Privacy Policy

Date: January 24, 2019

This Privacy Policy (hereinafter the Policy) is used by JSC Positive Technologies, located at room 30, office V, 23A, Schelkovskoe shosse, Moscow, 107241, Russian Federation (hereinafter the Company, "we," or "us"), for the website of the International Information Security Forum Positive Hack Days 9 (hereinafter the Forum), located at phdays.com (hereinafter the Website), and the website of the contractor RUVENTS LLC  (hereinafter the Contractor or RUVENTS LLC).

In this Policy we openly explain all methods of personal data processing when using the Website. The Policy was developed by the Company in compliance with Federal Law No.152-FZ On Personal Data of July 27, 2006 (hereinafter the Law). As an international company, we take into account provisions of other regulatory acts on personal data, including the General Data Protection Regulation (GDPR).

1. General provisions

1.1.  Personal data is any information relating to an identified or identifiable natural person. For instance, a person's last name, first name, middle name, or patronymic, his or her job title, company name, email address, phone number, and other information shall be deemed personal data.

Technical information shall be deemed personal data too, if it can be referred to an individual. For instance, IP address, type of operating system, type of device (PC, cell phone, tablet), browser type, geolocation, web form fill-in, Internet provider.

If we cannot in any way refer information to an individual, we shall not consider this information personal data.

1.2.  You understand that the Company is the operator only for personal data we get from you as an individual, using the Website and the platform of the Contractor (hereinafter the Services).

1.3.  This document determines the Company’s personal data policy and can be found at  https://www.phdays.com/en/privacy-policy/. Also the Company grants unlimited access to the Policy for any individual making a respective request in person.

1.4.  Primary goal of the Company is to ensure protection of the citizen's rights and freedoms during processing of personal data, including protection of one's right to personal and family privacy, clear and strict compliance to the  requirements primarily of the Russian legislation on personal data.

1.5.  This Policy applies to all personal data of individuals processed by the Company, as well as to processes related to personal data processing. The Company may process personal data with or without automated data processing tools. The processes may include, without limitation, gathering, recording, classification, accumulation, storage, rectification (updating, editing), making electronic copies, retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of persona data.

1.6.  The Company and Contractor process personal data, including data storage, on servers located in the Russian Federation.

1.7.  The Company has the right to update this Policy as necessary. The Policy must be revised in case of significant changes in the international or national legislation on personal data. If we process personal data, we undertake to notify you of any such changes by email.

1.8.  The Company does not check validity of personal data or the legal capacity of the person providing such data. You guarantee that all data is valid, up-to-date, compliant with Russian and applicable EU legislation on personal data protection.

2. Third-party services (Contractor)

RUVENTS LLC

2.1.  The Company uses the Contractor's platform for the Forum. This is why RUVENTS LLC shall process your personal data listed in the Policy, including data collection and storage. Such processing of personal data is governed by the Terms of Use of RUVENTS LLC.

2.2.  We use RUVENTS LLC services to arrange your participation as a speaker. Therefore we process only the data collected by RUVENTS LLC which we can access through the platform of RUVENTS LLC.

2.3.  If you have questions regarding processing of your personal data by RUVENTS LLC or your information that RUVENTS LLC stores, please send an email to users@runet-id.com.

3. Purposes of personal data processing

The Company shall be guided by sufficiency, reasonableness, and feasibility when processing personal data. We carry out processes related to personal data processing in cases and for purposes listed in this section.

3.1. When accessing Services, for proper performance of obligations by the Company, proper provision of services, receipt and processing of requests for such services, registration on the Services, and in any other cases related to such actions. Your use of the Services shall mean unconditional acceptance of this Policy and personal data processing conditions stated therein. If you disagree with this policy, stop using the Services immediately.

3.2. When participating in events held by the Company, for registration as a participant. Participation in events held by the Company or performance of actions related to participation shall mean unconditional acceptance of this Policy and personal data processing conditions stated therein. If the Subject of personal data disagrees with this policy, he or she must participating in events immediately.

3.3. When contacting you, to receive feedback and to provide you with any accurate and complete information related to the Company's activities. Including, but not limited to, provision of information of the Services and services, emailing information on Services, events and promotional activities arranged by the Company and/or by authorized third parties. The Company shall have the right to use the email you provide to contact you.

3.4. When receiving your feedback for the following purposes:

  • receiving information on loyalty and satisfaction with Services, for further review and processing of that information;
  • analysis to improve quality of Services;
  • performance of any type of study.

3.5. When ensuring protection and confidentiality of your personal data, to ensure operability and security of Services, to confirm actions you perform, for actions aimed at preventing fraud, cyberattacks, and other abuse, as well as for investigation of such cases.

4. List of processed personal data

4.1. We can process the following personal data using the Contractor's platform:

4.1.1. General personal data: full name, email address.

4.1.2. Other personal data: job title, employer, industry.

4.2. Other information processed by the Company and Contractor:

4.2.1. Data on devices: IP address, type of operating system, type of device (computer, cell phone, tablet), browser type, geolocation, web form fill-in, and Internet provider.

4.2.2. Information received automatically when accessing Services, including Internet sites using cookies. Cookies are text fragments automatically saved in your Internet browser memory by means of  our Website. This allows the Website to refer to saved data on your computer and retrieve it when necessary. We use cookies to remember the language you use to access the Website. When you visit our Website again, we will be able to take into account your preferences about using our Website.  Most Internet browsers save cookies automatically, but you can always change your browser settings and stop saving cookies.

4.2.3. Information obtained as a result of your actions, including data on submitted inquiries, comments, and questions.

5. Principles of personal data processing

Sufficiency is the main principle we follow when processing personal data. Your personal data will not be processed unless really necessary.

When processing personal data, we are also governed by the following principles.

5.1. Lawfulness, fairness and transparency of personal data processing (“lawfulness, fairness and transparency”).

5.2. Processing of personal data in compliance with specified, explicit and legitimate purposes (“purpose limitation”).

5.3. Prevention of merging of databases containing personal data processed for incompatible reasons.

5.4. Processing of only such types of personal data that fit the purpose of their processing including their volume and content (“data minimization”).

5.5. Accuracy, applicability, and reliability of personal data (“accuracy”).

5.6. Lawfulness of technical measures aimed at personal data processing. Processing of personal data in a secure manner, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

5.7. Reasonableness and feasibility of personal data processing.

5.8. Storage of personal data in a format allowing to identify the individual is possible only for the time required for their processing, or for as long as the individual's consent is valid (“storage limitation”).

5.9. Processed personal data shall be destroyed or depersonalized immediately in cases listed in the Policy.

6. Processing personal data

6.1. Personal data collection

Personal data can be collected in the following ways.

  • You provide personal data by filling in forms, including online forms on the Services.
  • Data is collected automatically using technologies and services, such as web protocols, cookies, web markers launched only when you fill in your data.
  • You provide personal data in writing, including the use of communication means.

6.2. Storage and use of personal data.

  • Personal data shall be stored only on properly secured media, including electronic media, and processed with or without automated data processing tools.
  • The Company and the Contractor perform automated processing of personal data, using databases located in the Russian Federation.

6.3. Handover of personal data

  • The Company may provide your personal data to third parties, including, but not limited to, consultants, partners, providers under agreements, contractors, and agents (hereinafter Consultants) for proper performance of their obligations to you as per Clause 2.9 of the Terms of Use, and also in cases when data is provided to ensure compliance with the terms and conditions of the agreement and regulatory requirements, as well as to prevent or stop illegal actions or to protect the interests of the Company and third parties;
  • personal data is provided to Consultants in order to achieve the goals stated earlier and data transfer shall be based on the agreement with the respective Consultant. Consultants undertake to use personal data strictly in compliance with this Policy to achieve the stated goals and to provide services under an agreement.

6.4. Destroying personal data.

Company shall destroy personal data if copies of such data are stored in the Company, or send a request to third parties, including Contractor, to remove the data in the following cases:

  • there is a threat to security of Services;
  • the goal of personal data processing is achieved, or it is no longer necessary to achieve it;
  • you violated the Policy;
  • personal data storage period has expired;
  • the agreement has expired or was terminated;
  • at your request or if the individual revokes his/her consent for personal data processing.

7. Your rights

7.1. You have the right to receive information on processing of your personal data, including the following:

  • confirming the fact of your personal data processing;
  • legal grounds for your personal data processing;
  • Purposes and methods the Company uses to process your personal data;
  • what personal data of yours we process and where we get it from;
  • time of your personal data processing, including storage time;
  • procedure for exercising the rights provided for by the legislation of the Russian Federation;
  • information on actual or planned cross-border data transfer;
  • information on persons to whom your personal data may be provided under an agreement with the Company or in compliance with the legislation of the Russian Federation ;
  • name of the entity or full name and address of the individual processing personal data at the Company's request, if such entity or individual is tasked or will be tasked with processing;
  • other information provided for by the legislation of the Russian Federation;
  • You have the right to receive such information any number of times. Just send a request to the Company as provided for by Section 12 of this Policy.

8. Obligations of the Company

8.1. As required by the Law, the Company is obligated to do the following:

8.1.1. At your request, provide information on processing of your personal data listed in Item 7.1 of the Policy, or a justified refusal.

8.1.2. Take necessary and sufficient measures to fulfill obligations provided for by the Law.

8.1.3. At your request, update processed personal data, block or remove it if it's incomplete, outdated, obtained illegally, or not required for the stated purpose of processing.

8.1.4 Ensure that personal data is processed with due diligence. If personal data cannot be processed with due diligence, the Company shall destroy or ensure destruction of personal data within 10 (ten) workdays after discovering that data was processed without due diligence, by sending an appropriate request to third parties, including Contractor.

8.1.5. If the agreement with you expires of your consent for personal data processing is revoked, we stop processing your personal data and destroy it immediately. Exception can be made when processing continues by virtue of legislation.

9. Information on personal data protection

9.1 All personal data you provide shall be confidential by default. Protection of personal data processed by the Company is ensured by implementation of legal, organizational, and technical measures necessary and sufficient to ensure compliance with requirements of the Russian Federation legislation on personal data protection. However, we always strive to ensure maximum protection of your data and apply more measures to protect personal data than required by legislation. Here are some of the measures the Company takes to protect personal data.

9.2. Legal measures

9.2.1. Development of local Company regulations to fulfill requirements of the Russian legislation, including this Personal Data Processing and Protection Policy, and placing it at https://www.phdays.com/en/privacy-policy/.

9.2.2. Refusal to use any personal data processing methods not fit for the purpose predetermined by the Company.

9.3. Organizational measures:

9.1. Assigning a person responsible for arrangement of personal data processing. You can contact that person using the following email: privacy@ptsecurity.com.

9.3.2. Limiting the number of Company employees having access to personal data, and arranging a system of permits for access.

9.3.3. Regular assessment of risks related to personal data processing.

9.3.4. Internal investigations to identify any facts related to unauthorized access to personal data

9.3.5. Using encryption when processing personal data

9.3.6. Monitoring and security assessment of Company's network infrastructure

9.3.7. Educating Company employees on provisions of the Russian Federation legislation on personal data, the EU legislation on personal data, including personal data protection requirements, local regulations of the Company on personal data protection. Training the employees.

9.3.8. Arranging security of premises storing media with personal data, to prevent unauthorized access or presence of individuals who have no right to access such premises

9.3.9 Arranging trainings for Company employees in various aspects of personal data processing

9.4. The Company undertakes, and obligates third parties if they are given the right to process personal data, to maintain confidentiality of personal data and not use personal data without a legal basis for its processing.

10. Cross-border data transfer

10.1.  We are an international company. Therefore, for purposes stated in this Policy, we may transfer your personal data to countries other than those where it was originally obtained. This is called cross-border data transfer. Before cross-border data transfer the Company shall ensure that the country to which personal data is transferred will provide adequate protection of your rights as a personal data subject . In case of cross-border personal data transfer, we protect your data in compliance with the Policy.

11. Limited effect of the Policy

11.1.  You must also be reasonable and responsible when making your personal data publicly available, including feedbacks and comments on the Services.

11.2.  The Company shall not be responsible for actions of third parties who gain access to your personal data as a result of your actions.

12. Inquiries of personal data subject

12.1  You have the right to send inquiries to the Company, including inquiries regarding the use of your personal data.

12.1.1. In writing to Preobrazhenskaya Sq. 8, Moscow, 107061

12.1.2. Electronically by emailing to privacy@ptsecurity.com

12.2.  To respond to your inquiry, including inquiries regarding the use of your personal data, the Company must first confirm your identity to avoid unauthorized transfer of data to third parties. Therefore your inquiry must contain the following information:

12.2.1. Number of your ID

12.2.2. Date of ID issue and issuing authority

12.2.3. Information confirming your participation in dealings with the Company

12.2.4. Your signature

12.3.  The Company undertakes to process your inquiry and respond within 30 (thirty) calendar days of inquiry receipt.

12.4.  All correspondence received by the Company (written or electronic inquiries) is considered restricted information and will not be disclosed without your written consent.