Floor 89, Federation East Tower
Moscow-City Complex
Bld. 12, Presnenskaya Embankment
1. GENERAL PROVISIONS
The Personal Data Processing Policy of Olga Vladimirovna Gnatovskaya, Sole Proprietor (hereinafter referred to as the Policy) has been developed in accordance with Federal Law No. 152-FZ of July 27, 2006, “On Personal Data” (hereinafter referred to as FZ-152).
This Policy defines the personal data processing procedures and measures to ensure the security of personal data by Olga Vladimirovna Gnatovskaya, Sole Proprietor (hereinafter referred to as the Company) in order to protect the rights and freedoms of individuals and citizens when processing their personal data, including the right to privacy, personal and family secrets.
The following key terms are used in this Policy:
Automated processing of personal data — the processing of personal data using computer technology;
Blocking of personal data — the temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data);
Personal data information system — the totality of personal data contained in databases and the information technologies and technical means supporting their processing;
Depersonalization of personal data — actions that make it impossible to determine the attribution of personal data to a specific data subject without the use of additional information;
Personal data processing — any action (operation) or set of actions (operations) performed with or without the use of automated tools with personal data, including the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data;
Operator — a government agency, municipal body, legal entity, or individual that, independently or jointly with others, organizes and/or carries out the processing of personal data, and determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
Personal data — any information related to a directly or indirectly identified or identifiable individual (the personal data subject);
Provision of personal data — actions aimed at disclosing personal data to a specific individual or a specific group of individuals;
Dissemination of personal data — actions aimed at disclosing personal data to an unspecified group of individuals;
Cross-border transfer of personal data — the transfer of personal data to a foreign government agency, a foreign individual, or a foreign legal entity;
Destruction of personal data — actions that make it impossible to restore the contents of personal data in a personal data information system and/or that result in the destruction of tangible media containing personal data.
The Company is obligated to publish or otherwise ensure unrestricted access to this Personal Data Processing Policy in accordance with Part 2 of Article 18.1 of Federal Law No. 152.
2. PRINCIPLES AND CONDITIONS FOR PERSONAL DATA PROCESSING
2.1 Principles of Personal Data Processing
Personal data processing at the Company is based on the following principles:
— lawfulness and fairness;
— limiting the processing of personal data to achieving specific, predetermined, and legitimate purposes;
— preventing the processing of personal data incompatible with the purposes for which the personal data was collected;
— preventing the merging of databases containing personal data processed for incompatible purposes;
— processing only personal data that is relevant to the purposes for which it was processed;
— conformity of the content and volume of processed personal data with the stated purposes of processing;
— preventing the processing of personal data that is excessive in relation to the stated purposes of processing;
— ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes for which it was processed;
— destruction or depersonalization of personal data upon achieving the processing objectives or if the need to achieve these objectives is no longer necessary, if the Company is unable to rectify any violations committed during the processing of personal data, unless otherwise provided by federal law.
2.2 Conditions for Processing Personal Data
The Company processes personal data if at least one of the following conditions is met:
— personal data is processed with the consent of the personal data subject to the processing of their personal data;
— the processing of personal data is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or by law, for the implementation and performance of the functions, powers, and duties imposed on the Company by the legislation of the Russian Federation;
— the processing of personal data is necessary for the administration of justice, the execution of a judicial act, or the act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
— the processing of personal data is necessary for the performance of an agreement to which the personal data subject is a party, beneficiary, or guarantor, as well as for concluding an agreement initiated by the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor;
— the processing of personal data is necessary to exercise the rights and legitimate interests of the Company or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;
— the processing of personal data is made publicly available to an unlimited number of persons by the personal data subject or at their request (hereinafter, publicly available personal data);
— the processing of personal data is subject to publication or mandatory disclosure in accordance with federal law.
2.3 Confidentiality of Personal Data
The Company and other persons who have gained access to personal data undertake not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
2.4 Publicly Available Sources of Personal Data
For informational purposes, the Company may create publicly available sources of personal data of data subjects, including directories and address books. Publicly available sources of personal data may include, with the written consent of the data subject, their last name, first name, patronymic, date and place of birth, job title, contact phone numbers, email address, and other personal data provided by the data subject.
At the request of the data subject or by decision of a court or other authorized government agency, information about the data subject may be excluded from the Company’s publicly available sources of personal data.
2.5 Special Categories of Personal Data
The Company processes special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, or intimate life in the following cases:
— the personal data subject has given written consent to the processing of their personal data;
— the personal data has been made publicly available by the personal data subject;
— the personal data is processed in accordance with legislation on state social assistance, labor legislation, and the legislation of the Russian Federation on state pensions and labor pensions;
— the processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject or the life, health, or other vital interests of other persons, and obtaining the consent of the personal data subject is not possible;
— the personal data is processed for medical and preventive purposes, to establish a medical diagnosis, or to provide medical and medical-social services, provided that the personal data is processed by a professional medical professional who is obligated to maintain medical confidentiality in accordance with Russian legislation;
— the processing of personal data is necessary to establish or exercise the rights of the personal data subject or third parties, as well as in connection with the administration of justice;
— the processing of personal data is carried out in accordance with legislation on compulsory types of insurance and insurance legislation.
The processing of special categories of personal data must be immediately terminated once the reasons for its processing have been eliminated, unless otherwise provided by federal law.
The Company may process personal data on criminal records only in cases and according to the procedure determined by federal laws.
2.6 Biometric Personal Data
Information that characterizes the physiological and biological characteristics of an individual, based on which their identity can be established (biometric personal data) and which is used by the operator to identify the personal data subject, may be processed by the Company only with the written consent of the personal data subject. 2.7 Entrusting the Processing of Personal Data to Another Person
The Company has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on an agreement concluded with that person. Any person processing personal data on behalf of the Company is obligated to comply with the principles and rules for processing personal data stipulated by Federal Law No. 152.
2.8 Cross-Border Transfer of Personal Data
The Company is obligated to ensure that the foreign state to which the personal data is to be transferred ensures adequate protection of the rights of personal data subjects before such transfer.
Cross-border transfer of personal data to the territory of foreign states that do not ensure adequate protection of the rights of personal data subjects may be carried out in the following cases:
the presence of the personal data subject’s written consent to the cross-border transfer of their personal data;
the performance of an agreement to which the personal data subject is a party.
3. RIGHTS OF THE PERSONAL DATA SUBJECT
3.1 Consent of the Personal Data Subject to the Processing of Their Personal Data
The personal data subject makes the decision to provide their personal data and consents to its processing voluntarily, of their own free will, and in their own interests. Consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows for confirmation of its receipt, unless otherwise provided by federal law.
The Company is responsible for providing proof of the personal data subject’s consent to the processing of their personal data or proof of the grounds specified in Federal Law No. 152.
3.2 Rights of the Personal Data Subject
The personal data subject has the right to receive information from the Company regarding the processing of their personal data, unless such right is limited in accordance with federal laws. A personal data subject has the right to request that the Company clarify, block, or destroy their personal data if such personal data is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing, and to take legally prescribed measures to protect their rights.
The processing of personal data for the purpose of promoting goods, works, or services on the market through direct contact with potential consumers via communication tools is permitted only with the prior consent of the personal data subject. Such processing of personal data is deemed to be carried out without the prior consent of the personal data subject unless the Company proves that such consent has been obtained.
The Company is obligated to immediately cease processing their personal data for the above purposes at the request of the personal data subject.
Decisions based solely on automated processing of personal data that generate legal consequences for the personal data subject or otherwise affect their rights and legitimate interests are prohibited, except in cases stipulated by federal laws or with the written consent of the personal data subject.
If a personal data subject believes that the Company is processing their personal data in violation of Federal Law No. 152 or otherwise infringes their rights and freedoms, the personal data subject has the right to appeal the Company’s actions or inactions to the Authorized Body for the Protection of the Rights of Personal Data Subjects or in court.
A personal data subject has the right to protect their rights and legitimate interests in court, adhering to the pre-trial dispute resolution procedure.
4. PERSONAL DATA SECURITY
The security of personal data processed by the Company is ensured by the implementation of legal, organizational, and technical measures necessary to meet the requirements of federal legislation on personal data protection.
To prevent unauthorized access to personal data, the Company applies the following organizational and technical measures:
— appointing officials responsible for organizing the processing and protection of personal data;
— limiting the number of persons with access to personal data;
— familiarizing subjects with the requirements of federal legislation and the Company’s regulatory documents on the processing and protection of personal data;
— organizing the accounting, storage, and circulation of information media;
— identifying threats to the security of personal data during its processing;
— developing a personal data protection system based on the established level of personal data security during its processing in personal data information systems and on a threat model;
— restricting user access to information resources and software and hardware used for processing information;
— recording and accounting of user actions of personal data information systems;
— using information security tools (antivirus software, firewalls, intrusion detection tools, security analysis tools, cryptographic information protection tools, etc.) when necessary;
— browsers used are configured to automatically clear personal data (cache, cookies, browsing history, and download history) when closed;
— organizing access control to the Company’s premises and protecting premises containing personal data processing equipment.
5. FINAL PROVISIONS
Other rights and obligations of the Company as a personal data operator are determined by Russian Federation legislation in the field of personal data.
Company officials found guilty of violating the rules governing the processing and protection of personal data bear financial, disciplinary, administrative, civil, or criminal liability in accordance with the procedure established by federal laws.
Individual entrepreneur Gnatovskaya Olga Vladimirovna
Legal address: 123022, Moscow, vn.ter.g. municipal district Presnensky, st. Trekhgorny Val
OGRNIP: 318774600324061
INN: 501705853275