Policy of LLC “BV-Kaluga” (Operator) regarding the processing of personal data received through the website.
1. General Provisions.
1.1 This document defines the policy of LLC “BV-Kaluga” (TIN 4025418446) (hereinafter referred to as the Operator, the Organization) with regard to the processing and confidentiality of personal data received through the website https://bwkaluga.ru/ (hereinafter referred to as the website) and its services.
1.2 The organization of personal data handling is aimed at ensuring the observance of the legitimate rights and interests of personal data subjects, their legal representatives and the Operator in connection with the need to receive (collect), record, systematize (combine), store, accumulate, clarify, transfer (distribute, provide, give access to), use, depersonalize, delete and destroy information constituting personal data of the site visitors.
1.3 This Policy is developed on the basis of the Constitution of the Russian Federation, the Code of the Russian Federation on Administrative Offenses, the Civil Code of the Russian Federation, the Criminal Code of the Russian Federation, the Federal Law of 27.07.2006 № 152-FZ “On Personal Data”, as well as other regulations containing norms governing the treatment of personal data.
1.4 The following concepts and definitions are used in the Policy:
personal data - any information relating directly or indirectly to a certain or definable natural person (subject of personal data) (clause 1 of Article 3 of the Federal Law dated 27.07.2006 N 152-FZ);
processing of personal data - any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data (clause 3, Article 3, Federal Law dated 27.07.2006 N 152-FZ);
provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons (Clause 6, Article 3, Federal Law dated 27.07.2006 N 152-FZ);
blocking of personal data - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data) (Clause 7, Article 3, Federal Law of 27.07.2006 N 152-FZ);
destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed (clause 8 of Article 3 of the Federal Law dated 27.07.2006 N 152-FZ);
depersonalization of personal data - actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular individual without using additional information (Clause 9, Article 3 of the Federal Law dated 27.07.2006 N 152-FZ);
information - information (messages, data) regardless of the form of its presentation;
website visitor (user) - a person who has access to the Operator's website or the website through which the services of the Operator or third parties are booked through the Operator via the Internet and uses the website;
personal data information system - an aggregate of personal data contained in databases and information technologies and technical means ensuring their processing;
personal data subject's consent to the processing of his/her personal data - a document posted for free access on the Operator's website at https://bwkaluga.ru/agreement, by agreeing to which the website visitor (user) gives consent to the Operator (LLC “BV-Kaluga”) to the processing of his/her personal data.
1.5 The Policy applies to all operations on the processing of Personal Data received through the Internet (via websites, services) performed by the Organization.
1.6 The Policy is mandatory for familiarization and execution by all employees of the Organization, persons admitted to the processing of personal data in the Organization, persons involved in the organization of processes of processing and ensuring the security of personal data in the Organization, and site visitors whose personal data are collected and processed by the Operator. This Policy shall be published on the pages of the Operator's website in the information and telecommunication network “Internet” for unrestricted access.
1.7 The Policy shall be updated in cases of:
- changes in the legislation of the Russian Federation on personal data;
- identification of inconsistencies affecting the processing and (or) protection of personal data, based on the results of control over the fulfillment of requirements for the processing and (or) protection of personal data;
- by decision of the Organization's management.
1.8 The Operator's basic rights:
- To carry out processing of personal data based on the consent of the subject of personal data.
- The Operator has the right to transfer personal data to the bodies of inquiry and investigation, other authorized bodies on the grounds stipulated by the current legislation.
- The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided for by federal law, on the basis of a contract concluded with this person.
- In case the personal data subject revokes his/her consent to the processing of personal data, the operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds established by the applicable law.
1.9 The main obligations of the Operator:
- Obtain the consent of the personal data subject to the processing of his/her personal data (except for available exceptions).
- When collecting personal data, the operator is obliged to provide the subject of personal data, upon his/her request, with the following information:
1) confirmation of the fact of personal data processing by the operator;
2) legal grounds and purposes of personal data processing;
3) the purposes and methods of personal data processing applied by the operator;
4) name and location of the operator, information about persons (except for the operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the operator or on the basis of federal law;
5) processed personal data related to the respective personal data subject, the source of their obtaining, unless another procedure for submission of such data is provided for by the federal law;
6) the terms of personal data processing, including the terms of their storage;
7) the procedure for exercising by the subject of personal data of the rights provided for by this Federal Law;
8) information on the realized or supposed trans-border transfer of data;
9) the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the operator, if the processing is or will be entrusted to such a person;
- The operator shall immediately stop processing of personal data at the request of the subject of personal data.
- The Operator shall explain to the subject of personal data the legal consequences of refusal to provide his/her personal data and (or) give consent to their processing, if obtaining such consent is mandatory.
- If personal data is not received from the subject of personal data, the Operator, except for cases provided for by law, prior to the start of processing of such personal data shall provide the subject of personal data with information, the list of which is established by Federal Law 152-FZ of 27.07.2006 “On Personal Data”.
- When collecting personal data, including via information and telecommunication network “Internet”, the Operator is obliged to ensure recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases defined by the legislation.
- The Operator shall be obliged to take measures necessary and sufficient to ensure fulfillment of obligations stipulated by this Federal Law and regulatory legal acts adopted in accordance with it. The Operator shall independently determine the composition and list of measures necessary and sufficient to ensure fulfillment of obligations stipulated by this Federal Law and regulatory legal acts adopted in accordance with it, unless otherwise provided for by this Federal Law or other federal laws.
- The Operator shall be obliged to publish or otherwise provide unrestricted access to the document defining its policy on personal data processing.
- The operator is obliged to explain to the personal data subject the procedure for making a decision on the basis of exclusively automated processing of his/her personal data and possible legal consequences of such a decision, to provide an opportunity to object to such a decision, as well as to explain the procedure for protection by the personal data subject of his/her rights and legitimate interests.
- If the operator carries out trans-border transfer of personal data, the operator is obliged to make sure that the foreign state, on whose territory the transfer of personal data is carried out, provides adequate protection of the rights of personal data subjects, before the beginning of trans-border transfer of personal data.
- The operator is obliged to comply with the rules and terms of consideration of requests and appeals of the personal data subject or his/her representative, as well as of the authorized body for the protection of the rights of personal data subjects, established by the legislation and this Regulation.
- The operator is obliged to provide free of charge to the personal data subject or his/her representative the opportunity to familiarize with personal data related to this personal data subject.
1.10. Personal data is collected by the User filling in the forms on the website (write a letter to the General Director, write to us, book a room, etc.).
1.11. Personal data obtained through the site is not subject to distribution.
1.12. Basic rights of the personal data subject:
- To withdraw previously given consent to the processing of personal data.
- Has the right to demand from the Operator to clarify his/her personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his/her rights.
- The subject of personal data has the right to receive information regarding the processing of his/her personal data (the right of the subject of personal data to access his/her personal data may be restricted in accordance with federal laws).
- The subject of personal data has the right to protection of his/her rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
1.13. Main obligations of the subject of personal data:
- To transfer to the Operator a set of reliable personal data;
- To inform the Operator in a timely manner about changes in his/her personal data.
2. Purposes of processing, legal basis, scope and categories of processed personal data, categories of personal data subjects.
2.1 Purpose of personal data processing: reservation of services of the Operator or its partners and payment.
Category of personal data subjects: site visitors (natural persons) - customers making reservations through the site.
Category of personal data: general.
List of personal data: full name, phone number, e-mail address, citizenship, bank card details (when paying for a booking made through the site).
Legal basis for processing of personal data: consent of the subject of personal data to the processing of his/her personal data, norms of the current legislation.
2.2 Purpose of personal data processing: promotion of works, services (including sending advertising materials to the visitor, providing the user with access to personalized resources of the site, creating a user account).
Category of personal data subjects: site visitors.
Category of personal data: general.
List of personal data: full name, telephone number, e-mail address, IP address.
Legal basis for the processing of personal data: consent of the subject of personal data to the processing of his personal data, the norms of current legislation.
2.3 Purpose of personal data processing: consulting.
Category of personal data subjects: clients, site visitors.
Category of personal data: general.
List of personal data: name, telephone number, e-mail address.
Legal basis of personal data processing: consent of the subject of personal data to the processing of his/her personal data, norms of the current legislation.
2.4 Purpose of personal data processing: optimization and improvement of the Organization's website (by tracking traffic).
Categories of personal data subjects: visitors of the Organization's website.
Categories of personal data: general.
List of personal data: IP-address, cookie files.
Legal basis of personal data processing: consent of the subject of personal data to the processing of his/her personal data.
2.5 Purpose of personal data processing: establishment of feedback with the client/potential client, collection of questions and suggestions on the work of the Organization, collection of feedback on the work of the Organization (also with the help of third parties).
Categories of personal data subjects: visitors of the Organization's website.
Categories of personal data: general.
List of personal data: Full name, e-mail address.
Legal basis of personal data processing: consent of the subject of personal data to the processing of his/her personal data.
2.6 Purpose of personal data processing: ordering other services of the Operator (ordering transfer, ordering excursion, visa support), providing access to websites and services of the Operator's partners in order to receive products, updates and services.
Category of personal data subjects: site visitors (individuals) - customers.
Category of personal data: general.
List of personal data: name, telephone number, e-mail address.
Legal basis for the processing of personal data: consent of the subject of personal data to the processing of his personal data.
2.7 Purpose of processing of personal data provided by the site visitor, information from the Yandex Metrica service (terms of use - https://yandex.ru/legal/metrica_termsofuse/), IP address, information about cookies, information about the browser, referrer (address of the previous page): statistical and other research, collection of statistics about visitors' IP addresses in order to identify and solve technical problems,
2.8 The terms of personal data processing are determined taking into account:
- the established purposes of personal data processing;
- terms of validity of contracts with personal data subjects and/or consent of personal data subjects to the processing of their personal data;
- terms determined by the regulatory legal acts of the Russian Federation.
3. Procedure and conditions of personal data processing.
3.1 The Organization processes personal data on a lawful and fair basis, including in personal data information systems with or without the use of automation tools. At the same time, the requirements for automated and non-automated processing of personal data stipulated by the current legislation are met.
3.2 When processing personal data, their accuracy, sufficiency, relevance to the purposes of personal data processing are ensured.
3.3 The Operator does not verify the personal data provided by the user. The operator assumes that the person using the site is legally capable or the consent to the processing of personal data is provided by his/her legal representative.
3.4 For personal data that are automatically transferred to the Operator in the course of any use of the site by the software installed on the user's device, the user is considered to have provided consent to the processing of his/her personal data from the moment of using the site.
3.5 The Operator does not carry out cross-border transfer of personal data.
3.6 The Operator performs the actions of personal data processing listed in subparagraph 2 of paragraph 1.4 of this Policy.
3.7. The user's consent to the processing of his/her personal data by the Operator is valid from the date of giving such consent. Termination of personal data processing is carried out on the following grounds (taking into account the legislation on archiving):
- achievement of the purposes of personal data processing;
- expiration of the consent period or revocation of the personal data subject's consent to the processing of his/her personal data;
- detection of unlawful processing of personal data.
3.8 Storage of users' personal data is carried out on electronic media. When processing personal data for the purpose of fulfillment of obligations under agreements (contracts), the Operator may retrieve personal data and store them on material carriers.
3.9 When storing personal data, the Operator uses databases located in the territory of the Russian Federation.
3.10. When storing personal data, the Operator takes certain security measures limiting access to personal data:
- limiting access to the premises where personal data is stored;
- storage of personal data in locked cabinets, safes;
- defining the circle of persons having access to personal data;
- use of passwords for access to information systems of personal data storage.
3.11. The Operator shall take measures necessary and sufficient to ensure the fulfillment of its obligations under the current legislation:
- a person responsible for the organization of personal data processing is appointed;
- local acts on personal data processing are issued;
- legal, organizational and technical measures are taken to ensure personal data (identification of threats to personal data security during their processing in personal data information systems; accounting of personal data carriers; detection of unauthorized access to personal data and taking measures to detect, prevent and eliminate the consequences of computer attacks; establishment of rules of access to personal data, ensuring registration and accounting of actions performed with personal data; con
- internal control over compliance of personal data processing with the current legislation on personal data protection issues.
4. Measures to ensure confidentiality.
4.1 The Operator takes the necessary legal, organizational and technical measures or ensures their adoption to protect the received personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as other unlawful actions with it by third parties.
4.2 This Policy applies only to the Organization's services. The Organization does not control and is not responsible for third party websites, to which the user can go via links available on the Organization's sections, including as a result of a search.
4.3 The Operator does not disclose or distribute personal data to third parties, except for the following cases:
- the subject of personal data has expressed his/her consent to such disclosure in advance;
- transfer (provision) is necessary for the execution of an agreement to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of an agreement at the initiative of the personal data subject or an agreement under which he/she will be a beneficiary;
- the transfer (provision) is necessary to protect the rights and legitimate interests of the Organization or third parties;
- the transfer is initiated by the subject of personal data;
- transfer (provision) is necessary to comply with the applicable legislation and is stipulated in regulatory legal acts.
4.4 The personal data shall be kept confidential, except for the cases when the subject of personal data voluntarily provides the data for public access to an unlimited number of persons, as well as in cases when the Operator fulfills the obligations imposed on it by the current legislation.
5. Actualization, correction, deletion and destruction of personal data, responses to the subjects' requests for access to personal data.
5.1 Upon request of a personal data subject or his/her representative, the Operator shall, within ten working days from the date of receipt of the request, provide information on the availability of personal data related to the respective personal data subject, as well as provide an opportunity to familiarize with such personal data. The said term may be extended, but not more than for five working days in case the Operator sends to the address of the personal data subject a motivated notification indicating the reasons for extending the term for providing the requested information.
5.2 Within a period not exceeding seven working days from the date of submission by the personal data subject or his/her representative of information confirming that the personal data are incomplete, inaccurate or irrelevant, the Operator shall make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the subject of personal data or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the operator shall destroy such personal data. The operator is obliged to notify the personal data subject or his/her representative of the changes made and the measures taken.
5.3 The Operator is obliged to provide the authorized body for the protection of the rights of personal data subjects (Roskomnadzor), at the request of this body, with the necessary information within ten working days from the date of receipt of such a request. This term may be extended, but not more than for five working days in case the Operator sends a motivated notice to the authorized body for the protection of the rights of personal data subjects, indicating the reasons for extending the term for providing the requested information.
5.4 In case of detection of unlawful processing of personal data, the Operator shall block the unlawfully processed personal data for the period of verification.
In case of detection of inaccurate personal data, the Operator is obliged to block personal data related to this personal data subject for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
5.5 If the fact of inaccuracy of personal data is confirmed, the Operator shall clarify the personal data within seven working days from the date of submission of such information and lift the blocking of personal data.
5.6 In case of detection of unlawful processing of personal data, the Operator is obliged to stop unlawful processing of personal data within a period not exceeding three working days from the date of such detection. If it is impossible to ensure the lawfulness of personal data processing, the Operator shall, within a period not exceeding ten working days from the date of detection of unlawful processing of personal data, destroy such personal data or ensure their destruction. The Operator is obliged to notify the personal data subject or his/her representative about elimination of the admitted violations or destruction of personal data and, where the appeal of the personal data subject or his/her representative, or the request of the authorized body for protection of the rights of personal data subjects, was sent by the authorized body for protection of the rights of personal data subjects, to notify the said body as well.
5.7 In case of establishing the fact of unlawful or accidental transfer (provision, dissemination, access) of personal data resulting in violation of the rights of personal data subjects, the Operator shall notify the authorized body for the protection of the rights of personal data subjects (Roskomnadzor) from the moment of detection of such incident:
- within twenty-four hours about the incident, about the alleged causes that led to the violation of the rights of personal data subjects and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the relevant incident, as well as to provide information about the person authorized by the Operator to interact with the authorized body for the protection of the rights of personal data subjects on issues related to the identified incident;
- within seventy-two hours on the results of the internal investigation of the identified incident, as well as to provide information on the persons whose actions caused the identified incident (if any).
5.8 If the purpose of personal data processing is achieved, the Operator shall stop processing personal data and destroy the personal data within a period not exceeding thirty days from the date when the purpose of personal data processing is achieved, unless otherwise provided for by the contract to which the personal data subject is a party, beneficiary or guarantor, or by any other agreement between the Operator and the personal data subject, or if the Operator is not entitled to process personal data without the consent of the personal data subject.
5.9. In case the subject of personal data withdraws his/her consent to the processing of his/her personal data, the Operator shall cease the processing of personal data and, if the preservation of personal data is no longer required for the purposes of personal data processing, destroy the personal data within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided for or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by applicable law.
5.10. In case the subject of personal data requests to stop processing of personal data, the Operator shall, within a period not exceeding ten working days from the date of receipt of the relevant request, stop processing of personal data, except as provided for by applicable law.
5.11. If it is not possible to destroy personal data within the established terms, the Operator shall block such personal data and ensure destruction of personal data within a period not exceeding six months, unless another term is established by federal laws.
5.12. In case of a request of a personal data subject to stop dissemination of personal data, the Operator shall stop transfer (dissemination, provision, access) of personal data within three business days from the moment of receipt of such request or within the term specified in a court decision that has entered into legal force, and if such term is not specified in the court decision, then within three business days from the moment the court decision enters into legal force.
6. Final provisions.
6.1 This Policy may be changed at the initiative of the Operator. The new version shall be posted on the Operator's website for familiarization by an indefinite number of persons. From the date of posting on the website the Policy is considered to be in force.
6.2 The User is obliged to familiarize himself with the text of the Policy every time he uses the website.
6.3 Continued use of the site or its services after the publication of a new version of the Policy means acceptance of the Policy and its terms by the User. In case of disagreement with the terms of the Policy, the User shall immediately stop using the site and its services.