent pass who are initiating required procedures for visiting the University campus or buildings:
The "other personal data" category includes: surname; name; patronymic [if applicable], and contact information (email address; telephone number).
No items under the "special categories of personal data" category are processed.
The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
7.2. The applied methods of processing personal data include: automated processing and non-automated processing.
7.3. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
7.4. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
8. The purpose of personal data processing is: "Implementing corporate governance procedures."
The purpose of personal data processing covers processes and procedures pertaining to the activities of the HSE University Academic Council and other collective governing bodies of the University, as well as relations pertaining to membership in such bodies.
The purpose of personal data processing is deemed to have been attained upon the expiration of the data retention period established by current Russian law and University bylaws for storing information on the members of collective governing bodies, or the rejection of candidates for such membership.
8.1. The following personal data is subject to processing for candidates for membership in the University's collective governing bodies:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; information on education; information on employment, including information on profession, place of employment, and position; information on marital status; information on expenses; information on income; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
8.2. The following personal data is subject to processing for members of the University's collective governing bodies:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment, and position; information on marital status; information on expenses; information on income; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
8.3. The following personal data is subject to processing for former members of the University's collective governing bodies:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment, and position; information on marital status; information on expenses; information on income; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
8.4. The following personal data is subject to processing for close relatives of members of the University's collective governing bodies:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; family relationship; information on education; information on employment, including information on profession and position; information on marital status; information on expenses; information on income; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
8.5. The applied methods of processing personal data include: automated processing and non-automated processing.
8.6. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
8.7. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
9. The purpose of personal data processing is: "Concluding and performing independent contractor agreements for carrying out teaching services."
The purpose of personal data processing covers processes and procedures pertaining to the conclusion and performance of independent contractor agreements, under which individuals carry out teaching activities in accordance with educational programmes offered by the University, as well as procedures for building up a candidate pool for the University's teaching staff.
9.1. The following personal data is subject to processing for candidates seeking to conclude an independent contractor agreement with the University for carrying out teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; information on education; information on employment, including information on profession, place of employment and position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
9.2. The following personal data is subject to processing for individuals who have concluded an independent contractor agreement with the University for carrying out teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment, position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
9.3. The following personal data is subject to processing for individuals who previously concluded an independent contractor agreement with the University for carrying out teaching services and who have been included in the candidate pool for the University's teaching staff:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment, position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on existing representatives; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
9.4. The applied methods of processing personal data include: automated processing and non-automated processing.
9.5. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
9.6. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
10. The purpose of personal data processing is: "Ensuring cooperation with third parties regarding concluding and performing agreements not pertaining to providing educational services or carrying out teaching services."
The purpose of personal data processing covers processes and procedures for concluding and performing independent contractor agreements with individuals and legal entities within the scope of the University's operations.
10.1. The following personal data is subject to processing for individuals seeking to conclude an independent contractor agreement with the University not pertaining to providing educational services or obtaining teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; information on education; information on employment, including information on profession, place of employment and position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on the applicable tax regime; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: criminal record information.
No items under the "biometric personal data" category are processed.
10.2. The following personal data is subject to processing for individuals who have concluded an independent contractor agreement with the University not pertaining to providing educational services or obtaining teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment and position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on the applicable tax regime, information on income earned from the University; and information on changes in a previously issued identification document.
The "special categories of personal data" category includes: criminal record information.
No items under the "biometric personal data" category are processed.
10.3. The following personal data is subject to processing for individuals who previously concluded an independent contractor agreement with the University not pertaining to providing educational services or obtaining teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; address (including registration address at place of residence/place of stay; actual [de facto] residential address); date of birth; signature; information on education; information on employment, including information on profession, place of employment and position; information on marital status; information on awards and incentives; data from identification documents (documents categorised as identification documents by Russian law); information on legal competency unrelated to health status; information on the applicable tax regime, information on income earned from the University; and information on changes in a previously issued identification document.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
10.4. The following personal data is subject to processing for individuals who are representatives of individuals or legal entities that are concluding or have concluded an agreement with the University not pertaining to providing educational services or obtaining teaching services:
The "other personal data" category includes: surname; name; patronymic [if applicable]; position; contact information (email address; telephone number); place of employment; data on the document authorising the given individual to act as a representative; signature; information on legal competency unrelated to health status; and information on changes in a previously issued identification document.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
10.5. The applied methods of processing personal data include: automated processing and non-automated processing.
10.6. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
10.7. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
11. The purpose of personal data processing is: "Generating personalised offerings of the University's educational products."
The purpose of personal data processing covers processes for the gathering of data on the specific interests of those individuals who have expressed an interest in the products and services offered by the University.
11.1. The following personal data is subject to processing for individuals who have anonymously expressed interest in acquiring products and services from the University:
The "other personal data" category includes: data on visits to the University's corporate website; data on search queries on the corporate website; data on interactions with the University's advisory chat bots; and data on localisation of IP addresses.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
11.2. With respect to those registered in the University's MyHSE Services Account (SmartPoint) system at the following address: lk.hse.ru:
The "other personal data" category includes: surname; name; patronymic [if applicable]; date of birth; sex; data on interests and hobbies, as indicated by the individual; data on visits to webpages on the corporate website; data on search queries on the corporate website; data on interactions with the University's advisory chat bots; and data on localisation of IP addresses.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
11.3. The applied methods of processing personal data include: automated processing and non-automated processing.
11.4. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
11.5. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
12. The purpose of personal data processing is: "Ensuring access to social and medical services, the granting of benefits, material incentives and other incentives."
The purpose of personal data processing covers hiring and employment processes and the performance of employment functions, as well as all relations directly pertaining thereto.
The purpose of personal data processing is deemed to have been attained upon the expiration of the legally established data retention period for storing the employee's personal file.
12.1. The following personal data is subject to processing for employees:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; address (including registration address at place of residence/place of stay; actual [de facto] residential address); contact information (email address; telephone number); date of birth/age; city of residence; citizenship/residency; data from identification documents (documents categorised as identification documents by Russian law); information on changes in a previously issued identification document, including a change in the requisite details; migration card data (if applicable); data on tax deductions; place of birth; data on death certificate; audio or video recordings, including those made for the purposes of securing the University's facilities/campus; taxpayer identification number (TIN) ([known in Russian as] "INN"); information on the individual’s income; place of birth; information on employment, including about the place of employment, years of service and employment activity; profession; information on education (including qualifications, academic degree/title, educational institution, year of study, concentration); sample signature; sex; information on tax status; individual insurance account number ([known in Russian as] "SNILS") (if applicable); information on marital status; information on children (including the child's birth certificate); information from the individual's marriage certificate; information on judicial enforcement orders/court orders, including information on alimony payments; driver's license information; information on social and other benefits; military conscription status; information contained in military registration documents; level of proficiency in foreign languages; information from the SKUD controlled access system obtained while the individual was performing their employment duties; data on categories for bonus payments; ratios and amounts of bonus payments; salary information; information on achievements; and information on awards and incentives.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
12.2. The following personal data is subject to processing for former employees:
The "other personal data" category includes: surname; name; patronymic [if applicable]; photographic image; address (registration address at place of residence/place of stay; actual [de facto] residential address); contact information (email address; telephone number); date of birth/age; city of residence; citizenship/residency; data from identification documents (documents categorised as identification documents by Russian law); information on changes in a previously issued identification document, including a change in the requisite details; migration card data (if applicable); data on tax deductions; place of birth; data on death certificate; audio or video recordings, including those made for the purposes of securing the University's facilities/campus; taxpayer identification number (TIN) ([known in Russian as] "INN"); information on the individual’s income; place of birth; information on employment, including about the place of employment, years of service and employment activity; profession; information on education (including qualifications, academic degree/title, educational institution, year of study, concentration); sample signature; sex; information on tax status; individual insurance account number ([known in Russian as] "SNILS"); information on marital status; information on children (including the child's birth certificate); information from the individual's marriage certificate; information on judicial enforcement orders/court orders, including information on alimony payments; driver's license information; information on social and other benefits; military conscription status; information contained in military registration documents; level of proficiency in foreign languages; information from the University's controlled access system obtained while the individual was performing their employment duties; data on categories for bonus payments; ratios and amounts of bonus payments; salary information; information on achievements; and information on awards and incentives.
The "special categories of personal data" category includes: information on any existing disabilities; health status information; and criminal record information.
No items under the "biometric personal data" category are processed.
12.3. The following personal data is subject to processing for employees' close relatives:
The "other personal data" category includes: surname; name; patronymic [if applicable]; contact information (email address; telephone number); date of birth/age; city of residence; and family relationship.
No items under the "special categories of personal data" category are processed.
No items under the "biometric personal data" category are processed.
12.4. The applied methods of processing personal data include: automated processing and non-automated processing.
12.5. Personal data processing and data retention periods are in accordance with p. 3.8 of these Regulations.
12.6. The procedure for destroying personal data is in accordance with p. 3.9 of these Regulations.
13. The purpose of personal data processing is: "Carrying out incentive measures."
The purpose of personal data processing covers processes for gathering personal data on individuals participating in various incentive measures (competitions, lottery drawings, games, surveys, questionnaires, research studies and other similar measures), including for the purposes of the market promotion of HSE University's goods, work and services. The purpose of personal data processing is deemed to have been attained upon the expiration of the timeframe for conducting the measures in which the given personal data owner or subject is participating.
13.1. The "other personal data" category includes: surname; name; patronymic [if applicable]; date of birth; sex; contact information (email address; telephone number).
13.2. No items under the "special categories of personal data" category are processed.
13.3. The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
14. The purpose of personal data processing is: "Disseminating modern scientific knowledge within Russian society, including within professional associations; carrying out innovation-driven activity and creating an innovation infrastructure for the facilitation and commercialisation of the results of research and development (R&D) work, and the promotion of educational and research programmes in the international educational and academic space."
The purpose of personal data processing covers processes for gathering the personal data of individuals participating in various events driven by the specific objectives of the stated purposes of personal data processing. The purpose of personal data processing is deemed to have been attained upon the expiration of the timeframe for conducting the measures in which the given personal data owner or subject is participating.
14.1. The "other personal data" category includes: surname; name; patronymic [if applicable]; date of birth; sex; contact information (email address; telephone number); autobiographical data and information on professional activity, and educational and academic achievements, which pertain to personal data.
14.2. No items under the "special categories of personal data" category are processed.
14.3. The "biometric personal data" category includes: a colour, digital photographic image of the document owner's face. Processed without use of the University's information systems.
[1] In particular, by means of search queries or Internet-based requests, including via social networks, etc.
[2] If the information is not unique without an indication of the place of work.
[3] In particular, information on dynamic IP addresses for non-professional consumers of communications services.
[4] Students of HSE University lyceums and continuing general educational programmes.