Personal Data Processing Policy
1. General position1.1. This Policy regarding the processing of personal data (hereinafter referred to as the “Policy”) determines the position of IE Sosnin A.T. (hereinafter - the "Company") in the field of processing and protection of personal data (hereinafter - the "Data"), in order to comply with the principles of legality, justice and confidentiality, the rights and freedoms of each person and, in particular, the right to privacy, personal and family a secret.
1.2.The company is a data operator in accordance with the laws of the Russian Federation.
1.3. Processing and ensuring the safety of Data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law of the Russian Federation dated July 27, 2006 No. 152-FZ “On Personal Data”, the Federal Law of July 27, 2006 No. 149- Federal Law “On Information, Information Technologies and Information Protection”, Decree of the Government of the Russian Federation of November 01, 2012 No. 1119 “On approval of requirements for the protection of personal data during their processing in information systems of personal data”, Decree of the Government of the Russian Federation of September 15 2008 No. 687 “On approval of the Regulation on the peculiarities of the processing of personal data carried out without the use of automation”, other defining cases and features of the processing of Data from federal laws of the Russian Federation and by-laws of the Russian Federation.
1.4. The action of this Policy applies to any action (operation) or set of actions (operations) with Data performed using automation tools or without using such tools with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing) , extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Data.
1.5. This Policy applies to Data received both before and after the entry into force of this Policy.
2. DefinitionsData refers to any information relating to a directly or indirectly determined or determined individual (citizen), i.e. Such information, in particular, includes: name, year, month, date and place of birth, gestational age, delivery address, information about family, social, property status, information about education, profession, income, phone number, email address for communications, as well as information about clients or candidates for vacant positions left when filling out the questionnaire, including information contained in the candidate’s resume, as well as other information.
Data processing refers to any action (operation) or a set of actions (operations) with Data performed using automation tools and / or without using such tools. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access, including to third parties), depersonalization, blocking, deletion, destruction of Data.
Data Security refers to the security of Data from unauthorized and / or unauthorized access to it, destruction, alteration, blocking, copying, provision, distribution of Data, as well as from other illegal actions in relation to Data.
3. Data Subjects3.1. Data subjects processed by the Company are:
- Clients - consumers, visitors to the website owned by the Company: IE Sosnin A.T., https://gutendata.de (hereinafter referred to as the "Site"), including for the purpose of placing an order on the Site with subsequent delivery to the client;
- employees of the Company, relatives of employees of the Company, to the extent determined by the legislation of the Russian Federation, if information about them is provided by the employee
- suppliers (individual entrepreneurs);
- representatives of legal entities;
- members of loyalty bonus programs;
- individuals whose data is processed in the interests of third parties - data processing operators on the basis of an agreement (instructions of data processing operators);
3.2. The company carries out the processing of these entities in order to:
- compliance with labor laws and other acts containing labor law, including accounting for labor and its payment, adoption of personnel and managerial decisions in relation to employees, control of labor discipline;
- conclusion and execution of an agreement, one of the parties of which is an individual;
- consideration of the possibilities of further cooperation of representatives of legal entities - contractors of the Company for the purposes of: negotiating, concluding and executing agreements for which the data of employees of such a legal entity are provided for the purpose of fulfilling the agreement in various areas of the Company's business.
- execution of contracts - instructions of Data operators; Relatives of the Company's employees in order to: compliance with the requirements of the legislation of the Russian Federation;
- providing information on services passing shares;
- loyalty program member identification;
- analysis of the quality of the service provided by the Company and improving the quality of customer service of the Company; informing about the status of the order;
- fulfillment by the Company of obligations under the loyalty program. Customers - consumers in order to: providing information on services, ongoing promotions and special offers;
- contract execution, including concluded remotely on the Site, paid services;
- the provision of services for the delivery of client equipment to the service for work, as well as accounting for services rendered to consumers for settlements;
- delivery of the client’s electronic equipment to the service for work that has completed the order on the Site and return.
4. Principles and conditions for data processingProcessing of Personal Data is carried out in the following cases:
- Processing of Personal Data is carried out with the consent of the subject of Personal Data to the processing of his Personal Data;
- Processing of Personal Data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or the law, to carry out and fulfill the functions, powers and duties assigned to the operator by the legislation of the Russian Federation;
- the processing of Personal Data is necessary for the execution of a contract to which either the beneficiary or guarantor of which the subject of Personal Data is a party, as well as for the conclusion of a contract at the initiative of the subject of Personal Data or the contract under which the subject of Personal Data will be the beneficiary or guarantor;
- the processing of Personal Data is necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the subject of Personal Data;
- Processing of Personal Data is carried out for statistical or other research purposes, subject to the mandatory depersonalization of Personal Data. An exception is the processing of Personal data in order to promote goods, works, services on the market through direct contacts with potential consumers using communication tools;
- Personal data is processed, an unlimited number of persons are accessed by a subject of Personal data or at his request
When processing Data, the Company adheres to the following principles:
- Data processing is carried out on a legal and fair basis;
- determination of specific legitimate purposes before the start of processing (including collection) of Data;
- Data processing incompatible with the purposes of the collection of Data is not allowed;
- the combination of databases containing Data whose processing is carried out for purposes incompatible with each other is not allowed;
- Data processing is limited to achieving specific, predetermined and legitimate goals;
- the processed data is subject to destruction or depersonalization upon achievement of the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by federal law.
- The Company may include the Data of entities in publicly available sources of Data, while the Company takes the written consent of the entity to process its Data.
- The Company does not process Data relating to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.
- Biometric Data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which are used by the operator to establish the identity of the data subject) is not processed in the Company.
- In cases established by the legislation of the Russian Federation, the Company has the right to transfer data to third parties in cases stipulated by the legislation of the Russian Federation.
- The Company has the right to entrust the processing of Data of Data subjects to third parties with the consent of the Data subject, on the basis of an agreement concluded with these parties, provided that the persons who process the Data on the basis of an agreement concluded with the Company (operator’s order) are obligated to comply with the principles and rules of processing and protection Data provided by law. In cases where the Company entrusts the processing of Personal Data to another person, the Company bears responsibility to the subject of Personal Data for the actions of the specified person. A person processing personal data on behalf of the Company is responsible to the Company.
- If there is no need for the written consent of the subject to the processing of his Personal data, the consent of the subject can be given by the subject of Personal data or his representative in any form that allows to obtain the fact of its receipt.
- The Company prohibits the adoption on the basis of exclusively automated processing of the Data of decisions that give rise to legal consequences in relation to the data subject or otherwise affect his rights and legitimate interests, except as otherwise provided by the legislation of the Russian Federation.
5. Rights of Data SubjectsIn accordance with the Federal Law “On Personal Data”, the subject of Personal Data has the right:
5.1. Receive from the Company:
- confirmation of the fact of processing the Data and information about the availability of Data related to the relevant data subject;
- information on the legal grounds and purposes of processing the Data;
- information on the methods used by the Company for processing Data;
- Information on the name and location of the Company;
- information about persons (with the exception of Company employees) who have access to the Data or to whom Data may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
- a list of processed Data relating to the subject of the Data, and information on the source of their receipt, unless otherwise provided by federal law;
- information on the data processing periods, including the periods of their storage;
- other information provided for by the Law or other regulatory legal acts of the Russian Federation;
- name (full name) and address of the person processing the data on behalf of the Company;
- information on the procedure for the exercise by the subject of these rights provided for by the Law;
5.3. Withdraw consent to the processing of Data at any time;
5.4.Demand the elimination of illegal actions of the Company in relation to its Data;
6. Company Rights6.1.The Company has the right to send informational, including advertising messages, to e-mail and a mobile phone of Data Subjects with his consent, expressed by means of taking actions that uniquely identify this subscriber and allowing him to reliably establish his will to receive the message. The Data Subject has the right to refuse to receive advertising and other information without explaining the reasons for the refusal by informing the seller of his refusal by phone +7 (495) 729-97-06 or by sending a corresponding application to the Company’s email address: email@example.com. Service messages informing the Data Subject about the order and the stages of its processing are sent automatically and cannot be rejected by the Data Subject.
6.2. The company receives information about the IP address of the site visitor. This information is not used to identify the visitor.
6.3. The Company is not responsible for the information provided by the Data Subject on the Site in a public form.
6.4.The Company has the right to record telephone conversations with the Data Subject. At the same time, the Company undertakes to: prevent attempts of unauthorized access to information obtained during telephone conversations, and / or transfer it to third parties that are not directly related to the execution of Orders, in accordance with paragraph 4 of Art. 16 of the Federal Law “On Information, Information Technologies and Information Protection”.
7. Company ResponsibilitiesIn accordance with the Federal Law “On Personal Data”, the Company is obligated:
7.1. Explain to the data subject the legal consequences of the refusal to provide Data, if the provision of Data is mandatory in accordance with federal law;
7.2. Prior to the processing of the Data (if the Data was received not from the data subject), provide the data subject with the following information, except as otherwise provided part 4 section 18 of the Law:
- name or surname, name, patronymic and address of the Company or its representative;
- purpose of data processing and its legal basis;
- prospective Data users;
- statutory rights of Data subjects;
- data source.
The following cases are an exception:
- the subject of Personal Data is notified of the processing by the Company of his Personal Data;
- Personal data was received by the Company in connection with the execution of a contract to which either the beneficiary or guarantor is a subject of Personal data or based on federal law;
- Personal data is made publicly available by the subject of Personal data or obtained from a public source;
- The company processes Personal data for statistical or other research purposes, if this does not violate the rights and legitimate interests of the subject of Personal data;
- providing the subject of Personal data with the information contained in the Notice on the processing of Personal data violates the rights and legitimate interests of third parties;
7.3.Keep a journal of records of appeals of data subjects, which should record the requests of data subjects for receiving data, as well as the facts of providing data on these requests;
7.4. Publish on the Internet and provide unrestricted access via the Internet to a document defining its policy regarding the processing of Data, to information about the data protection requirements being implemented;
7.5. Provide data subjects and / or their representatives free of charge the opportunity to familiarize themselves with the Data when making a corresponding request within 30 (thirty) days from the date of receipt of such a request;
7.6. Carry out the blocking of illegally processed Data related to the subject of the Data, or ensure their blocking (if the processing of the Data is carried out by another person acting on behalf of the Company) from the moment of requesting or receiving a request for a period of verification, in case of revealing the illegal processing of Data when contacting the data subject or his a representative either at the request of the data subject or his representative or the authorized body for the protection of the rights of personal data subjects;
7.7. Clarify the Data or ensure its refinement (if the Data processing is carried out by another person acting on behalf of the Company) within 7 working days from the date of submission of information and to remove the blocking of Data, in case of confirmation of the inaccuracy of the Data on the basis of information provided by the Data subject or his representative;
7.8.To stop the illegal processing of Data or to ensure the termination of the illegal processing of Data by a person acting on behalf of the Company, in case of detection of illegal processing of Data carried out by the Company or by a person acting on the basis of an agreement with the Company, within a period not exceeding 3 working days from the date of this detection;
7.9. Stop processing the Data or ensure its termination (if the processing of the Data is carried out by another person acting under an agreement with the Company) and destroy the Data or ensure their destruction (if the processing of the Data is carried out by another person acting under an agreement with the Company) to achieve the purpose of processing the Data, unless otherwise not provided for by the contract to which the data subject is the beneficiary or surety under which the data processing goal is achieved;
7.10. Stop processing the Data or ensure its termination and destroy the Data or ensure their destruction if the data subject withdraws consent to the processing of Data, if the Company is not entitled to process the Data without the consent of the data subject.
8. Measures to ensure the security of Data during its processing8.1. When processing the Data, the Company takes the necessary legal, organizational and technical measures to protect the Data from unauthorized and / or unauthorized access to it, destruction, alteration, blocking, copying, provision, distribution of the Data, as well as from other illegal actions in relation to the Data.
8.2.Such measures, in particular, include:
- appointment of a person responsible for organizing the processing of Data and a person responsible for ensuring the security of Data;
- development and approval of local acts on data processing and protection;
- application of legal, organizational and technical measures to ensure data security:
- detection of facts of unauthorized access to the Data and taking measures to prevent similar incidents in the future;
- control over measures taken to ensure the security of Data and the level of security of personal data information systems;
- identification of data security threats during their processing in personal data information systems;
- the application of organizational and technical measures to ensure the security of Data during its processing in personal data information systems necessary to fulfill the requirements for data protection, the implementation of which ensures the levels of data security established by the Government of the Russian Federation;
- detection of facts of unauthorized access to the Data and taking measures to prevent similar incidents in the future;
- recovery of Data modified or destroyed due to unauthorized access to it;
- compliance with conditions that exclude unauthorized access to material data carriers and ensure the safety of data;
9. Dates of data processing (storage)9.1. The terms for processing (storing) Data are determined on the basis of the purposes of processing the Data, in accordance with the term of the contract with the data subject, the requirements of federal laws, the requirements of the Data operators, on behalf of which the Company processes the Data, the basic rules of operation of archives of organizations, the limitation period.
9.2. The time period for making the necessary changes to Data that is incomplete, inaccurate or irrelevant may not exceed 7 (Seven) business days from the date the data subject or his representative submits information confirming that the Data is incomplete, inaccurate or irrelevant;
9.3. Data whose processing (storage) period has expired must be destroyed, unless otherwise provided by federal law. Data storage after termination of its processing is allowed only after its depersonalization.
10. The procedure for the exercise of rights by data subjects10.1.The appeal of the Data subject in order to exercise his rights is carried out in writing in the prescribed form at a personal visit of the Data subject or his representative to the Company or by sending a written request to the address of the Company: 125284, Moscow, st. Begovaya h. 7, floor 1, intercom 250
10.2.In case of sending an official request to the Company, the request text must indicate:
- surname, name, patronymic of the data subject or his representative;
- the number of the main document certifying the identity of the data subject or his representative, information on the date of issue of the specified document and the issuing authority;
- information confirming the presence of the subject of these relations with the Company;
- information for feedback in order to send a response to a request by the Company;
- Signature of the data subject (or his representative). If the request is sent in electronic form, then it must be executed in the form of an electronic document and signed by electronic signature in accordance with the legislation of the Russian Federation.
10.3. The response to the appeal is sent in writing to the subject of Personal Data by mail to the address indicated in the appeal
10.4. The time period for the response to be formed and forwarded to the post office for dispatch may not exceed 30 (thirty) days from the date the operator receives the appeal.
11. Final provisions11.1. This Policy is a local regulatory act of the Company..
11.2.This Policy is publicly available. The general availability of this Policy is ensured by publication on the Company Website.
11.3. This Policy comes into force from the moment of its approval and is valid indefinitely..
11.4.This Policy may be revised and, if necessary, updated in case of changes in the legislation of the Russian Federation.