Content

1. General Provisions

2. Principles of Processing Personal Data

3. Legal Grounds for Processing Personal Data

4. Transfer of Personal Data

5. Processing of Personal Data

6. Procedure for Processing Personal Data

7. General Measures for Protection of Personal Data

8. Responsibility for Data Protection Violation

9. Consent to Processing of Personal Data

1. General Provisions

1.1. This Policy defines the procedure for handling, protecting and processing personal data, established by the Operator of personal data:

FREEDOM Institute of Higher Education Limited who trade as FREEDOM WELLBEING INSTITUTE, 610 Victoria Street, Central Business District, Hamilton 3204, New Zealand

Appeals to the Operator on the processing and protection of Data may be sent to the e-mail address am@freedom-ihe.ac.nz

1.2. The regulation of handling personal data is intended to ensure observance of the legal rights and interests of the Operator, its employees, clients, contractors and third parties whereas it is necessary to obtain (collect), systematise (combine), process, store and transfer information that constitutes personal data.

1.3. The processing of personal data is carried out in accordance with the current legislation of Operator's country of residence, other applicable laws and regulations, as well as this Policy.

1.4. The Operator is entitled to enact other local regulations (hereinafter the LR) regulating the procedure for processing and protecting personal data by the Operator, its employees and authorised persons.

2. Principles of Processing Personal Data

2.1. This document uses the following general definitions:

Personal data — any information relating, directly or indirectly, to a specific or designated person (the subject of personal data).

Site — the Operator's Internet site is located at the domains freedom-ihe.ac.nz

Personal Data Information System (PDIS) — a set of personal data contained in databases of personal data and ensuring their processing by information technologies and technical means.

Processing of personal data— any action (operation) or a set of actions (operations) performed using automation means or without using such means with personal data, including collection, recording, systematisation, accumulation, storage, refinement (updating, modification), extraction, use, transfer (distribution, provision, access), cross-border transfer, depersonalisation, blocking, deletion, and destruction of personal data.

Distribution of personal data — actions aimed at disclosing personal data to an unspecified range of persons.

Provision of personal data — actions aimed at disclosing personal data to a specific person or a specific range of persons.

Blocking of personal data — temporary suspension of personal data processing (except where processing is necessary for personal data refinement).

Destruction of personal data — actions, as a result of which it becomes impossible to restore the content of personal data in the PDIS and (or) as a result of which material media of personal data are destroyed.

Depersonalisation of personal data — actions, as a result of which it becomes impossible to determine ownership of personal data to a specific person without using additional information.

2.2. The information received by the Operator may take both material and electronic form.

2.3. Processing of personal data shall be limited to achievement of specific, predetermined and lawful purposes. Processing of personal data incompatible with the purposes of personal data collection is not permitted.

2.4. Integration of databases containing personal data that are processed for purposes incompatible with each other is not permitted.

2.5. Only those personal data that answer the purposes of processing are subject to processing.

2.6. Content and volume of the processed personal data shall comply with the stated purposes of processing. The processed personal data shall not be redundant in relation to the stated purposes of their processing.

2.7. Storage of personal data shall be carried out in a form that allows to define the subject of personal data no longer than required by the purposes of personal data processing, unless the period for personal data storage is established by law or by contract, a party or beneficiary of which is the subject of personal data.

2.8. The processed personal data shall be destroyed or depersonalised upon achievement of the processing purposes or if the necessity to achieve these purposes is lost, unless otherwise provided by law.

2.9. If provision of personal data is mandatory according to law, the Operator shall explain legal effects of refusing to provide personal data to the subject of personal data.

3. Legal Grounds for Processing Personal Data

3.1. Information on the sources of personal data shall be specified in the provisions on individual PDIS.

3.1.1. The sources of personal data may be the subject of personal data, publicly available sources of personal data and other sources.

3.1.2. Processing of personal data, the source of which is not directly the subject of personal data, shall be carried out in strict compliance with the current legislation in the field of personal data protection.

3.1.3. When obtaining information on personal data from third parties, the Operator shall take all reasonable measures and receive representations and warranties from third parties providing information that processing of personal data by such parties is carried out in strict compliance with current legislation.

3.2. The Operator is not entitled to obtain and process personal data on race, nationality, political views, religious and philosophical beliefs, health condition, and intimate life of the subject of personal data, except where the subject of personal data has given his written consent to processing of the specified personal data, and in case such personal data are made available to public by the subject of personal data.

3.3. Processing of personal data is permitted only with the consent of the subject of personal data to process his personal data, or without such consent in the following cases:

a. Processing of personal data is necessary to achieve the purposes provided by law, to exercise and perform functions, powers and duties imposed on the Operator by current legislation;

b. Processing of personal data is necessary to perform the contract, a party or beneficiary of which is the subject of personal data, and to enter into the contract upon an initiative of the subject of personal data or the contract, a beneficiary of which will be the subject of personal data;

c. Processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties, provided that it does not violate the rights and freedoms of the subject of personal data;

d. Processing of personal data is carried out for statistical or other research purposes (except for processing of personal data in order to promote goods, works and services), subject to the mandatory depersonalisation of personal data;

e. Processing of personal data, access to which is provided to an unlimited range of persons by the subject of personal data or upon his request;

f. In other cases provided by Law.

3.4. The subject of personal data shall make decision on provision of his personal data and give consent to their processing freely, wilfully and voluntarily. Consent to processing personal data shall be specific, informed and explicit. Consent to processing personal data may be given by the subject of personal data or his representative in any form that allows to confirm the fact of its receipt, unless otherwise established by law.

3.5. Processing of personal data in order to promote goods, works and services through direct contacts with a potential consumer by means of communication is permitted only with the prior consent of the subject of personal data. The specified personal data processing shall be deemed carried out without the prior consent of the subject of personal data, unless the Operator proves that such consent has been obtained.

Upon request of the subject of personal data, the Operator shall immediately stop processing his personal data.

3.6. Consent to processing personal data may be withdrawn by the subject of personal data. In case the subject of personal data withdraws consent to processing personal data, the Operator is entitled to continue processing of personal data without the consent of the subject of personal data if there are grounds specified in Law.

4. Transfer of Personal Data

4.1. When transferring personal data, the Operator shall comply with the following requirements:

a) Communicate personal data of the subject of personal data for commercial purposes only with the consent of the subject of personal data.

b) Warn persons who have received personal data that this data can only be used for those purposes for which they are communicated, and demand from these persons representations that this rule is observed. Persons who have received personal data of the subject of personal data shall comply with the confidentiality policy.

c) Allow access to personal data of the subject of personal data only to specially authorised persons, and these persons shall be entitled to obtain only those personal data that are necessary to perform a particular function.

4.2. The Operator is entitled to instruct processing of personal data to another person subject to the contract concluded with this person.

4.2.1. A person who processes personal data under the Operator's instruction shall comply with the principles and rules for processing personal data provided by law.

4.2.2. The Operator's instruction shall determine the list of actions (operations) with personal data that will be performed by a person who processes the personal data and the purposes of processing, establish the duty of such person to maintain confidentiality of personal data and ensure security of personal data during their processing, as well as specify requirements for protection of the processed personal data.

4.3. A person who processes personal data under the Operator's instruction is not obliged to obtain the consent of the subject of personal data to processing his personal data.

4.4. If the Operator instructs processing of personal data to another person, the Operator shall be liable to the subject of personal data for the actions of the specified person. A person who processes personal data under the Operator's instruction shall be liable to the Operator.

5. Processing of Personal Data

5.1. The Operator shall take all necessary legal, organisational and technical measures or ensure that these measures are taken to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, and distribution of personal data, as well as against other illegal actions in relation to personal data.

5.1.1. Implementation of organisational and legal measures to protect personal data and establish the procedure for processing personal data by the Operator shall be carried out by a person authorised by the Operator's managing director.

5.1.2. Implementation of technical and other measures to protect personal data contained in individual PDIS shall be carried out by a person authorised by the Operator's managing director with the relevant order.

5.1.3. The list of persons who have the right of access to individual PDIS shall be established in the registers (lists) of persons who have the relevant access.

5.1.4. The right of access to personal data may also be provided to other persons listed in the register of persons who have access to personal data.

5.2. The procedure for storing material and electronic media of personal data and PDIS, as well as the list of the processed personal data and the purposes of processing personal data shall be established in the provisions on individual PDIS.

5.3. Processing of personal data shall be carried out in such a way that it is possible to determine locations of personal data storage for each category of personal data and to establish a list of persons who carry out processing of personal data and persons who have access to personal data.

5.4. The Operator shall keep lists of current local regulations and PDIS, lists of persons who are responsible for protection of personal data and persons who have access to PDIS, as well as other lists, where it is necessary to keep relevant records. Keeping of lists can be carried out in electronic form and/or on material media.

6. Procedure for Processing Personal Data

6.1. Processing of personal data contained in PDIS or extracted from such a system shall be considered implemented without using automation means (non-automated), if actions with personal data, such as use, refinement, distribution, destruction of personal data in relation to each of the subjects of personal data, are carried out with direct human involvement.

Processing of personal data cannot be deemed carried out using automation means solely on the ground that personal data is contained in PDIS or has been extracted from it.

6.2. When processing personal data, it is not permitted to record personal data on a single material medium of personal data, the processing purposes of which are obviously incompatible. A separate material medium shall be used for each category of personal data to process various categories of personal data.

If the purposes of processing personal data recorded on the same material medium are incompatible and the material medium does not allow to process personal data separately from other personal data recorded on the same medium, it is necessary to take measures to ensure separate processing of personal data.

6.3. Destruction and/or blocking of personal data can be carried out in any way that prevents further processing of these personal data, including by physically destroying material media and permanently deleting data from electronic media without the possibility of recovering such data.

Destruction and/or blocking of personal data shall be carried out by the person responsible for protection of the relevant PDIS.

6.4. Refinement of personal data shall be carried out by updating or modifying data on the relevant media. If such procedure is not allowed by technical characteristics of the medium, then refinement of personal data shall be carried out by recording information on modifications made on the same medium or by making a new medium with refined personal data.

6.5. When storing material media, it is necessary to observe conditions that ensure safety of personal data and prevent unauthorised access. The list of measures necessary to ensure such conditions, the procedure for their taking, as well as the list of persons responsible for implementation of these measures shall be established by the Operator.

7. General Measures for Protection of Personal Data

7.1. The composition and list of measures necessary and sufficient to ensure performance of the Operator's duties for protection of personal data include the following duties:

i. approval of the list of PDIS and appointment of persons responsible for the organisation of processing and protection of personal data;

ii. publication of documents defining the Operator's policy in relation to processing of personal data and issuing local regulations establishing the procedures aimed at preventing and detecting violations of law and eliminating effects of such violations;

iii. application of legal, organisational and technical measures to ensure security of personal data;

iv. implementation of internal control and (or) audit of the compliance of processing personal data with the Law and legal regulations enacted in accordance with it, requirements for protection of personal data, the Operator's policy in relation to processing of personal data, and the Operator's local regulations;

v. assessment of harm that may be caused to the subjects of personal data, the ratio of the specified harm to the measures taken to ensure performance of duties for protection of personal data;

vi. familiarisation and/or training of persons who directly carry out processing of personal data.

7.2. Ensuring security of personal data is achieved, in particular, by:

i. identifying threats to security of personal data when they are processed in personal data information systems;

ii. taking organisational and technical measures to ensure security of personal data when they are processed in personal data information systems necessary to meet the requirements for protection of personal data, execution of which ensures the levels of personal data protection;

iii. applying information security means that have passed the procedure for assessing compliance according to the established procedure;

iv. assessing effectiveness of the measures taken to ensure security of personal data prior to commissioning of the personal data information system;

v. registering computer media of personal data;

vi. detecting cases of unauthorised access to personal data and taking the relevant measures;

vii. restoring personal data modified or destroyed due to unauthorised access;

viii. establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and recording of all actions performed with personal data in the personal data information system;

ix. controlling the measures taken to ensure security of personal data and the level of security of the personal data information systems.

7.3. The Operator shall provide unrestricted access to the documents defining its policy in relation to processing of personal data and to information on the implemented requirements for protection of personal data by publishing such documents on the Site, at its location and/or otherwise.

8. Responsibility for Data Protection Violation

8.1. Persons guilty of violating the procedure for processing personal data are subject to disciplinary, administrative, civil or criminal liability in accordance with the current legislation.

8.2. The responsible person shall be liable for violating the procedure for processing personal data as provided by law and indemnify against damage caused by unlawful use of information containing personal data.

9. Consent to Processing of Personal Data

9.1. Use of Site implies full and unconditional consent of the user to the processing of his / her personal data by the Operator.

9.2. The legal basis for the processing of personal data is: the consent of the subject of personal data, the conclusion and execution of a contract.

9.3. List of personal data: name, phone number, e-mail address, country of residence.

9.4. Personal data is provided directly by the subject of personal data by sending information to the Operator's representative or by entering data on the Site. The collection of personal data is carried out automatically by the data entry on the Site or an employee of the Operator authorised for the collection of user data.

9.5. Processing of personal data is carried out for the following purposes: conclusion and execution of a contract, informing the subject about promotions and special offers, collection of marketing data, preparation of responses to incoming requests and receiving feedback; collection and analysis of information regarding the demand for services, research and analysis of data, statistical and other research based on depersonalised data, transfer of personal data of the subject to third parties for the purpose of concluding contracts, telephone notifications, SMS and e-mail newsletters.

9.6. Processing and storage of personal data is carried out until the achievement of the purposes of processing of personal data and/or until the withdrawal of the consent to processing of personal data by the subject of personal data.

9.7. The person responsible for the processing and protection of the ISPD is the head of the Operator, unless otherwise determined by an order for the appointment of another person.

9.8. Personal data shall be destroyed after the expiry of the processing period, as well as in other cases stipulated by the current legislation, by the person responsible for the protection and processing of the ISPD.

9.9. Consent applies to any action (operation) or a set of actions (operations) performed using automation or without the use of such means with the provided personal data, including the collection, recording, systematisation, accumulation, storage, clarification (update, change), extraction, use, distribution, transfer (including cross-border), depersonalisation, blocking, deletion, destruction of personal data.