AIPM Online Training Platform

Policy of Personal Data Processing

1. General Provisions

1.1. This Policy of the Branch of the Association of International Pharmaceutical Manufacturers (Switzerland) (hereinafter referred to as the "Association","Operator") regarding the personal data processing (hereinafter referred to as the "Policy") has been developed in the pursuance of the requirements of Clause 2, Part 1 of Article 18.1 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter referred to as the "Personal Data Law") in order to ensure the protection of human and civil rights and freedoms when processing personal data.

1.2. The Policy applies to all personal data processed by the Operator using websites aipm.org, code.aipm.org, information systems analytics.aipm.org, vote.aipm.org, reg.aipm.org, digital.aipm.org.

1.3. In the pursuance of the requirements of the Personal Data Law, this Policy is published in free access on the information and telecommunications network Internet on the Operator's websites.

1.4. The basic concepts used in the Policy:

1.4.1. Personal data means any information that relates directly or indirectly to a specific or identifiable individual (personal data subject);

1.4.2. Personal data processing means any action (operation) or a set of actions (operations) with personal data performed using automation tools or without using such tools;

1.4.3. Blocking of personal data means a temporary termination of personal data processing (unless the processing is necessary to clarify personal data);

1.4.4. Destruction of personal data means actions as a result of which it becomes impossible to restore the content of the personal data in the personal data information system and/or as a result of which material carriers of the personal data are destroyed.

1.4.5. Roskomnadzor-the federal service for supervision of communications, information technology and mass media

1.5. If changes are made to the Policy, the Operator will publish its updated version on the Operator's websites pages indicating the date of the last update. Where personal data processing involves processing of contact details, we may give notice of significant changes to the Policy by sending such notice by email (if users submitted it) or by posting a corresponding notice on the pages of the Operator's websites. However, we would recommend to regularly check the Policy for updates.

2. Basic Rights and Obligations of the Personal Data Subject

2.1. The personal data subject shall have the right to:

1) receive information on the personal data processing, except for the cases provided for by the federal laws. The information is provided to the personal data subject by the Operator in an accessible form, and it should not contain the personal data relating to other personal data subjects unless there are legal grounds for disclosing such personal data. The list of information and procedure for obtaining it is established by the Personal Data Law;

2) demand that the operator clarify, block, or destruct the personal data of the personal data subject if the personal data is incomplete, outdated, inaccurate, or not necessary for the stated purpose of processing as well as to take protective measures provided for by the law;

3) withdraw the consent to process his/her personal data.

In order to exercise the above rights, the subject may send a request to the Operator at dataprotection@aipm.org.

4) appeal to Roskomnadzor or to a court against unlawful actions or inaction of the Operator when processing his/her personal data.

5) exercise other rights granted to him/her by the Personal Data Law.

2.2. The personal data subject is responsible for ensuring the relevance and reliability of his/her data when it is provided to the Operator as well as in cases where the functionality of the Operator's services allows the personal data subject to update his/her data.

3. Information on the Personal Data Processing

Purpose of processing: use of websites functionality, including user's registration on the website aipm.org, and their use of the closed segment of the website accessible to the members of the Association, as well as passing the AIPM Code of Practice training at code.aipm.org

Categories and the list of personal data processed

Personal data:

· Full name

· name of the Association member employer

· position

· e-mail

· telephone

· login

· password

· other information received by the Operator in the course of using the relevant functionality of the websites by users (for example, information about the results of passing training according to the AIPM Code of Practice)

Categories of personal data subjects whose data is processed

Registered web-site users.

Legal basis for data processing

Consent.

By completing the relevant forms and/or submitting their personal data, the user consents to the personal data processing as provided for by the Policy.

Processing and storage methods and terms

Processing and storage methods: automated processing.

Processing and storage terms: Operator stores information about the user for 3 years. Upon the expiry of 3 years, the operator erases all personal data associated with the user.

Procedure for destroying personal data upon achieving the goals of its processing or upon the occurrence of other legal grounds.

When the data processing goals are achieved or the processing period is expired, or at the request of the personal data subject (including the withdrawal of consent), the Operator shall ensure the destruction of personal data within 30 days (unless a shorter period is stipulated by the law). If the law requires any personal data to be stored for a longer period or if the Operator has the right to continue processing on other lawful grounds, the Operator may continue to process the personal data after the consent is withdrawn.

Purpose of the processing: emailing (newsletters and invitations)

Categories and the list of personal data processed

Personal data:

· Full name

· name of the Association member employer

· position

· e-mail

· telephone

Categories of personal data subjects whose data is processed

Users of information system reg.aipm.org, digital.aipm.org., employees of AIPM member-companies, who have explicitly expressed a desire or authorized in the company to receive the newsletter emails.

Legal basis for data processing

Consent.

By completing the relevant forms and/or submitting their personal data, the user consents to the personal data processing as provided for by the Policy.

Processing and storage methods and terms

Processing and storage methods: automated processing.

Processing and storage terms: until consent is withdrawn.

The user can opt out of receiving the newsletter emails any time by contacting an authorized person in the company responsible for working with the digital.aipm.org information system and / or by sending a written request to the operator.

Procedure for destroying personal data upon achieving the goals of its processing or upon the occurrence of other legal grounds.

Purpose of processing: registration for participation in events.

Categories and the list of personal data processed

Personal data:

· Full name

· name of the Association member employer

· position

· e-mail

· telephone

Categories of personal data subjects whose data is processed

Individuals who register for events at reg.aipm.org information system.

Legal basis for data processing

Consent.

By completing the relevant forms and/or submitting their personal data, the user consents to the personal data processing as provided for by the Policy.

Processing and storage methods and terms

Processing and storage methods: automated processing.

Processing and storage terms: The Operator shall store the details regarding event participants no more than 3 years after the event has taken place.

Procedure for destroying personal data upon achieving the goals of its processing or upon the occurrence of other legal grounds.

Purpose of processing: information exchange, including responses to queries sent to the Association, surveys and analytics carried out by the Association

Categories and the list of personal data processed

Personal data:

· Full name

· name of the Association member employer

· position

· e-mail

· telephone

Categories of personal data subjects whose data is processed

Users of aipm.org and code.aipm.org websites, information systems analytics.aipm.org, vote.aipm.org, reg.aipm.org, digital.aipm.org, and employees of member-companies of the Association making enquiries or taking part in surveys and analytics carried out by the Association.

Legal basis for data processing

· Consent.

By completing the relevant forms and/or submitting their personal data, the user consents to the personal data processing as provided for by the Policy.

· Exercising the rights and legitimate interests of the Operator.

Processing and storage methods and terms

Processing and storage methods: automated processing.

Processing and storage terms: until the purpose of processing is achieved (for example, during the time period needed to respond to a request or to summarize the results of an analytics or survey, unless a longer storage period is required by the law).

Procedure for destroying personal data upon achieving the goals of its processing or upon the occurrence of other legal grounds.

Purpose of processing: to manage and improve the website aipm.org and user experience

Categories and the list of personal data processed

Personal data:

· cookie files,

· web beacons,

· IP address,

· URL page,

· page header and referrer,

· suggested geolocation,

· time zone,

· browser version and language,

· display resolution,

· version of the operating system and supporting software,

· registry of website experience,

· device module,

· search engine,

· list of downloaded files,

· user interests,

· list of visited pages,

· time spent on the website and other similar information.

We do not correlate the name, contact information or other information that a user may provide to us for other purposes with activities on the site tracked using cookies.

We do not use programs to analyze the data stored in cookies and do not create an individual profile of your activities on the website.

Categories of personal data subjects whose data is processed

All users of aipm.org website

Legal basis for data processing

· Consent.

The Operator may process cookies if the user's browser settings allow it (cookie saving and JavaScript technology use are enabled).

If the user does not consent to automated cookie processing, the browser settings can be modified respectively and cookies can be disabled or deleted.

When the user visits the website for the first time, he/she is warned about the use of cookies by displaying a pop-up notice or in a similar way.

· Exercising the rights and legitimate interests of the Operator.

Processing and storage methods and terms

Processing and storage methods: automated processing.

Processing and storage terms: Cookie files used by the Operator are stored on the user's device for a period appropriate for the file type, for example:

· "Session" cookies are valid from the moment you log in to the website until the end of the specific browsing session. These cookies are automatically deleted when you close the browser.

· "Persistent" cookies are stored on the device between browsing sessions and are not deleted when the browser is closed. Storage term for persistent cookies on devices varies and can vary from one day (for example, site optimization cookies) to two years (for example, cookies that remember that the user has previously agreed to the use of cookies) depending on their type and purpose.

Procedure for destroying personal data upon achieving the goals of its processing or upon the occurrence of other legal grounds.

Cookies and other similar data are automatically deleted once the goals of the processing have been achieved.

4. Personal Data Processing Procedure

4.1. When processing personal data, the Operator performs the following actions or operations with such personal data: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), deletion or destruction of personal data.

4.2. The Operator does not distribute personal data. If such distribution is necessary, the Operator will obtain separate consent in accordance with Article 10.1 of the Personal Data Law.

4.3. The Operator shall take appropriate technical, physical and organizational measures to protect personal data against its unforeseen or unlawful destruction or unforeseen loss, alteration, unauthorized disclosure or access to such personal data, taking into account that any information security system cannot guarantee the absolute security of personal data.

4.4. The Operator shall take all necessary steps to ensure the integrity of the processed Personal Data for the purposes for which they are used and that the Personal Data is reliable, complete and up-to-date.

4.5. The Operator generally processes personal data received directly from personal data subjects. Where a member of the Association transfers the personal data of a personal data subject to the Operator (e.g. by registering for an event or adding such person as a representative of a member of the Association), the member guarantees that it has obtained the consent of such personal data subject for such transfer in accordance with the applicable laws of the Russian Federation.

5. Data Transfer

5.1. The Operator shall take the necessary measures to ensure adequate protection of the personal data transferred and shall organize personal data transfer in accordance with the requirements of the applicable laws.

5.2. The Operator shall have the right to transfer personal data for the above-mentioned purposes:

1) to service providers in connection with the websites and information systems usage, including hosting the websites and information systems, providing technology-related services (including web analytics services), and distributing information materials; or

2) to the Government officials, regulatory officials, or other law enforcement and court officials in the manner prescribed by the law or as required by a binding order; or

3) to the Members of the Association and partners within the framework of the Operator's activities in connection with the purposes for which the personal data was collected.

5.3. No cross-border transfer of personal data to foreign countries is carried out.

6. Feedback

Should the personal data subject have any questions about this Policy, please contact: dataprotection@aipm.org.

Personal data processing policy dated March 29, 2023