Position on the protection of personal Customer data


1. Terms and definitions

1.1. Personal information — any information relating to an identified or identifiable on the basis of such information individual (personal data subject), including his surname, name, patronymic, year, month, date and place of birth, address, email address, telephone number, family, social, property status, education, profession, income, other information.

1.2. personal data Processing — actions (operations) with personal data including collection, systematization, accumulation, storage, clarification (update, change), use, distribution (including transfer), depersonalization, blocking.

1.3. Privacy — binding is assigned to a responsible person who has gained access to personal data, the requirement to prevent their distribution without the consent of the subject or of other legal grounds.

1.4. disclosure — actions aimed at the transfer of personal data to a certain circle of persons (transfer of personal data) or on acquaintance with personal data of an unlimited circle of persons, including promulgation of personal data in mass media, placing in is information-telecommunication networks or granting of access to personal data in any other way.

1.5. Using personal information — actions (operations) with personal data performed for the purposes of making decisions or other actions that generate legal consequences in respect of personal data subjects or otherwise affect their rights and freedoms or the rights and freedoms of others.

1.6. Blocking of personal data — temporary suspension of collection, sistematizarAI, accumulation, use and distribution of personal data, including their transfer.

1.7. Destruction of personal data — actions in which result it is impossible to restore the contents of personal data in the information system of personal data or which are destroyed material carriers of personal data.

1.8. Depersonalization of personal data — actions, which is impossible without additional information to determine belonging of personal data to a particular subject.

1.9. Public personal information — personal information, unlimited access to which is provided with the consent of the subject or in accordance with the Federal laws not subject to the requirement of confidentiality.

1.10. Information — information (messages, data) regardless of the form of their presentation.


1.11. Client (the data subject) - an individual, consumer of services of “Hospitality”, then “Organization”.

1.12. Operator - state body, municipal body, legal or physical person who independently or together with other persons organizing and (or) carrying out processing of personal data, and also defining purposes of processing of personal data, the scope of personal data to be processed, actions (operations) committed with personal data. In the present Situation the Operator is OOO “Hospitality”


2. General provisions.

2.1. The present regulations concerning the processing of personal data (further-the Provision) are developed in accordance with the Constitution of the Russian Federation, Civil code of the Russian Federation, Federal law "On information, information technologies and protection of information," Federal law 152-FZ "On personal data" other Federal laws.
2.2. The purpose of the development of the Situation — determination of the procedure for processing and protection of personal data of all Clients of the Organization whose data could be processed on the basis of the authority of the operator;

protect the rights and freedoms of man and citizen during processing of personal data, including protection of rights to inviolability of private life, personal and family privacy, as well as the establishment of responsibility of officials who have access to personal data, for failure to comply with the requirements of the norms regulating processing and protection of personal data.

2.3. The order of implementation and change.

2.3.1. This Regulation shall enter into force upon its approval by the General Director of the Organization and is valid indefinitely, until its replacement with a new Position.

2.3.2. Changes in Position are made on the basis of Orders of the Director of the Organization.


3. The scope of personal data.

3.1. Part of nerealnyh Customer data, including:

3.1.1. Surname, name, patronymic.

3.1.2. The birth month.

3.1.3. E-mail address.

3.1.4. Phone number (home, mobile).

3.1.5. Address for delivery (goods/services).

3.2. In the Organization can create (creates, collects and maintains) the following documents and information, including in electronic form, containing information about the Clients:

3.2.1. Profile (profile) of the Client.

3.2.2. Application for registration-natural person.

3.2.3. Confirmation of the conclusion of the User agreement.

3.2.5. Copies of identity documents and other documents provided by the Client and containing personal data.

3.2.6. Data on payment orders (goods/services), containing the date and amount of payment, shipping address and contact information provided by the Client.

3.2.7. Data at addresses delivery orders (goods/services).

3.2.8. Recording telephone conversations and email correspondence.


4. The purpose of the processing of personal data.

4.1. The purpose of the processing of personal data - implementation of a set of actions aimed at achieving the objective, including:

4.1.1. Provision of Advisory, information and mediation services.

4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.

4.1.3. In order to fulfill the requirements of the legislation of the Russian Federation.

4.2. Condition for the termination of personal data processing is the elimination of the Organization as well as the requirement of the Client.


5. Collection, processing and protection of personal data.

5.1. The order of receiving (collecting) of personal data:

5.1.1. All Customer data should be obtained from him personally with his written consent, except as specified in clauses 5.1.4 and 5.1.6 of the present The provisions and other cases stipulated by the legislation of the Russian Federation.

5.1.2. The Customer's consent to the use of his personal data stored in your Organization in paper and/or electronic form.
5.1.3. The subject's consent to process personal data is valid during the entire term of the contract and for 5 years from the date of termination of the contractual relationship of the Customer with the Organization. After the specified period, the consent shall be deemed extended for each following five years in the absence of information about its revocation by the Client.

5.1.4. If a Customer's personal information may only be obtained from a third party, the Client must be notified in advance and there shall be obtained a written consent. The third person providing personal data the Client needs to have the subject's consent to the transfer of personal data to the Organization. The organization must obtain confirmation from the third party transferring the personal data of the Client that the personal ddata is transferred with his consent. Organization is required when interacting with third parties to conclude an agreement with them about the confidentiality of information regarding Clients ' personal data.


5.1.5. The organization is obliged to inform the Client of the purposes, expected sources and ways of obtaining personal data and on the nature of the receivable personal data and consequences of refusal of the Client's personal data to give written consent to receive them.

5.1.6. Processing of Customers ' personal data without their consent is carried out in the following cases: Personal data are publicly available. Upon the request of competent state bodies in cases stipulated by the Federal law of the Russian Federation. The processing of personal data carried out on the basis of the Federal law establishing its purpose, conditions of obtaining personal data and the range of subjects that personal data which are subject to treatment, as well as defining the powers of the operator. Personal data shall be processed for the conclusion and execution of the contract, one side of which is the subject of personal data – the Client. Personal data are processed for statistical purposes under condition of obligatory personal data depersonalization. In other cases stipulated by law.

5.1.7. The organization has the right to obtain and process personal data of the Client on his race, national origin, political opinions, religious or philosophical beliefs, state of health, intimate life.

5.2. The processing of personal data:

5.2.1. The data subject provides the Organization with reliable information about yourself.

5.2.2. To the processing of personal data of the Clients can have access only to employees of the Organization, admitted to dealing with personal data the Customerand signed a non-disclosure Agreement personal data of the Client.

5.2.3. The right of access to personal data of the Client within the Organization:

the List of names of Organization employees who have access to personal data of the Clients is determined by the order of Director of the Organization.

5.2.4. The processing of Customer personal data may be used exclusively for the purposes prescribed by the regulations and in compliance with laws and other regulatory legal acts of the Russian Federation.

5.2.5. When Oprahthe division of the volume and content of processed personal data, the Organization is guided by the Constitution of the Russian Federation, the law on personal data, and other Federal laws.

5.3. Personal data protection:
5.3.1. Under the protection of the personal data of the Client is understood as the set of measures (administrative, technical, legal) to prevent unauthorized or accidental access, destruction, alteration, blocking, copying, distribution of personal data subjects, as well as other unlawful actions.

5.3.2. Protection of personal data of the Client is carried out by Organizations in the procedure established by the Federal law of the Russian Federation.

5.3.3. The organization in the protection of personal data of Customers shall take all necessary administrative, legal and technical measures, including:


5.3.4. The General organization of protection of Customers ' personal data carried out by the Director of the Organization.

5.3.5. Access to personal data of the Customer are employees of the Organization who need personal data in connection with the performance of their duties.

5.3.6. All staff involved with receiving, processing and protecting personal data Clients are required to sign a confidentiality Agreement of Clients ' personal data.

5.3.7. The procedure of registration of access to personal data of the Customer includes:


5.3.8. Employee with access to personal Customer data in connection with the performance of duties:


5.3.9. The HR Manager provides:


5.3.10. Protection of Customers ' personal data stored in electronic databases of the Organization, from unauthorized access, corruption or destruction of information, as well as other unlawful actions provided by your System administrator.

5.4. Storage of personal data:

5.4.1. Personal data of Customers are stored on paper in vaults.

5.4.2. Personal Customer data is electronically stored in a local computer network in electronic folders, and FAlah in personal computers of the Director and staff allowed to process personal data.

5.4.3. Documents containing personal data of Customers stored in lockers (safes), providing protection from unauthorized access. At the end of the day all documents containing personal information Clients are placed in lockers (safes), which provide protection from unauthorized access.

5.4.4. Protection of access to electronic databases containing personal data of the Clients is provided by:

the Unauthorized entry in PCs containing personal Customer data is locked by a password which is set by the System administrator and shall not be disclosed. All electronic folders and files containing personal data of Customers are protected by the password that is set responsible for PC in the Organization and reported to the System administrator. Changing passwords the System administrator is not less than 1 time per 3 months.

5.4.5. To copy and make extracts of Client's personal data is permitted solely for official purposes with the written permission of the Director of the Organization.

5.4.6. Responses to written requests from other organizations and institutions on personal data Clients are given only with the written consent of the Client, unless otherwise established by the legislation of the Russian Federation. Responses shall be in writing, on company letterhead and in that volume which allows it not to disclose the excessive amount of personal Customer data.


6. Blocking, depersonalization, destruction of personal data

6.1. The procedure for locking and unlocking of personal data:

6.1.1. Lock the personal data of the Clients are provided with a written statement of the Client.

6.1.2. Locking of personal data implies: The prohibition of editing of personal data. Prohibition on dissemination of personal data by any means (e-mail, cell phones, tangible media). Ban the use of personal data in mass mailings (sms, e-mail, mail). Withdrawal of paper records relating to the Client and containing his personal data from the internal document flow of the Organization and prohibition of their use.

6.1.3. Lock personal data of the Client may be temporarily removed if required to comply with the lawDateList of the Russian Federation.

6.1.4. Unlock the Client's personal data is carried out with written consent (subject to necessary consent) or the Client's application.

6.1.5. Repeat the Customer's consent to the processing of personal data (if necessary obtain) will unlock his / her personal data.

6.2. The procedure of de-identification and destruction of personal data:

6.2.1. Depersonalization of personal data of the Customer occurs upon written request of the Customer, provided that all contracts are completed and the end date of the last contract took at least 5 years.

6.2.2. When depersonalization of personal data in information systems are replaced with character set by which it is impossible to determine the identity of personal data to a specific Client.

6.2.3. Hard copies of documents in the depersonalization of personal data are destroyed.

6.2.4. The organization shall ensure that confidentialenosti in relation to personal data, if necessary, testing of information systems on the territory of the developer and to produce depersonalization of personal data passed to the developer information systems.

6.2.5. Destruction of personal data of the Client implies the termination of any access to personal data of the Client.

6.2.6. With the destruction of the personal data of the Customer employees can access the personal data of the subject in information systems.

6.2.7. Hard copies of documents for destruction of personal information are destroyed, personal data in information systems are depersonalized. Personal data can not be recovered.

6.2.8. Operation destruction of personal data is not recoverable.

6.2.9. Period, after which operation is possible destruction of personal Customer data, is determined by the end of the period mentioned in paragraph 7.3 hereof.


7. Transmission and storage of personal data

7.1. Transfer of personal data:

7.1.1. Transfer of personal data of the subject is the dissemination of information via communication channels and physical media.

7.1.2. When transferring personal data employees of the Organization must comply with the following requirements: Not to disclose a Customer's personal information for commercial purposes. Not to disclose personal Customer data to a third party without the written consent of the Client except for cases stipulated by the Federal law of the Russian Federation. To warn the persons receiving personal data of the Client that these data can be used only for the purposes for which they are communicated, and to require such persons confirm that this rule is complied with; Allow access to Clients ' personal data only to specially authorized persons, and these persons shall have the right to receive only those personal datas Clients are required to perform specific functions. Transfer of personal Customer data within the Organization in accordance with these regulations, standard process documentation and job descriptions. To provide Client access to their personal data at application or upon receipt of Customer's request. The organization is obliged to inform the Customer of the existence of personal data concerning him and to provide the opportunity to examine them within ten working days after the request. Transfer personal Customer data to the Customer's representatives in order established by the legislation and normative-technological documentation and limit this information to only those personal data of the subject that are required to fulfil their functions. To provide a log of issued Clients ' personal data, which fexeroise information about the person who transferred personal data of the Clients, the date of transfer of personal data or the date of notification of refusal to provide personal data, but also identifies what information has been transferred (in the form of Annex No. 1).

7.2. Storage and use of personal data:

7.2.1. Storage of personal data is existence of records in information systems and physical media.

7.2.2. Personal Customer data is processed and stored in information systems, as well as on paper in the Organization. Personal Customer data is also stored in electronic form: in the local computer network in electronic folders and files in the PC of the Director General and employees are allowed to process personal data.

7.2.3. Storage of personal Customer data may be no longer than needed for processing, unless otherwise provided by Federaland the laws of the Russian Federation.

7.3. The storage period of personal data:

7.3.1. The storage time of the civil contracts containing personal data of the Clients and related to their conclusion, the execution of documents - 5 years after expiry of agreements.

7.3.2. During the period of storage of personal data cannot be anonymised or destroyed.

7.3.3. After a period of storage personal data may be depersonalized in information systems and destroyed on paper in the manner prescribed in the regulations and the acting legislation of the Russian Federation.


8. Rights of the data controller


8.1. To defend their interests in court.

8.2. To provide personal Customer data to third parties if required by applicable law (tax, law enforcement, etc.) or by agreement with the Client.

8.3. To refuse to provide personal data in the cases of PReducating legislation of the Russian Federation.

8.4. To use the personal data without the Customer's consent in cases stipulated by the legislation of the Russian Federation.


9. The rights of the Client

the Client has the right to:

9.1. To demand clarification of their personal data, their blocking or destruction in case personal data are incomplete, outdated, false, unlawfully obtained or are not necessary for the declared purpose of the processing, and also to take legal measures to protect their rights;

9.2. Require the list of processed personal data available in the Organization and the source of their receipt.

9.3. To obtain information about the timing of the processing of personal data, including terms of their storage.

9.4. To require notification of persons who previously received incorrect or incomplete personal data about all of their exceptions, corrections or additions.

9.5. To appeal to polnomoceny the authority to protect the rights of personal data subjects or to a court against unlawful acts or omissions in the processing of his personal data.


10. Responsibility for violation of norms regulating processing and protection of personal data

10.1. Employees of the company, guilty of violating the rules governing the receipt, processing and protection of personal data shall bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and internal local regulations of the Organization.