Regulation on the protection of Customers' personal data
1. Terms and definitions
1.1. Personal information — any information relating to an individual (personal data subject) who is identified or identifiable on the basis of such information, including his surname, name, patronymic, year, month, date and place of birth, address, email address, telephone number, family, social and property status, education, profession, income, and other information.
1.2. Personal data processing — actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (update, change), use, distribution (including transfer), depersonalization, blocking.
1.3. Privacy — a requirement, binding on a responsible person who has gained access to personal data, to prevent their distribution without the consent of the subject or other legal grounds.
1.4. Disclosure — actions aimed at the transfer of personal data to a certain circle of persons (transfer of personal data) or at making personal data known to an unlimited circle of persons, including publication of personal data in mass media, placement in information and telecommunication networks, or granting of access to personal data in any other way.
1.5. Using personal information — actions (operations) with personal data performed for the purposes of making decisions or other actions that generate legal consequences in respect of personal data subjects or otherwise affect their rights and freedoms or the rights and freedoms of others.
1.6. Blocking of personal data — temporary suspension of collection, systematization, accumulation, use and distribution of personal data, including their transfer.
1.7. Destruction of personal data — actions as a result of which it is impossible to restore the contents of personal data in the personal data information system, or as a result of which material carriers of personal data are destroyed.
1.8. Depersonalization of personal data — actions as a result of which it is impossible, without additional information, to determine which particular subject the personal data belong to.
1.9. Public personal information — personal information to which unlimited access is provided with the consent of the subject, or which in accordance with Federal laws is not subject to the requirement of confidentiality.
1.10. Information — information (messages, data) regardless of the form of their presentation.
1.11. Client (the data subject) - an individual, a consumer of the services of “Hospitality” (hereinafter the “Organization”).
1.12. Operator - a state body, municipal body, legal entity or individual who, independently or together with other persons, organizes and/or carries out the processing of personal data and determines the purposes of processing, the scope of personal data to be processed, and the actions (operations) performed with personal data. In this Regulation the Operator is OOO “Hospitality”.
2. General provisions.
2.1. This Regulation on the processing of personal data (hereinafter the Regulation) has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the Federal law "On information, information technologies and protection of information", Federal law 152-FZ "On personal data", and other Federal laws.
2.2. The purpose of this Regulation is to determine the procedure for processing and protecting the personal data of all Clients of the Organization whose data could be processed on the basis of the authority of the operator; to protect the rights and freedoms of man and citizen during the processing of personal data, including the rights to inviolability of private life and to personal and family privacy; and to establish the responsibility of officials who have access to personal data for failure to comply with the requirements of the norms regulating the processing and protection of personal data.
2.3. Procedure for entry into force and amendment.
2.3.1. This Regulation shall enter into force upon its approval by the General Director of the Organization and is valid indefinitely, until its replacement with a new Regulation.
2.3.2. Changes to the Regulation are made on the basis of Orders of the Director of the Organization.
3. The scope of personal data.
3.1. The personal data of the Customer include:
3.1.1. Surname, name, patronymic.
3.1.2. The birth month.
3.1.3. E-mail address.
3.1.4. Phone number (home, mobile).
3.1.5. Address for delivery (goods/services).
3.2. The Organization may create (creates, collects and maintains) the following documents and information, including in electronic form, containing information about Clients:
3.2.1. Profile of the Client.
3.2.2. Registration application of a natural person.
3.2.3. Confirmation of the conclusion of the User agreement.
3.2.5. Copies of identity documents and other documents provided by the Client and containing personal data.
3.2.6. Data on payment orders (goods/services), containing the date and amount of payment, shipping address and contact information provided by the Client.
3.2.7. Data on delivery addresses for orders (goods/services).
3.2.8. Recordings of telephone conversations and email correspondence.
4. The purpose of the processing of personal data.
4.1. The purpose of the processing of personal data - implementation of a set of actions aimed at achieving the objective, including:
4.1.1. Provision of advisory, information and mediation services.
4.1.2. Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions.
4.1.3. In order to fulfill the requirements of the legislation of the Russian Federation.
4.2. The conditions for termination of personal data processing are the liquidation of the Organization, as well as a corresponding demand of the Client.
5. Collection, processing and protection of personal data.
5.1. The order of receiving (collecting) of personal data:
5.1.1. All Customer data should be obtained from him personally with his written consent, except as specified in clauses 5.1.4 and 5.1.6 of this Regulation and in other cases stipulated by the legislation of the Russian Federation.
5.1.2. The Customer's consent to the use of his personal data is stored in the Organization in paper and/or electronic form.
5.1.3. The subject's consent to process personal data is valid during the entire term of the contract and for 5 years from the date of termination of the contractual relationship of the Customer with the Organization. After the specified period, the consent shall be deemed extended for each following five years in the absence of information about its revocation by the Client.
5.1.4. If a Customer's personal information can only be obtained from a third party, the Client must be notified in advance and his written consent must be obtained. The third party providing the Client's personal data must have the subject's consent to the transfer of personal data to the Organization. The Organization must obtain confirmation from the third party transferring the Client's personal data that the personal data are transferred with his consent. When interacting with third parties, the Organization is required to conclude an agreement with them on the confidentiality of information regarding Clients' personal data.
5.1.5. The Organization is obliged to inform the Client of the purposes, expected sources and ways of obtaining personal data, of the nature of the personal data to be obtained, and of the consequences of the Client's refusal to give written consent to their receipt.
5.1.6. Processing of Customers' personal data without their consent is carried out in the following cases:
5.1.6.1. Personal data are publicly available.
5.1.6.2. Upon the request of competent state bodies in cases stipulated by the Federal law of the Russian Federation.
5.1.6.3. The processing of personal data is carried out on the basis of a Federal law establishing its purpose, the conditions of obtaining personal data and the range of subjects whose personal data are subject to processing, as well as defining the powers of the operator.
5.1.6.4. Personal data are processed for the conclusion and execution of a contract, one party to which is the subject of personal data – the Client.
5.1.6.5. Personal data are processed for statistical purposes under condition of obligatory personal data depersonalization.
5.1.6.6. In other cases stipulated by law.
5.1.7. The organization has the right to obtain and process personal data of the Client on his race, national origin, political opinions, religious or philosophical beliefs, state of health, intimate life.
5.2. The processing of personal data:
5.2.1. The data subject provides the Organization with reliable information about himself.
5.2.2. Only employees of the Organization who are admitted to work with the Customer's personal data and have signed a non-disclosure Agreement on the Client's personal data may have access to the processing of Clients' personal data.
5.2.3. The right of access to personal data of the Client within the Organization is held by:
- The Director.
- Employees responsible for operational work (Accounting, Finance Department).
- Employees of the Department for work with Clients (CRM).
- Employees of the Department of support of Partners.
- Employees of the marketing Department.
- Employees of the Personnel Service.
- Employees of the legal service.
- IT professionals (information technology Department).
- The Client, as the personal data subject.
5.2.3.1. The list of names of the Organization's employees who have access to personal data of the Clients is determined by the order of the Director of the Organization.
5.2.4. Customer personal data may be processed exclusively for the purposes established by this Regulation and in compliance with laws and other regulatory legal acts of the Russian Federation.
5.2.5. When determining the volume and content of processed personal data, the Organization is guided by the Constitution of the Russian Federation, the law on personal data, and other Federal laws.
5.3. Personal data protection:
5.3.1. Protection of the Client's personal data means the set of measures (administrative, technical, legal) to prevent unauthorized or accidental access to, and destruction, alteration, blocking, copying or distribution of, the personal data of subjects, as well as other unlawful actions.
5.3.2. Protection of personal data of the Client is carried out by the Organization in the manner established by the Federal law of the Russian Federation.
5.3.3. In protecting Customers' personal data, the Organization shall take all necessary administrative, legal and technical measures, including:
- Encryption (cryptographic) tools.
- Anti-virus protection.
- Security analysis.
- Intrusion detection and prevention.
- Access control.
- Ensuring integrity.
- Organization of normative-methodical local acts regulating the protection of personal data.
5.3.4. The general organization of the protection of Customers' personal data is carried out by the Director of the Organization.
5.3.5. Access to the Customer's personal data is held by employees of the Organization who need personal data in connection with the performance of their duties.
5.3.6. All staff involved in receiving, processing and protecting Clients' personal data are required to sign a confidentiality Agreement on Clients' personal data.
5.3.7. The procedure for granting access to personal data of the Customer includes:
- Familiarization of the employee, against signature, with this Regulation. Where there are other normative acts (orders, instructions, etc.) regulating the processing and protection of personal data of the Client, the employee is also familiarized with these acts against signature.
- Obtaining from the employee (except the CEO) a written commitment to respect the confidentiality of Customers' personal data and to comply with the rules of their processing in accordance with the internal local normative acts regulating the security of confidential information.
5.3.8. An employee with access to personal Customer data in connection with the performance of duties:
- Ensures storage of information containing personal data of the Client in a way that excludes access by third parties.
- In the absence of the employee, there should be no documents containing personal client information at his workplace.
- When leaving on vacation, during business trips and in other cases of prolonged absence from his workplace, he is obliged to hand over documents and other media containing personal data of Customers to the person who is entrusted, by a local act of the Company (order), with the performance of his employment duties.
- In the case where such a person is not appointed, the documents and other media containing personal data of Customers are transferred to another employee with access to personal data of the Clients as directed by the Director of the Organization.
- Upon the dismissal of an employee with access to personal Customer data, documents and other media containing personal data of Customers are transferred to another employee with access to personal Customer data at the direction of the Director-General.
- In order to perform assigned tasks, and on the basis of an official note with a positive resolution of the Director General, access to personal data of the Client can be granted to another employee. Access to personal data of the Client by other employees of the Organization who do not have properly authorized access is prohibited.
5.3.9. The HR Manager ensures:
- Familiarization of staff, against signature, with this Regulation.
- Obtaining from employees a written commitment to respect the confidentiality of personal data of the Client (confidentiality Agreement) and the rules of their processing.
- General control over compliance by employees with measures to protect the personal data of the Client.
5.3.10. Protection of Customers' personal data stored in electronic databases of the Organization from unauthorized access, corruption or destruction of information, as well as other unlawful actions, is ensured by the System administrator.
5.4. Storage of personal data:
5.4.1. Personal data of Customers are stored on paper in vaults.
5.4.2. Personal Customer data is stored electronically in a local computer network, in electronic folders and files on the personal computers of the Director and of staff allowed to process personal data.
5.4.3. Documents containing personal data of Customers are stored in lockers (safes) providing protection from unauthorized access. At the end of the day all documents containing Clients' personal information are placed in lockers (safes), which provide protection from unauthorized access.
5.4.4. Protection of access to electronic databases containing personal data of the Clients is provided by:
- Use of licensed antivirus and anti-hacker programs that do not allow unauthorized entry into the local network of the Organization.
- Differentiation of access rights using user accounts.
- A two-stage password system: at the level of the local computer network and at the database level. Passwords are set by the System administrator of the Organization and reported individually to employees with access to personal data of its Customers.
5.4.4.1. Unauthorized entry into PCs containing personal Customer data is blocked by a password which is set by the System administrator and shall not be disclosed.
5.4.4.2. All electronic folders and files containing personal data of Customers are protected by a password that is set by the person responsible for the PC in the Organization and reported to the System administrator.
5.4.4.3. Passwords are changed by the System administrator at least once every 3 months.
5.4.5. Copying and making extracts of the Client's personal data is permitted solely for official purposes with the written permission of the Director of the Organization.
5.4.6. Responses to written requests from other organizations and institutions concerning Clients' personal data are given only with the written consent of the Client, unless otherwise established by the legislation of the Russian Federation. Responses shall be in writing, on company letterhead, and in a volume that does not disclose an excessive amount of personal Customer data.
6. Blocking, depersonalization, destruction of personal data
6.1. The procedure for locking and unlocking of personal data:
6.1.1. Blocking of Clients' personal data is carried out on the basis of a written statement of the Client.
6.1.2. Blocking of personal data implies:
6.1.2.1. Prohibition of editing of personal data.
6.1.2.2. Prohibition of dissemination of personal data by any means (e-mail, cell phones, tangible media).
6.1.2.3. Prohibition of the use of personal data in mass mailings (sms, e-mail, mail).
6.1.2.4. Withdrawal of paper records relating to the Client and containing his personal data from the internal document flow of the Organization and prohibition of their use.
6.1.3. Blocking of the Client's personal data may be temporarily lifted if required to comply with the legislation of the Russian Federation.
6.1.4. Unblocking of the Client's personal data is carried out with his written consent (where consent is required) or on the Client's application.
6.1.5. The Customer's repeated consent to the processing of personal data (where it is necessary to obtain it) unblocks his / her personal data.
6.2. The procedure of de-identification and destruction of personal data:
6.2.1. Depersonalization of personal data of the Customer occurs upon written request of the Customer, provided that all contracts are completed and at least 5 years have passed since the end date of the last contract.
6.2.2. During depersonalization, personal data in information systems are replaced with a set of characters from which it is impossible to determine which specific Client the personal data belong to.
6.2.3. Hard copies of documents are destroyed when personal data are depersonalized.
6.2.4. The Organization shall ensure confidentiality in relation to personal data when it is necessary to test information systems on the territory of the developer, and shall depersonalize the personal data in information systems passed to the developer.
6.2.5. Destruction of personal data of the Client implies the termination of any access to personal data of the Client.
6.2.6. With the destruction of the personal data of the Customer employees can access the personal data of the subject in information systems.
6.2.7. When personal information is destroyed, hard copies of documents are destroyed and personal data in information systems are depersonalized. Personal data cannot be recovered.
6.2.8. The operation of destroying personal data is irreversible.
6.2.9. The period after which destruction of personal Customer data becomes possible is determined by the end of the period mentioned in paragraph 7.3 hereof.
7. Transmission and storage of personal data
7.1. Transfer of personal data:
7.1.1. Transfer of personal data of the subject is the dissemination of information via communication channels and physical media.
7.1.2. When transferring personal data employees of the Organization must comply with the following requirements:
7.1.2.1. Not to disclose a Customer's personal information for commercial purposes.
7.1.2.2. Not to disclose personal Customer data to a third party without the written consent of the Client, except for cases stipulated by the Federal law of the Russian Federation.
7.1.2.3. To warn the persons receiving personal data of the Client that these data can be used only for the purposes for which they are communicated, and to require such persons to confirm that this rule is complied with.
7.1.2.4. To allow access to Clients' personal data only to specially authorized persons; these persons shall have the right to receive only those personal data of Clients that are required to perform specific functions.
7.1.2.5. To transfer personal Customer data within the Organization in accordance with this Regulation, standard process documentation and job descriptions.
7.1.2.6. To provide the Client with access to his personal data on application or upon receipt of the Customer's request. The Organization is obliged to inform the Customer of the existence of personal data concerning him and to provide the opportunity to examine them within ten working days after the request.
7.1.2.7. To transfer personal Customer data to the Customer's representatives in the manner established by the legislation and normative-technological documentation, and to limit this information to only those personal data of the subject that are required for the representatives to fulfil their functions.
7.1.2.8. To maintain a log of issued Clients' personal data, which records information about the person who transferred personal data of the Clients and the date of transfer of personal data or the date of notification of refusal to provide personal data, and also identifies what information has been transferred (in the form of Annex No. 1).
7.2. Storage and use of personal data:
7.2.1. Storage of personal data is existence of records in information systems and physical media.
7.2.2. Personal Customer data is processed and stored in information systems, as well as on paper in the Organization. Personal Customer data is also stored in electronic form: in the local computer network, in electronic folders and files on the PCs of the Director General and of employees allowed to process personal data.
7.2.3. Personal Customer data may be stored no longer than needed for processing, unless otherwise provided by the Federal laws of the Russian Federation.
7.3. The storage period of personal data:
7.3.1. The storage period for civil contracts containing personal data of the Clients, and for documents related to their conclusion and execution, is 5 years after expiry of the agreements.
7.3.2. During the storage period, personal data cannot be anonymised or destroyed.
7.3.3. After the storage period expires, personal data may be depersonalized in information systems and destroyed on paper in the manner prescribed in this Regulation and the current legislation of the Russian Federation.
8. Rights of the data controller
8.1. To defend their interests in court.
8.2. To provide personal Customer data to third parties if required by applicable law (tax, law enforcement, etc.) or by agreement with the Client.
8.3. To refuse to provide personal data in the cases provided for by the legislation of the Russian Federation.
8.4. To use the personal data without the Customer's consent in cases stipulated by the legislation of the Russian Federation.
9. The rights of the Client
The Client has the right:
9.1. To demand clarification of his personal data, or their blocking or destruction, if the personal data are incomplete, outdated, false, unlawfully obtained or not necessary for the declared purpose of the processing, and also to take legal measures to protect his rights.
9.2. To require the list of his processed personal data available in the Organization and the source from which they were received.
9.3. To obtain information about the timing of the processing of personal data, including terms of their storage.
9.4. To require notification of persons who previously received incorrect or incomplete personal data about all exceptions, corrections or additions made to them.
9.5. To appeal to the authorized body for the protection of the rights of personal data subjects, or to a court, against unlawful acts or omissions in the processing of his personal data.
10. Responsibility for violation of norms regulating processing and protection of personal data
10.1. Employees of the company, guilty of violating the rules governing the receipt, processing and protection of personal data shall bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Russian Federation and internal local regulations of the Organization.