The Institute of Metacognitive Programming

POLICY
regarding the processing of personal data

1. General provisions

1.1. The current Policy on the processing of personal data (hereinafter referred to as the Policy) is developed in order to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The policy applies to all personal data processed by INSTITUTE OF METACOGNITIVE PROGRAMMING INC. (hereinafter referred to as the Operator).

1.3. The policy applies to the relationships in the field of personal data processing that have arisen for the Operator both before and after the approval of this Policy.

1.4. In accordance with the requirements of the Law on Personal Data, this Policy is published freely accessible on the Operator’s website imcp.org.

1.5. The main concepts used in the Policy:

Personal data – any information relating to an identified or identifiable natural person (subject of personal data).

Data Operator (Operator) – Individual entrepreneur INSTITUTE OF METACOGNITIVE PROGRAMMING INC, independently or jointly with other persons organizing and/or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data.

The processing of personal data is any action (operation) or set of actions (operations) with personal data, carried out using automation tools or without their use. The processing of personal data includes, in particular:

collection;
record;
systematization;
accumulation;
storage;
clarification (updating, changing);
extraction;
usage;
transmission (distribution, provision, access);
depersonalization;
blocking;
deletion;
destruction;

Automated processing of personal data – processing of personal data using computer technology tools;

The dissemination of personal data is actions aimed at disclosing personal data to an indefinite circle of persons;

Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of people;

Blocking personal data – temporary suspension of processing personal data (except in cases where processing is necessary to clarify personal data);

Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and/or result in the destruction of physical media containing personal data;

Personal data anonymization – actions that make it impossible, without the use of additional information, to determine the ownership of personal data to a specific subject of personal data;

Information system of personal data – a set of personal data contained in databases and ensuring their processing by information technologies and technical means.”

1.6. Main rights and responsibilities of the Operator.

1.6.1. The Operator has the right to:

to independently determine the composition and list of measures necessary and sufficient to ensure the proper Data Protection;
to entrust the processing of personal data to third party with the consent of the data subject, unless otherwise provided by federal law, based on a contract concluded with this person. The person processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing provided by the Law on Personal Data, maintain the confidentiality of personal data, and take necessary measures to ensure compliance with the obligations provided by the Law on Personal Data;
In the event of withdrawal of consent by the data subject for the processing of personal data, the Operator may continue processing personal data without the consent of the data subject if there are grounds specified in the Law on Personal Data.

1.6.2. The Operator is obliged to:

organize the processing of personal data;
to respond to requests and inquiries from subjects of personal data and their legal representatives in accordance with the requirements of the Canadian Law;
to provide the necessary information to the authorized body for the protection of the rights of personal data subjects within 10 working days from the date of receiving such a request. This period can be extended, but not more than five working days. To do this, the Operator must send a motivated notification to Roskomnadzor stating the reasons for extending the deadline for providing the requested information;
In accordance with the order of the federal executive authority responsible for ensuring security, it is necessary to ensure interaction with the state system for detecting, warning, and eliminating the consequences of computer attacks on information resources of the Canada, including informing it about computer incidents that have resulted in the unauthorized transfer (provision, distribution, access) of personal data.

1.7. Main rights of the personal data subject. The personal data subject has the right to:

to receive information regarding the processing of their personal data. The information is provided to the data subject by the Operator in an accessible form and should not contain personal data related to other data subjects, unless there are legitimate grounds for disclosing such personal data;
to demand from the Operator clarification of their personal data, their blocking or destruction in case the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights;
to give preliminary consent for the processing of personal data for the purpose of promoting goods, works, and services on the market;

1.8. The subjects of personal data give their consent to the processing of personal data in accordance with this Policy by checking the box or a similar action during registration, payment for the Operator’s services, or other actions or by clicking on another interface when there is an indication that data submission is subject to the terms of this Policy.

1.9. Compliance with the requirements of this Policy is monitored by the Operator.

2. Purposes of collecting personal data

2.1. The processing of personal data is limited to achieving specific, predetermined, and lawful purposes. The processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

2.2. Only personal data that is relevant to the purposes of its processing shall be subject to processing.

2.3. The processing of personal data is carried out by the Operator for the following purposes:

Conclusion and execution of contracts and/or other agreements;
Providing access to any materials of the Operator and/or its partners or conducting any oral or written consultations, discussions by the Operator regarding the personal data subject or the person specified by them in the absence of a concluded agreement/agreement;
Statistical and other research (including improving the quality of services provided by the Operator and/or the methods and ways of providing services);
Directions to the subjects of personal data of information mailings and other messages, making calls, including, but not limited to: special offers, promotions, sweepstakes, contests, surveys, new products, events of the Operator and/or its partners, advertising messages, as well as targeting of these messages;
Placement on websites, messengers/communities/groups of the Operator of reviews, case studies, problem-solving methods or other outcomes or processes of interaction between the Operator and the personal data subject and/or the person represented by the personal data subject.

3. Scope and categories of processed personal data,
categories of personal data subjects

3.1. The content and volume of processed personal data must correspond to the stated purposes of processing. The processed personal data should not be excessive in relation to the stated purposes of their processing. However, the Operator has the right to process personal data in a smaller volume than specified in this Policy.

3.2. The Operator processes personal data for the following purposes:

Conclusion and execution of contracts and/or other agreements

the following subjects of personal data:
Subjects of personal data who have contacted the Operator regarding the conclusion and execution of contracts and/or other agreements, consultation in the professional or other sphere of the Operator’s activities, with whom no contract and/or other agreement has been concluded (clients of the Operator),
Counterparties of the Operator – subjects of personal data with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer),
Subjects of personal data who are representatives of the Operator’s counterparties with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer).

the following personal data:

Last name, first name, and patronymic,
Year and date of birth,
Email address,
Phone number,
Telegram username and in social networks,
Information about employment history (including work experience, current employment status with the name and bank account details of the organization),
Position,
Bank card details,
Account number,
Account number,
Marital status,
Registration address,
Residential address.

Provision of access to any materials of the Operator and/or its partners or conducting any oral or written consultations, discussions by the Operator regarding the personal data subject or the person indicated by them in the absence of a concluded contract/agreement.

the following subjects of personal data:

Subjects of personal data who have contacted the Operator regarding the conclusion and execution of contracts and/or other agreements, consultation in the professional or other sphere of the Operator’s activities, with whom no contract and/or other agreement has been concluded (clients of the Operator),
Counterparties of the Operator – subjects of personal data with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer),
Subjects of personal data who are representatives of the Operator’s counterparties with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer)
the following personal data:

Last name, first name, and patronymic,
Phone number,
Email address,
Telegram username and social media handles.

Statistical and other research (including improving the quality of services provided by the Operator and/or methods and ways of providing services)

the following subjects of personal data:
Individuals who have contacted the Operator regarding the conclusion and execution of contracts and/or other agreements, consultation in the professional or other sphere of the Operator’s activities, with whom no contract and/or other agreement has been concluded (clients of the Operator),
Counterparties of the Operator – subjects of personal data with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer),
Subjects of personal data who are representatives of the Operator’s counterparties with whom a contract and/or other agreement has been concluded (in written, oral or other form, including by joining the contract-offer)
the following personal data:

Last name, first name, and patronymic ,
Phone number,
Email address,
Telegram username and social media handles.

Directions to subjects of personal data of informational mailings and other messages, making calls, including, but not limited to: about special offers, promotions, giveaways, contests, surveys, new products, events of the Operator and/or its partners, advertising messages, as well as targeting of the mentioned messages.

The following subjects of personal data:
– Individuals who have contacted the Operator regarding the conclusion and execution of contracts and/or other agreements, consultation in the professional or other sphere of the Operator’s activities, with whom no contract and/or other agreement has been concluded (clients of the Operator).
– Counterparties of the Operator – subjects of personal data with whom a contract and/or other agreement has been concluded (in written, oral, or other form, including by joining the offer agreement).
– Subjects of personal data who are representatives of the Operator’s counterparties with whom a contract and/or other agreement has been concluded (in written, oral, or other form, including by joining the offer agreement).
The following personal data:

Last name, first name, and patronymic ,
Phone number,
Email address,
Telegram username and in social networks.

Placements on websites, messengers/communities/groups of the Operator of reviews, case studies, problem-solving methods, or other outcomes or processes of interaction between the Operator and the personal data subject and/or the person represented by the personal data subject.

The following subjects of personal data:

Individuals who have contacted the Operator regarding the conclusion and execution of contracts and/or other agreements, consultation in the professional or other sphere of the Operator’s activities, with whom no contract and/or other agreement has been concluded yet (clients of the Operator).
Counterparties of the Operator – subjects of personal data with whom a contract and/or other agreement has been concluded (in written, oral, or other form, including by joining an offer agreement).
Subjects of personal data who are representatives of the Operator’s counterparties with whom a contract and/or other agreement has been concluded (in written, oral, or other form, including by joining an offer agreement).
The following personal data:

Surname, first name, and patronymic,
Non-biometric photo and video images of the subject.

4.3. Processing of biometric personal data (information that characterizes the physiological and biological features of a person, based on which their identity can be established) is not carried out.

4.4. The Operator does not process special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, intimate life, criminal convictions, or other special categories of personal data.

5. Order and conditions for processing personal data

5.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of Canada.

5.2. Processing of personal data is carried out with the consent of the data subjects for the processing of their personal data, as well as without it in cases provided for by the legislation of Canada.

5.3. The Operator processes personal data for each purpose of their processing, specified in this Policy, by means of mixed processing of personal data.

5.4. Processing of personal data is allowed for the Operator, as well as for the counterparties of the Operator with whom the corresponding contract/agreement has been concluded, provided that the data subject has given consent.

5.5. Processing of personal data for each purpose of processing specified in this Policy is carried out by:

obtaining personal data in oral and written form directly from data subjects;
entering personal data into the logs, registers, and information systems of the Operator;
obtaining personal data using the Internet.

5.6. Disclosure of personal data to third parties and distribution of personal data without the consent of the data subject is not allowed, unless otherwise provided by federal law. Consent to the processing of personal data allowed by the data subject for distribution shall be separately documented from other consents of the data subject to the processing of his personal data.

5.8. Measures aimed at ensuring the operator’s compliance with the obligations provided for by the Personal Data Protection

The Operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations

Such measures include:

1) the purpose of appointing a data processing officer responsible for organizing the processing of personal data.

2) the publication by the Operator of the operator’s policy on the processing of personal data, other local acts on the processing of personal data, determining for each purpose of processing personal data the categories and list of processed personal data, categories of subjects whose personal data are processed, methods, terms of their processing and storage, procedure for the destruction of personal data upon achieving the purposes of their processing or upon the occurrence of other legal grounds.

3) application of legal, organizational, and technical measures to ensure the security of personal data;

4) Familiarization of employees of the Operator directly involved in the processing of personal data with the provisions of the legislation of the Canada on personal data, including requirements for the protection of personal data, documents defining the policy of the Operator regarding the processing of personal data, local acts on the processing of personal data, and/or training of said employees.

5.8.1. Measures to ensure the security of personal data during their processing.

The operator, when processing personal data, takes the necessary legal, organizational, and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions with regard to personal data.
Ensuring the security of personal data is achieved by:

1) taking into account machine carriers of personal data;

2) by detecting instances of unauthorized access to personal data and taking measures, including measures to detect, prevent, and mitigate the consequences of computer attacks on personal data information systems, as well as responding to computer incidents within them;

3) recovery of personal data that has been modified or destroyed as a result of unauthorized access to them.

4) control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

The Operator is responsible for ensuring the security of personal data.

5.9. The Operator stores personal data in a form that allows identifying the data subject for no longer than is necessary for each purpose of personal data processing. If the period of personal data storage is not established by federal law or a contract, it is stored throughout the term of the operator’s entrepreneurial activity.

5.10. The Operator terminates the processing of personal data in the following cases:

The fact of their unlawful processing has been identified. The deadline is within three working days from the date of identification;
The goal of their processing has been achieved;
The expiration date has passed or the consent of the data subject for the processing of the specified data has been revoked, when the processing of this data is only allowed with consent according to the Law on Personal Data.

5.11. When the goals of personal data processing are achieved, as well as in case the data subject withdraws their consent for processing, the Operator terminates the processing of this data if:

nothing else is provided for by the agreement, in which the party, beneficiary, or guarantor of which is the personal data subject;
The Operator is not entitled to process personal data without the consent of the data subject on the grounds provided by the Law on Personal Data or other federal laws;
No other provisions are provided for by any other agreement between the Operator and the data subject.

5.12. When a data subject requests an Operator to cease processing their personal data within a period not exceeding 10 working days from the date of receiving such request by the Operator, the processing of personal data shall be terminated, except in cases provided by Law. This period may be extended, but not more than five working days. In order to do so, the Operator must send a motivated notification to the data subject stating the reasons for extending the deadline.

5.13. The Operator carries out cross-border transfer of personal data. Personal data is transferred exclusively for the purposes and to the extent provided for in this Policy on the processing of personal data. The basis for the cross-border transfer of personal data is the Instruction for the processing of personal data. Personal data is transferred to third parties exclusively in foreign countries that provide adequate protection of the rights of personal data subjects.

5.14. When collecting personal data, the Operator assumes that the data subject has provided completely accurate information. The Operator does not verify its authenticity. All risks associated with providing inaccurate or insufficient information lie with the data subject.

6. Updating, correcting, deleting, destroying personal data, responding to requests from data subjects for access to personal data

6.1. Confirmation of the fact of processing personal data by the Operator, legal grounds and purposes of processing personal data, as well as other information specified in the Law on Personal Data, shall be provided by the Operator to the personal data subject or his representative within 10 working days from the date of the request or receipt of the request from the personal data subject or his representative. This period may be extended, but not more than five working days. To do this, the Operator should send a motivated notification to the personal data subject indicating the reasons for extending the deadline for providing the requested information.
The provided information does not include personal data related to other personal data subjects, except in cases where there are legitimate grounds for disclosing such personal data.
The request should include:

the number of the main document certifying the identity of the personal data subject or their representative, information about the date of issuance of the specified document, and the issuing authority;
information confirming the individual’s participation in a relationship with the Operator (contract number, date of contract conclusion, conditional verbal designation, and/or other information), or information otherwise confirming the fact of personal data processing by the Operator;
signature of the data subject or their representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of Canada.
The Operator provides the information specified in the Personal Data Law to the personal data subject or their representative in the same format as the corresponding request or inquiry, unless otherwise specified in the request or inquiry.
If the request (inquiry) from the personal data subject does not contain all the necessary information in accordance with the requirements of the Personal Data Law, or if the subject does not have access rights to the requested information, a reasoned refusal is sent to them.
The right of the personal data subject to access their personal data may be restricted in accordance with the legislation of Canada.

6.2. In case of identification of inaccurate personal data upon the request of the data subject or their representative, the Operator shall block the personal data relating to this data subject from the moment of such request or receipt of the specified request for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the data subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, based on the information provided by the subject of personal data or his representative, or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of personal data.

6.3. If unlawful processing of personal data is detected in a request from the data subject or their representative, the Operator shall block the unlawfully processed personal data related to that data subject from the moment of such request or receipt.

6.4. Order of destruction of personal data by the Operator.

6.4.1. Conditions and deadlines for the destruction of personal data by the Operator:

The achievement of the goal of personal data processing or the loss of the need to achieve this goal – within 30 days;
Achieving the maximum storage period for documents containing personal data within 30 days;
providing by the data subject (or their representative) confirmation that the personal data has been obtained unlawfully or is not necessary for the stated purpose of processing, within seven working days. ;
Review by the data subject of consent to the processing of his personal data, if their retention for the purpose of processing is no longer required, within 30 days.

6.4.2. When the goal of processing personal data is achieved, as well as in case of withdrawal of consent by the data subject for their processing, personal data shall be destroyed if:

nothing else is provided for by the contract, in which the party, beneficiary or guarantor of which is the subject of personal data;
the Operator is not entitled to process personal data without the consent of the data subject on the grounds provided by the Law on Personal Data or other federal laws;
otherwise not provided by another agreement between the Operator and the data subject.

6.4.3. The destruction of personal data is carried out by the Operator by deleting information containing personal data from databases or other electronic media (including electronic documents and tables), as well as by destroying completely or partially the physical media where personal data is indicated, if such media exist.