Personal Data Processing Policy
1. Introduction
1.1. This document defines the personal data processing policy (hereinafter the PD) of Vivat International Trading L.L.C. (hereinafter the Company).
1.2. The Company is a PD operator in accordance with the laws of the Russian Federation on PD.
1.3. This Policy has been developed in accordance with the current legislation of the Russian Federation on PD:
· Federal Law of the Russian Federation No.152-FZ “On Personal Data” dated 27.07.2006 (hereinafter the 152-FZ, the Federal Law “On Personal Data”), which establishes the basic principles and conditions for PD processing, rights, duties and responsibilities of the participants in the relationship associated with the PD processing;
· Decree of the Government of the Russian Federation No.1119 “On Approval of the Requirements for the Protection of Personal Data While Processing in the Personal Data Information Systems” dated 01.11.2012;
· Decree of the Government of the Russian Federation No.687 “On Approval of the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Means” dated 15.09.2008.
1.4. The operation of this Policy applies to any action (operation) or set of actions (operations) performed using or without using automation means for PD, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction of PD.
1.5. This Policy is subject to revision and, if necessary, updating if changes are made in the legislation of the Russian Federation on PD.
2. Principles and Objectives of PD Processing
PD processing is carried out on the basis of the following principles:
1. PD processing is carried out on a legal and fair basis;
2. PD processing is limited to the achievement of specific, pre-defined and legitimate purposes;
3. PD processing incompatible with the objectives of PD collecting is not allowed;
4. It is not allowed to combine databases containing PD, processing of which is carried out for purposes incompatible with each other;
5. The content and volume of processed PD correspond to the stated processing objectives. The processed PD is not redundant in relation to the stated processing objectives;
6. When processing PD, the accuracy and adequacy of the PD is ensured, if necessary, and the relevance of the PD in relation to the stated processing objectives;
7. PD storage is carried out in a form that allows identifying a PD subject no longer than the PD processing objectives require, if the PD storage period is not established by a federal law, an agreement, a party, a beneficiary or a guarantor to which is a PD subject;
8. The processed PD is subject to destruction or depersonalization upon achievement of processing objectives or in case of the loss of the need to achieve these objectives, unless otherwise provided by federal law.
The objectives of PD processing are
1. marketing actions, promotion of products and services, evaluating the quality of customer service;
2. conclusion, execution and termination of civil law contracts with individuals, legal and other persons;
3. notification of a PD subject about winning the competition and winning prizes;
4. dispatch to a PD subject of news and information about the Company’s actions, novelties and services;
5. personalization of the site based on the search history and views of a PD subject;
6. to contact our employees with a PD subject for consultations on the services and products offered by the Company;
7. issuance of commercial offers, invoices, conclusion of contracts for the provision of services and/or sale of products;
8. for other purposes not prohibited by applicable law.
3. Conditions for PD Processing
3.1. PD processing is carried out in compliance with the principles and rules established by the Federal Law “On Personal Data”. PD processing is carried out in the following cases:
1. PD processing is carried out with the consent of a PD subject to process his/her PD;
2. PD processing is necessary to achieve the objectives stipulated by the international treaty of the Russian Federation or the law for the implementation and performance of functions, powers and duties imposed by the legislation of the Russian Federation on the operator;
3. PD processing is necessary for the performance of a contract, a party, a beneficiary or a guarantor to which is a PD subject, as well as for the conclusion of a contract on the initiative of a PD subject or a contract whereby a PD subject will be a beneficiary or a guarantor;
4. PD processing is necessary to protect the life, health or other vital interests of a PD subject if obtaining the consent of a PD subject is impossible;
5. PD processing is necessary for the implementation of the rights and legitimate interests of the operator or third parties or for achieving socially significant goals, provided that the rights and freedoms of a PD subject are not violated;
6. PD processing is carried out for statistical or other research purposes, subject to obligatory PD depersonalization. An exception is the PD processing in order to promote products, works, services on the market by making direct contacts with a potential consumer by means of communication;
7. PD processing access to which for an unlimited number of persons is provided by or at the request of a PD subject.
3.2. The Company may include PD subjects in the PD public sources, and the Company obtains a written consent of a PD subject for processing.
3.3. The Company can process data on the health status of a PD subject in the following cases:
1. in accordance with the legislation on state social assistance, labor legislation, the legislation of the Russian Federation on pensions for state pensions, on labor pensions;
2. in order to protect the life, health or other vital interests of an employee or to protect the life, health or other vital interests of others; and obtaining the consent of a PD subject is impossible;
3. in order to establish or exercise the rights of an employee or third parties, as well as in connection with the implementation of justice;
4. in accordance with the legislation on compulsory types of insurance, with insurance legislation.
3.4. The decisions causing legal consequences with respect to a PD subject or otherwise affecting his/her rights and legitimate interests, which are based on an exclusively automated PD processing, are not adopted.
3.5. The Company may carry out PD processing on behalf of the operator on the basis of an agreement between the Company and the operator.
3.6. In the absence of a written consent of a subject to the processing of his/her PD, the subject’s consent may be given by a PD subject or his/her representative in any form that allows obtaining the fact of its receipt.
3.7. When assigning the PD processing to another person, the Company enters into a contract (hereinafter the operator’s instruction) with this person and obtains the consent of a PD subject, unless otherwise provided by federal law. At the same time, in the operator’s instruction the Company obliges the person carrying out the PD processing on behalf of the Company to observe the principles and rules for PD processing, as provided for by the Federal Law “On Personal Data”.
3.8. In cases where the Company assigns the PD processing to another person, the Company is liable for the actions of the specified person to a PD subject. A person carrying out the PD processing on behalf of the Company is liable to the Company.
3.9. The Company undertakes and obliges other persons who have access to the PD not to disclose to third parties or distribute PD without the consent of a PD subject, unless otherwise provided by federal law.
3.10. When completing a feedback form on the Company’s website, it is understood that a PD subject has given his/her consent to the processing of personal data provided by him/her.
4. Obligations of the Company
In accordance with the requirements of the Federal Law No.152-FZ “On Personal Data”, the Company shall:
1. provide a PDD subject, at his/her request, with information regarding the processing of his/her PD, or on a lawful basis provide a refusal within thirty days from the date of receipt of the request of a PD subject or his/her representative;
2. at the request of a PD subject, clarify, block or delete the processed PD, if PD is incomplete, obsolete, inaccurate, illegally received or is not required for the stated processing objectives within a period not exceeding seven business days from the date a PD subject or his/her representative submits the information confirming these facts;
3. keep a Log of Appeals of PD Subjects recording the requests of the PD subjects for receiving the PD, as well as the facts of the provision of PD at these requests;
4. notify a PD subject about the PD processing in the event that the PD has been received not from the PD subject. The following cases are an exception:
· PD subject has been notified of the PD processing by the Company;
· PD has been received by the Company in connection with the performance of a contract, a party, a beneficiary or a guarantor to which is a PD subject, or on the basis of a federal law;
· PD has been made public or obtained from a public source;
· the Company carries out PD processing for statistical or other research purposes, if the rights and legitimate interests of a PD subject are not violated;
· a PD subject has been provided with the information contained in a PDD Processing Notice, which has violated the rights and legitimate interests of third parties;
5. in the event that a PD processing objective has been achieved, immediately stop PD processing and destroy the relevant PD within a period not exceeding thirty days from the date the PD processing objective has been achieved, unless otherwise provided by a contract, a party, a beneficiary or a guarantor to which is a PD subject, by another agreement between the Company and a PD subject, or if the Company is not entitled to process the PD without the consent of a PD subject on the grounds provided by Federal Law No.152-FZ “On Personal Data”, or other federal laws;
6. in the event that the a PD subject withdraws his/her consent to the PD processing, stop PD processing and destroy the PD within a period not exceeding thirty days from the date of the said withdrawal, unless otherwise provided by an agreement between the Company and the PD subject. The Company shall notify the PD subject on the destruction of PD;
7. in case of receipt of a request from a PD subject to stop processing of the PD received for the purpose of promoting products, works, services on the market, immediately stop processing PD.
5. Measures to Ensure the Safety of PD During Its Processing
5.1. When processing PD, the Company applies the necessary legal, organizational and technical measures to protect the PD from unauthorized or accidental access thereto, destruction, modification, blocking, copying, provision, dissemination of PD, and other illegal actions against PD.
5.2. The safety of the PD is achieved by the following measures:
1. identification of threats to the safety of PD when processing the same using PD information systems;
2. implementation of organizational and technical measures to ensure the safety of PD when processing the same using PD information systems required to fulfill the requirements for PD protection, the implementation of which is ensured by the levels of protection of the PD established by the Government of the Russian Federation;
3. application of procedures duly assessed in terms of the compliance of information protection means;
4. evaluation of the effectiveness of the measures taken to ensure the safety of the PD before the commissioning of a PD information system;
5. registration of PD computer carriers;
6. detecting the facts of unauthorized access to PD and taking measures;
7. restoration of PD modified or destroyed due to unauthorized access thereto;
8. establishment of rules for accessing PD processed using a PD information system, as well as ensuring the registration and recording of all actions performed with the PD in the PD information system;
9. control over the measures taken to ensure the safety of the PD and the level of protection of PD information systems.
6. Rights of a PD subject
In accordance with the Federal Law “On Personal Data”, a PD subject has the right to:
1. obtain information concerning the PD processing by the Company, namely:
· confirmation of the fact of PD processing by the Company;
· legal grounds and objectives for the PD processing by the Company;
· Company’s PD processing methods;
· name and location of the Company, information on persons (except for the Company’s employees) who have access to the PD or who can be disclosed the PD on the basis of a contract with the operator or on the basis of a federal law;
· processed PD related to the corresponding PD subject, the source of its receipt, if another procedure for the submission of such data is not provided for by federal law;
· terms of the PD processing by the Company, including the terms of its storage;
· procedure for a PD subject to exercise the rights provided for by Federal Law “On Personal Data”;
· information on the transboundary data transfer being or planned to be performed;
· name or surname, firs name, patronymic and address of a person carrying out the PD processing on behalf of the Company, if the processing is or will be entrusted to such person;
· other information provided for by Federal Law “On Personal Data” or other federal laws;
2. require the Company to clarify his/her PD, block or destroy the same if the PD is incomplete, obsolete, inaccurate, illegally obtained or not required for the stated processing objectives;
3. withdraw consent to the PD processing in cases provided for by law.
7. Exercising Rights
7.1. A PD subject may apply to the operator for the purposes of exercising his/her rights established by Federal Law “On Personal Data” in writing in the prescribed form upon a personal visit to the Company by the PD subject or his/her representative. (Hereinafter, the PD subjects are both a PD subject himself/herself and his/her legal representative: a parent, guardian, trustee and other persons whose powers are established by Federal Law No.152-FZ or by another law of the Russian Federation).
7.2. An application form is issued to a PD subject or his/her representative by an employee of the Company and is filled out by the PD subject or his/her representative under a handwritten signature in the presence of the said employee.
7.3. After receiving an application in accordance with the prescribed form, an employee of the Company shall verify the information on the main document certifying the identity of a PD subject, the grounds on which the person acts as a representative of a PD subject, and the original documents presented while applying.
7.4. A response to an application is sent to a PD subject in writing by mail to the address specified in the application.
7.5. The deadline for the formation and the transfer of a response to the post office for sending cannot exceed thirty days from the date of receipt by the operator of an application.
7.6. The term for making the necessary changes to the PD that is incomplete, inaccurate or irrelevant cannot exceed seven business days from the day a PD subject or his/her representative submits information confirming that the PD is incomplete, inaccurate or irrelevant.
7.7. The deadline for the destruction of PD that is illegally received or not required for the stated processing objectives cannot exceed seven business days from the date a PD subject or his/her representative submits information confirming that the PD is illegally obtained or not required for the stated processing objectives.
8. Limitations of the Rights of PD Subjects
8.1. The right of a PD subject to access to his/her PD is limited in the event that the provision of the PD violates the rights and legitimate interests of others.
8.2. In the event that the information regarding the PD processing, as well as the PD being processed, has been made available to a PD subject at his/her request, the PD subject has the right to send a second request in order to obtain information regarding the PD processing and to review himself/herself such PD not earlier than thirty days after sending the first request, if a shorter period is not established by federal law, normative legal act adopted in accordance therewith, or contract, a party, a beneficiary or a guarantor to which is a PD subject.
8.3. A PD subject has the right to send the Company a second request in order to obtain information regarding the PD processing and for the purpose of reviewing the processed PD before the expiration of the period specified in p. 8.2, if such information and/or processed PD has not been provided to him/her after the complete consideration of the first request. The second request shall contain a justification thereof.
8.4. The Company has the right to refuse to a PD subject in the fulfillment of a second request that does not meet the conditions stipulated in sp. 8.2 and 8.3.