1. General Provisions
1.1. The policy regarding the processing of personal data by PRESTIGE LLC (hereinafter referred to as the "Regulations") has been developed in pursuance of the regulatory legal acts of the Russian Federation, including, but not limited to, the Constitution of the Russian Federation, Federal Law of 27.07.2006 N 149-FZ "On information, information technology and information protection ", Federal Law of 27.07.2006 N 152-FZ" On Personal Data ", Decree of the Government of the Russian Federation of 15.09.2008 N 687" On approval of the Regulation on the specifics of processing personal data carried out without using funds automation ", Decree of the Government of the Russian Federation of 01.11.2012 N 1119" On approval of requirements for the protection of personal data during their processing in personal data information systems. "
1.2. This Policy defines the policy of the Limited Liability Company "PRESTIGE" (LLC "PRESTIGE"), OGRN: 1117746724193, 125480, Moscow, st. Vilisa Latsisa, building 5 building 1,off.VIII (hereinafter - the Operator) in relation to the processing of personal data and is Publicly available document.
1.3. The requirements of this Regulation are mandatory for all employees of the Operator who have gained access to personal data.
1.4. Terms and Definitions:
1.4.1. Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);
1.4.2.Operator of personal data (operator) - a state body, municipal body, legal entity or individual, independently or together with other persons organizing and (or) processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
1.4.3. Personal data processing is any action (operation) or a set of actions (operations) with personal data performed with the use of automation tools or without their use. The processing of personal data includes, inter alia: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
1.4.4. Automated processing of personal data - processing of personal data using computer technology;
1.4.5. Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
1.4.6. Provision of personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons;
1.4.7. Blocking of personal data - temporary termination of the processing of personal data (except for cases where processing is necessary to clarify personal data);
1.4.8. Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
1.4.9. Depersonalization of personal data - actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without using additional information;
1.4.10. Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing;
1.4.11. Cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual or a foreign legal entity.
1.5. The subjects of personal data include, but are not limited to:
1.5.1. Clients and counterparties of the Operator (individuals);
1.5.2. Representatives / employees of the operator's clients and counterparties (legal entities).
2. General principles and conditions for the processing of personal data
2.1. The operator carries out the processing of personal subjects specified in clause 1.5 of these Regulations.
2.2. The processing is carried out in order to perform the functions defined by the laws and other regulatory legal acts of the Russian Federation, as well as in the framework of the activities defined in the internal documents of the Operator.
2.3.When processing personal data, the Operator is guided by the following principles and conditions:
2.3.1. The processing of personal data must be carried out on a legal and fair basis;
2.3.2. The processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data, except for the cases specified in Part 1 of Article 6 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data";
2.3.3. Processing of special categories of personal data is carried out in the cases provided for by part 2 of article 10 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data";
2.3.4. The operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person, including a state or municipal contract, or by adopting an appropriate act by a state or municipal body (hereinafter referred to as the instruction Operator). A person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data provided for by the provisions of Federal Law No. 152-FZ of 27.07.2006 "On Personal Data". The Operator's order must define a list of actions (operations) with personal data that will be performed by the person processing personal data, and the purposes of processing, the obligation of such a person to maintain the confidentiality of personal data and ensure the safety of personal data during their processing must be established, specify the requirements for the protection of processed personal data in accordance with Article 19 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data";
2.3.5. The processing of personal data should be limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
2.3.6. It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
2.3.7.Only personal data that meet the purposes of their processing is subject to processing;
2.3.8. The content and volume of processed personal data must comply with the stated processing objectives. The processed personal data should not be redundant in relation to the stated purposes of their processing;
2.3.9. When processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of processing personal data must be ensured. The operator must take the necessary measures or ensure that they are taken to delete or clarify incomplete or inaccurate data;
2.3.10. The storage of personal data should be carried out in a form that makes it possible to determine the subject of personal data, no longer than the purpose of processing personal data requires, if the storage period for personal data is not established by federal law, an agreement, a party to which, the beneficiary or guarantor to which the subject of personal data is ... The processed personal data are subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law;
2.4. The operator independently determines the content, volume, purposes of processing and storage periods of personal data.
2.5. The documents adopted by the Operator defining the Operator's policy regarding the processing of personal data, local regulations on the processing of personal data, as well as local regulations establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations are communicated to the Operator's employees at parts concerning them.
3. Purposes of processing personal data
3.1. The processing of personal data is carried out in order to:
3.1.1. Conclusion and implementation of contracts with clients and contractors;
3.1.2. Informing customers about new products, special promotions and offers;
3.1.3. Registration of discount cards.
4. Categories of processed personal data by subjects, sources of their receipt, terms of processing and storage of personal data
4.1. The operator processes the following categories of personal data:
4.1.1. Personal employees of the counterparty: Surname; name; patronymic; E-mail address; contact phone number.
4.1.2. Counterparty's clients' personal data: Surname; name; patronymic; E-mail address; contact phone number.
4.2. Personal data is processed and stored until:
- achievement or loss in the need to achieve the goals of processing personal data;
- Liquidation or reorganization of the Operator.
5. Information about third parties involved in the processing of personal data
5.1. In order to comply with the legislation of the Russian Federation, as well as with the consent of the subjects of personal data, in order to achieve the purposes of processing, the Operator, in the course of its activities, provides personal data to third parties:
5.1.1. Personal data of partners-individuals for the delivery of orders to courier services.
6. Rights and obligations of the Operator of personal data
6.1. The operator is obliged to immediately stop, at the request of the subject of personal data, the processing of his personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means.
6.2. The operator is obliged to explain to the subject of personal data the procedure for making a decision on the basis of exclusively automated processing of his personal data and the possible legal consequences of such a decision, to provide an opportunity to object to such a decision, and also to explain the procedure for the subject of personal data to protect his rights and legitimate interests.
6.3. The operator is obliged to consider an objection against a decision on the basis of exclusively automated processing of the personal data of the subject of personal data, within thirty days from the date of its receipt and notify the subject of personal data about the results of considering such an objection.
6.4. When collecting personal data, the Operator is obliged to provide the subject of personal data, at his request, with the information provided for by the provisions of the current legislation.
6.5. If the provision of personal data is mandatory in accordance with federal law, the Operator is obliged to explain to the subject of personal data the legal consequences of refusing to provide his personal data.
6.6. The operator is obliged to provide, free of charge, to the subject of personal data or his representative the opportunity to familiarize himself with the personal data relating to this subject of personal data. Within a period not exceeding seven working days from the date the personal data subject or his representative provides information confirming that the personal data is incomplete, inaccurate or irrelevant, the Operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date the subject of personal data or his representative submits information confirming that such personal data is illegally obtained or is not necessary for the stated purpose of processing, the Operator is obliged to destroy such personal data. The operator is obliged to notify the subject of personal data or his representative about the changes made and the measures taken and take reasonable measures to notify third parties to whom the personal data of this subject was transferred.
6.7. The operator is obliged to inform the authorized body for the protection of the rights of subjects of personal data, at the request of this body, the necessary information within thirty days from the date of receipt of such a request.
6.8. In the event that unlawful processing of personal data is revealed when the subject of personal data or his representative contacts or at the request of the subject of personal data or his representative or an authorized body for the protection of the rights of subjects of personal data, the Operator is obliged to block the unlawfully processed personal data relating to this subject of personal data, or ensure their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) from the moment of such an appeal or receipt of the specified request for the verification period. In case of revealing inaccurate personal data when the subject of personal data or his representative applies, or at their request or at the request of the authorized body for the protection of the rights of personal data subjects, the Operator is obliged to block personal data related to this personal data subject, or to ensure their blocking (if processing personal data is carried out by another person acting on behalf of the Operator) from the moment of such an appeal or receipt of the specified request for the verification period, if the blocking of personal data does not violate the rights and legitimate interests of the subject of personal data or third parties.
6.9. In case of confirmation of the fact of inaccuracy of personal data, the Operator on the basis of information provided by the subject of personal data or his representative or an authorized body for the protection of the rights of subjects of personal data, or other necessary documents, is obliged to clarify the personal data or ensure their clarification (if the processing of personal data is carried out by another person, acting on behalf of the Operator) within seven working days from the date of submission of such information and remove the blocking of personal data.
6.10. In case of revealing illegal processing of personal data carried out by the Operator or a person acting on behalf of the Operator, the Operator, within a period not exceeding three working days from the date of this identification, is obliged to stop the illegal processing of personal data or to ensure that the illegal processing of personal data by the person acting on behalf of Operator. If it is impossible to ensure the legality of the processing of personal data, the Operator, within a period not exceeding ten working days from the date of detection of the illegal processing of personal data, is obliged to destroy such personal data or ensure their destruction. The Operator is obliged to notify the subject of personal data or his representative about the elimination of violations or the destruction of personal data, and if the appeal of the subject of personal data or his representative or the request of the authorized body for the protection of the rights of subjects of personal data were sent by the authorized body for the protection of the rights of personal data subjects. data, also to the specified authority.
6.11.If the purpose of processing personal data is achieved, the Operator is obliged to stop processing personal data or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the Operator) and destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting under on behalf of the Operator) within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor of which is the subject of personal data, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to to process personal data without the consent of the subject of personal data on the grounds provided for by the Federal Law of 27.07.2006 N 152-ФЗ "On Personal Data" or other regulatory legal acts.
6.12. In the event that the subject of personal data withdraws consent to the processing of his personal data, the Operator is obliged to stop their processing or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if the storage of personal data is no longer required for processing purposes personal data, destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the said review, unless otherwise provided by the contract, the party to which, the beneficiary or the guarantor of which is the subject of personal data, another agreement between the Operator and the subject of personal data, or if the Operator is not entitled to process personal data without the consent of the subject of personal data on the grounds provided for by the current legislator estom.
6.13. If it is impossible to destroy personal data within the period specified in clause 6.10-6.12 of this provision, the Operator blocks such personal data or ensures their blocking (if the processing of personal data is carried out by another person acting on behalf of the Operator) and ensures the destruction of personal data within a period of not more than six months, unless another period is established by federal laws.
7. Rights of subjects of personal data
7.1.The subject of personal data has the right to receive information about the processing of his personal data by the Operator.
7.2. The subject of personal data has the right to demand from the Operator, who processes them, to clarify these personal data, to block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or cannot be deemed necessary for the stated purpose of processing, as well as to accept the provided measures to protect their rights.
7.3. In the event that the information specified in part 7 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data", as well as the processed personal data were provided for familiarization with the subject of personal data at his request, the subject of personal data has the right to apply again to the Operator or send him a repeated request in order to obtain previously requested information and familiarize himself with such personal data no earlier than thirty days after the initial application or sending the initial request, unless a shorter period is established by federal law adopted in accordance with it by a regulatory legal act or an agreement to which the subject of personal data is a party or beneficiary or guarantor.
7.4. The personal data subject has the right to re-contact the Operator or send him a repeated request in order to obtain the information specified in part 7 of Article 14 of the Federal Law of July 27, 2006 N 152-FZ "On Personal Data" and also in order to familiarize himself with the processed personal data before the expiration the period specified in part 4 of article 14 of the Federal Law of July 27, 2006 N 152-FZ "On personal data" in the event that such information and (or) processed personal data were not provided to him for review in full following the results of consideration of the initial appeal ...
7.5. The right of the subject of personal data to access his personal data may be limited in accordance with Part 8 of Article 14 of the Federal Law of 27.07.2006 N 152-FZ "On Personal Data".
8. Measures to ensure the security of personal data during their processing
8.1. When processing personal data, the operator takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in regarding personal data.
9. Responsibility for the disclosure of information related to personal data
9.1. Persons guilty of violating the requirements of this Federal Law shall bear responsibility stipulated by the legislation of the Russian Federation.