Policy on the processing of personal data
- General terms
1.1. The given Policy on the processing of personal data (further – the Policy) has been prepared according to clause 2 of part 1 of article 18.1 of Federal Law of the Rusian Federation «On personal data» №152-ФЗ, July 27, 2006 (further – the Law) and defines the position of SP Khlopov Alexey Maximovitch (PSRNSP: 316774600546151, registration address: Moscow, ul. B. Serpukhovskaya, 34, b.5, apt 64) and/or his affiliated parties (further – the Company) in the sphere of processing and protecting of personal data (further – the Data), keeping the rights and freedom of every person, especially the right for privacy and for personal and family privacy.
- Field of application
2.1. The given Policy applies to the Data received as before as after the implementation of the given Policy.
2.2. Understanding the importance and value of the Data, and also worrying about the constitutional rights of the Russian Federation citizens as well as the citizens of other states, the Company provides reliable protection of the Data.
3.1. The Data refer to any information related to a directly or in directly identified or identifiable natural person (citizen), i.e. such information as, in particular: surname, name, email address, phone number, date and place of birth, physical state and health, information on an insurance.
3.2. The processing of the Data refer to any action (operation) or a complex of actions (operations) with the Data, which are done with the use of automation and/or without it. To such actions (operations) are related: collection, recording, systematization, accumulation, storing, specifying (upgrade, change), extraction, usage, transfer (delivery, providing, access), depersonalization, blocking, and disposal of the Data.
3.3. The safety of the Data refer to the protection of the Data from illegal and/or unauthorized access to them, from disposal, changing, blocking, copying, providing, delivering the Data, and also from any other illegal actions with the Data.
- Legal basis and goals of the processing of the Data
4.1. Processing and providing safety of the Data in the Company is realized according to the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, subordinate legislation, and other defining cases and features of the processing of the Data federal laws of the Russian Federation, and also quidelines and guidance documents of FSTEC and FSB of Russia.
4.2. Subjects of the Data processed by the Company are:
clients – consumers, including the visitors of website http://www.yeti.guide, owned by the Company, including the purpose of order registration on website http://www.yeti.guide with the further delivery to the client, a recepient of services.
4.3. The Company processes the Data of subjects with the following goals:
realization of the functions assigned to the Company by the laws of the Russian Federation, as well as powers and duties according to the federal laws, including but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law № 27-ФЗ «On the individual (personified) accounting in the system of compulsory pension insurance» (April 1, 1996), Federal Law № 152-ФЗ «On personal data» (July 27, 2006), Federal Law № 53-ФЗ «On military duty and military service» (March 28, 1998), Federal Law № 31-ФЗ «On mobilization preparation and mobilization in the Russian Federation» (February 26, 1997), Federal Law № 14-ФЗ «On limited liability companies» (February 8, 1998), Federal Law №2300-1 «On the protection of the rights of consumers» (February 7, 1992), Federal Law № 129-ФЗ «On accounting» (November 21, 1996), Federal Law № 326-ФЗ «On mandatory medical insurance in the Russian Federation» (November 29, 2010).
Of clients – consumers with the following goals:
1 providing information about goods/services, current promo activities and special offers;
2 analyzing the quality of the Company`s service and improving it;
3 informing on the order status;
5. The principles and terms of the Data processing
5.1. While processing the Data the Company adheres to the following principles: the Data processing is realized on the legal and fair basis; the Data are not revealed to the third parties and not delivered without the permission of the Data subject, excluding the cases requiring the Data disclosure at the request of authorized state bodies or legal proceedings; precise legal goals are defined before the Data processing (including collection); only those Data are being collected which are necessary and enough for the announced goals of processing; merging databases containing the Data being processed, with the incompatible goals is not allowed; the Data processing is limited to the accomplishment of specified, predetermined and legal goals; the Data being processed are subject to destruction or depersonalization after the goals of the processing have been achieved or in case when the need in achieving those goals has been lost, unless other is provided by Federal law.
5.2. The Company can include the Data of subjects into public data sources, at that the Company receives the written permission of a subject for his Data processing, the permission can be expressed via a form on the website (a checkbox), in this case the subject expresses his/her permission by clicking on the checkbox.
5.3. The Company does not process the Data related to the race, nationality, political views, religious, philosophical and other beliefs, sex life, or membership in public associations, including trade unions.
5.4. Biometric Data (information describing physiological and biological features of a person, according to which he/she can be identified and which are used by an operator for the identification of the Data subject) are not processed by the Company.
5.5. The Company does not implement the cross-border transfer of the Data.
5.6. In cases specified by the laws of the Russian Federation, the Company has the right to transfer the Data to the third parties (the Federal Tax Service, the State Pension Fund, and other state bodies), in cases provided by the laws of the Russian Federation.
5.7. The Company has the right to entrust the third parties with the Data processing if permitted by the Data subject, based on the contract signed with the third parties including their agreement with the User Agreement and Policy on the processing of personal data located on the website.
5.8. The parties processing the Data on the base of the contract with the Company (the commission of the operator) are obliged to adhere to the principles and the rules of the Data processing and protection provided by law. For every third party there is a list of actions (operations) with the Data in the contract, which are supposed to be realized by the third party processing the Data, as well as the goals of the processing. The contract establishes the obligation of the third party to keep confidentiality and provide security of the Data while processing them, also it gives the rquirements for the protection of the Data being processed according to the Law.
5.9. According to the requirements of the current laws of the Russian Federation and the Company`s contractual obligations, the processing of the Data in the Company is realized with the use of automation and without it. The complex of the processing operations includes: collection, recording, systematization, accumulation, storing, specifying (upgrade, change), extraction, usage, transfer (providing, access), depersonalization, blocking, disposal and destruction of the Data.
5.10. The Company prohibits to make decisions based only on automated Data processing leading to legal cosequences in respect of the Data subject or in any other way related to his/her rights and legal interests, excluding cases provided by the laws of the Russian Federation.
- The rights and obligations of the Data subjects, and also of the Company, in the sphere of the Data processing
6.1. The subject whose Data are being processed by the Company has the right:
- to receive from the Company:
confirmation of the fact of the Data processing and information about the availability of the Data related to the respective Data subject;
information about the legal basis and goals of the Data processing; information about the methods of the Data processing used by the Company; information about the name and location of the Company;
information about the parties (excluding the staff of the Company) having the access to the Data or who can have the access to the Data on the base of the contract with the Company or federal laws;
a list of the Data being processed, which relates to the Data subject, and information about the source where they have been received from, if any other way of receiving such Data is not provided by federal laws;
information about the period of the Data processing, including the period of their storage;
information about the order of the realization of the Data subject`s rights provided by the Law; the name (the first name, the middle name and the surname) and the address of the person processing the Data on behalf of the Company;
other information provided by the Law or other legislation;
- to demand from the Company:
to correct his/her Data, to block or destroy them if the Data are incomplete, outdated, inaccurate, received illegally, or nit necessary for the announced goals of processing;
to withdraw his/her permission for the Data processing any moment; to stop illegal actions of the Company towards his/her Data;
to appeal against actions or inaction of the Company to the Federal service for supervision in the sphere of Telecom, information technologies and mass communications (Roscomnadzor) or to the court if the subject supposes that the Company processes his/her Data with the violation of the Law, or in any other way violates his/her rights and freedoms;
- for the protection of his/her rights and legal interests including reimbursement of losses and/or compensation for moral injury in court.
6.2. The Company while processing the Data is obliged to:
give to the Data subject, on his/her damand, information about his/her Data processing, or to refuse on the legal basis during thirty days from the date of receiving the demand of the Data subject or his/her representative;
clarify to the Data subject the legal consequences of his/her refusal to give the Data, if providing the Data is obligatory according to federal law;
before processing the Data (if the Data have been received not from the Data subject) give to the Data subject the following information, excluding cases provided by part 4 of article 18 of the Law:
- the name or first name, middle name and surname, and the address of the Company or its representative;
- the goal of the Data processing and its legal basis;
- supposed users of the Data;
- the rights of Data subjects established by the Law;
- the source of the Data.
take necessary legal, organizational and technical measures, or provide them, for the protection of the Data from illegal or accidental access to them, their destruction, change, blocking, copying, providing or delivery, and also from other illegal actions towards the Data;
publish on the Internet a document defining its policy on the Data processing and the information about current requirements for the Data protection, and provide unlimited access with the Internet to them;
provide to the Data subjects and/or their representatives a free possibility to review the Data when handling a respective request, during 30 days from the date of receiving such request;
block illegaly processed Data related to the Data subject or provide their blocking (if the Data are being processed by the third party operating on behalf of the Company) from the moment of the request for the check period, in case when illegal Data processing is detected at the Data subject`s or his/her representative`s request, or at the request of an authorized body on protection of the rights of the persoanl data subjects;
correct the Data or provide their correction (if the Data are being processed by the third party operating on behalf of the Company) during 7 working days from the date of receiving the information and unblock the Data, if the inaccuracy of the Data is confirmed by the information given by the Data subject or his/her representative;
stop illegal Data processing or provide termination of their illegal processing by the party operating on behalf of the Company, in case of detection of the illegal Data processing by the Company or the party operating on the base of the contract with the Company, during not more than 3 working days from the date of such detection;
stop the Data processing or provide its termination (if the Data are being processed by the third party operating on the base of the contract with the Company) and destroy the Data or provide their destruction (if the Data are being processed by the third party operating on the base of the contract with the Company), when the goals of the Data processing have been accomplished, if other is not provided by the contract, in which the Data subject is a party, a beneficiary or a guarantor;
stop the Data processing or provide its termination and destroy the Data or provide their destruction, if the Data subject withdraws his/her permission for the Data processing, if the Company has no right to process the Data without the Data subject`s permission;
keep a log of Data subjects` requests which must contain Data subjects` requests for receiving the Data, and also the facts of providing the Data according to those requests.
- Requirements for the Data protection
7.1. The Company while processing the Data takes necessary legal, organizational and technical measures for protecting the Data from illegal and/or unauthorized access to them, from their destruction, change, blocking, copying, providing, delivery, and also from other illegal actions towards the Data.
7.2. To such measures, according to the Law, refer, in particular:
appointment of a person responsible for the organization of the Data proccessing and a person responsible for the security of the Data;
development and adoption of local acts on the problems of the Data processing and protection;
implementation of legal, organizational and technical measures for providing the Data security:
- identifying the Data security threats at their processing in personal data information systems;
- implementation of organizational and technical measures for providing the Data security at their processing in personal data information systems, which are necessary for meeting the requirements for the Data protection and which can be implemented due to the Data protection levels established by the Russian Government;
- mplementation of the conformity assessment procedures for information security tools, held in a prescribed manner;
- efficiency assessment of the measures taken for the Data security before their input
- operation of a personal data information system;
- registration of the Data machine carriers, if the Data are stored at machine carriers;
- detecting the facts of illegal access to the Data and taking measures for preventing such inicidents in future;
- restoring the Data modified or destroyed in the result of illegal access to them;
- establishing the rules of the access to the Data being processed in a personal data information system, and also providing registration and record of all the actions with the Data in a personal data information system.
monitoring the measures taken for providing the Data security and the protection level of personal data information systems;
estimation of the damage which can be done towards the Data subjects, if the requirements of the Law are violated, and correlation of that damage with the measures taken by the Company, which are focused on the performance of the duties provided by the Law;
compliance with the conditions excluding unauthorized access to material Data carriers and providing the Data security;
introduction of the legal provision of the Russian Federation on the Data to the Company`s employees directly engaged in the Data processing, including the requirements for the Data protection and local acts on the problems of the Data processing and protection, and also training the Company`s employees.
- The period of the Data processing (storage)
8.1. The period of the Data processing (storage) is defined according to the goals of the Data processing, in accordance with the term of the contract with the Data subject, requirements of federal laws, requirements of the Data operators on behalf of which the Company processes the Data, basic rules of the work of organizations archives, and limitation period.
8.2. The Data with the expired period of processing (storage) are to be destroyed, if other is not provided by federal law. Storing the Data after their processing has been finished is allowed only after their depersonalization.
- Order of clarification of the problems on the Data processing
9.1. Persons whose Data are processed by the Company can get clarifications on the problems of their Data processing through a personal contact with the Company or through a written request to the address of the Company: Moscow, ul. B. Serpukhovskaya, 34, b. 5, apt 64.
9.2. In case of an official request to the Company in its text there should be given the following information:
the surname, name and the middle name of the Data subject or his/her representative;
the number of the main document certifying the identity of the Data subject or his/her representative, the issue date of the given doccument and the issuing authority;
confirmation of the current relations between the Data subject and the Company; information for feedback where the Company can send the answer to the request;
the signature of the Data subject (or his/her representative). If the request is send via email, it should be formed as an electronic document and signed electronically, according to the Rusian Federation laws.
- The features of the processing and protection of the Data collected by the Company through the Internet
10.1. The Company processes the Data coming from the users of website: http://www.yeti.guide (further collectively – the Website), and also received at the Company`s email: email@example.com.
10.2. The Data collection
There are two main ways how the Company gets the Data through the Internet:
10.2.1. Providing the Data
Providing the Data (independent data input):
date or place of birth
physical state and health
information on the insurance
10.2.2. From the Data subjects via the email of the Company:
10.3. Automatically collected information
The Company can collect and process the information which is not personal data:
information about the Website users` interests, based on their entered search queries about the goods realized and offered for sale by the Company
- with the goal of providing relevant information to the Company`s clients when they use the Website, and also of generalization and analysis of information about the Website sections and goods which are most in demand of the Company`s clients;
the search queries of the Website users to generalize them and create client statistics on the usage of the Website sections.
The Company automatically receives some kinds of information during users interaction with the Website, corresponding by email and the like. It is technologies and services such as web protocols, cookies, web marks, and also applications and tools of the given third party.
At that, web marks, cookies and other monitoring technologies do not give the opportunity to automatically receive the Data. If a Website user gives his/her Data at own discretion, for example, when filling in the feedback form or sending an email, only then start the automatical processes of detailed information collection for the websites usability and/or for improving the interaction with users.
10.4. Use of the Data
The Company has the right to use provided Data in accordance with the announced goals of their collection, at the permission of the Data subject, if such permission is needed according to the requirements of the Russian Federation laws in the sphere of the Data.
Received Data, generalized and anonymised, can be used for better understanding the needs of the consumers of the goods and services which the Company sells and for improving its service.
10.5. Transfer of the Data
The Company can commission third parties with the Data processing only with the permission of the Data subject. Also, the Data can be transferred to third parties in the following cases:
а) As an answer to the legal requests of authorised state bodies, according to law, court decisions an so on.
б) The Data can not be transferred to third parties for marketing, commercial and other similar goals, excluding the cases when the permission of the Data subject has been previously received.
10.6. The Website contains links to other web resources which may have useful information interesting for the Website users. At that, the given Policy does not cover those other sites. The users who pass through the links to other sites are recommended to read the Data processing policies located on those sites.
10.7. The Website user can withdraw his/her permission for the Data processing any time by sending an email to the Company: firstname.lastname@example.org, or sending a written notice to the address: Moscow, ul. B. Serpukhovskaya, 34, b. 5, apt 64. After having received such notice the Company stops processing the user`s Data and deletes his/her Data, excluding the cases when the processing can be prolonged according to law.
The given Policy is a local normative act of the Company. The given Policy is public. The publicity of this Policy is provided by publication on the Website. This Policy can be revised in any of the following cases: if the Russian Federation laws in the sphere of personal data processing and protection change; if authorized state bodies give prescriptions for the elimination of discrepancies related to the sphere of the Policy; according to the decision of the Company management; if the goals and terms of the Data processing change; if the organizational structure, as well as the structure of information and/or telecom systems change (or new ones are introduced); if new technologies of the Data processing and protection (including transfer and storage) are implemented; if it is necessary to change the procedure of the Data processing related to the Company activity. In case of default of this Policy the Company and its employees take responsibility according to the current legislation of the Russian Federation. Execution control over this Policy is done by the persons responsible for the organization of the Data processing and for personal data protection in the Company.