1. General Provisions

The present policy of compliance with the requirements for personal data processing and protection (hereinafter referred to as the policy) is an internal and normative document defining the general provisions of the non-governmental organization, regulating the procedure and conditions of personal data processing by the organization and ensuring the protection of processed personal data, as well as the main means of compliance with the relevant requirements and the responsibility for them of the officials and competent persons of the organization:

2. terms and definitions

Personal data – any information relating to a natural person, which allows or may allow to identify the person directly or indirectly.

Processing of personal data, regardless of the form and manner of implementation (including automation, use of any technical means or without them), any action or group of actions related to the collection, fixation, input, coordination, systematization, storage, use, transformation, recovery, transfer, rectification, blocking, destruction or performance of other actions related to the collection, fixation, input, systematization, storage, use, transformation, recovery, transfer, rectification, blocking, blocking, destruction or other actions related to the processing of personal data.

Data subject: citizens (natural persons), employees, service providers, partners who establish a contractual and/or other relationship with a non-governmental organization.

Database: a set of personal data systematized according to certain characteristics: Information system: a set of information technologies or technical means used to process personal data included in a database, in electronic or non-electronic form.

Personal data protection – a set of technical, organizational, organizational and technical measures aimed at protecting information related to the subject of personal data, determined on the basis of certain or similar information.

Publicly available personal data is information which, with the consent of the data subject or as a result of conscious actions aimed at making his/her personal data publicly available, becomes available to a certain or indefinite number of persons, as well as information stipulated by law as publicly available information.

Provision of personal data-actions aimed at disclosing personal data to a certain person or a certain circle of persons: Employees-staff members of the organization, fully or partially employed, regardless of their position in the organization.

3. Measures to Ensure the Security of Personal Data Processed

1. To ensure the protection of processed personal data, the organization takes the necessary legal, organizational, technical protection measures in accordance with the regulatory requirements of the competent public authorities (regulatory bodies).

2 The requirements and rules for processing and protection of personal data shall be stipulated in the preparation of corporate documents related to all areas of the organization’s activities, including:

• all types of civil law contracts, agreements on transfer and acceptance of physical and information objects protected by copyright and related rights, as well as the rights of their owners, including information protection rights,
• internal and external agreements, rules, procedures (charters), orders,
• design and evaluation, procurement, structural, technological, program and operational documentation for information systems, automated systems and/or databases

Personal data protection measures are developed in accordance with the possibilities of the RA legislation.

4. requirements for processing and ensuring security of personal data, which must be observed by employees of the organization-individuals responsible for processing of personal data.

– the consent of the data subject to the processing of personal data in all cases provided for by law, especially in the case of transferring and receiving data by third parties.

5. The Organization is guided by the following Requirements when Processing Personal Data:

• lawfulness of the purposes, means of processing and reliability of data,
• ensuring the legality of personal data processing, which implies data processing with the subject’s consent, – compliance with the real and declared purposes of development,
• correspondence of the amount and nature of personal data, means and purposes of processing.
• sufficiency of data for the purposes of processing and inadmissibility of excessive data processing beyond the purposes of processing,
• notification of users of information systems about lawful and safe methods of personal data processing,
• accuracy, integrity, reliability and security of personal data in information systems,
• informing the data subject about the processing of his/her personal data and the significant consequences of such processing from the legal point of view, providing him/her with the possibility to influence the accuracy and integrity of these data.

6. Purpose of Personal Data Processing

Processing of personal data is carried out for the purpose of cooperation within the framework of concluded contracts, fulfillment of requirements of legislative acts, regulatory documents:

7. Consent of the data subject and rights of personal data subjects

1 The processing of personal data is lawful if:

• the data has been processed in accordance with the requirements of the law and the data subject has given his or her consent, except in cases expressly provided for by this law or other laws, or
• the processed data was obtained from publicly available sources of personal data.

2. The consent of the data subject shall be deemed to have been obtained and the organization shall be entitled to process it when:

• the personal data are indicated in a document addressed to the non-governmental organization and signed by the data subject, unless the document by its content constitutes an objection to the processing of personal data,
• The organization has obtained the data on the basis of a contract concluded with the data subject and uses them for the purposes of the actions defined in that contract,
• The data subject voluntarily communicates information about his/her personal data to the organization orally or in writing for the purposes of its use.

3. The data subject may give his or her consent in person or through a representative, if such authority is provided for in a power of attorney.

4. The consent of the data subject shall be given in writing or electronically with a verified electronic digital signature, or in the case of verbal consent, through credible actions that clearly indicate the data subject’s consent to the use of personal data.

5. Personal data may be processed without the data subject’s consent if the processing is expressly provided for by law.

6. The data subject has the right to receive information about the processing of his/her personal data, including information that will contain:

• confirmation of the fact of processing and the purpose of personal data processing,
• means of personal data processing,
• subjects to whom personal data have been or may be provided,
• list of processed personal data and sources of their obtaining,
• terms of personal data processing,
• possible legal consequences arising for the data subject as a result of personal data processing.

8. Confidentiality of Personal Data

Information about personal data that became known to the non-governmental organization is confidential information and is protected by law. the organization can provide this information only to the granting organization, if necessary. The employees of the organization and other persons who have access to the processed personal data have signed an obligation of non-disclosure of confidential information, as well as have been warned about possible disciplinary, administrative, civil and criminal liability in case of violation of norms and requirements of the current legislation of the Republic of Armenia in the field of personal data processing.

9. Final Regulations

1. This policy, as well as all amendments to it, shall be approved by the president of the non-governmental organization and shall enter into force in the non-governmental organization onecredit.am after publication on the website.

2. From the moment when further amendments to this Policy come into force, the previous versions of this Policy shall be deemed null and void.

3. If the provisions of this Policy contradict the legislation of the Republic of Armenia, the relevant provisions of the legislation of the Republic of Armenia shall apply.