Regulation (Policy) on the protection and storage of personal data of counterparties, customers, website users and other persons who are not employees of Promo Travel LLC
1. General Provisions
1.1. This Regulation determines the procedure for processing personal data of counterparties, customers, users of the website and other persons who are not employees of Promo Travel Limited Liability Company (hereinafter referred to as the Company).
1.2. The processing of personal data of the subject of personal data is carried out solely to ensure compliance with laws and other regulatory legal acts, fulfilling civil obligations, and ensuring the personal security of subjects of personal data by the provisions of the Federal Law of July 27, 2006, N 152-FZ "On Personal Data" and other regulatory acts of the Russian Federation.
2. Basic concepts. Composition of personal data
2.1. For this Regulation, the following basic concepts are used:
subject of personal data - an individual who is directly or indirectly determined or determined with the help of personal data (hereinafter referred to as the subject of personal data/subject);
personal data - any information relating to a directly or indirectly identified or identifiable individual (subject of personal data) (clause 1, article 3 of the Federal Law of July 27, 2006, N 152-FZ), including the User of the website
http://promotravel.ru/;
- personal data authorized by the subject of personal data for dissemination,
- personal data, access of an unlimited number of persons to which is provided by the subject of personal data by giving consent to the processing of personal data permitted by the subject of personal data for distribution in the manner prescribed by Federal Law No. 152-FZ of July 27, 2006 (hereinafter referred to as personal data permitted distribution) (clause 1.1, article 3 of the Federal Law of July 27, 2006, N 152-FZ);
operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data (clause 2, article 3 of the Federal Law of July 27, 2006, N 152-FZ);
processing of personal data of the subject - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data (clause 3, article 3 of the Federal Law of July 27, 2006 N 152-FZ);
dissemination of personal data - actions aimed at disclosing personal data of subjects of personal data to an indefinite circle of persons (clause 5, article 3 of the Federal Law of July 27, 2006 N 152-FZ);
provision of personal data - actions aimed at disclosing personal data of personal data subjects to a certain person or a certain circle of persons (clause 6, article 3 of the Federal Law of July 27, 2006, N 152-FZ);
blocking of personal data - temporary suspension of the processing of personal data subjects (except when processing is necessary to clarify personal data) (clause 7, article 3 of the Federal Law of July 27, 2006, N 152-FZ);
destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data of subjects of personal data and (or) as a result of which material carriers of personal data of subjects of personal data are destroyed (clause 8 of article 3 of the Federal Law of 27.07. 2006 N 152-FZ);
depersonalization of personal data - actions as a result of which it becomes impossible, without the use of additional information, to determine the ownership of personal data by a specific subject of personal data (clause 9, article 3 of the Federal Law of July 27, 2006 N 152-FZ);
Company client:a) an individual - a customer of a tourist product (subject of personal data), who has concluded an agreement with the Company or another legal entity for the sale of a tourist product;
b) an individual - a tourist (personal data subject), on whose behalf the customer of the tourist product has concluded an agreement with the Company for the sale of the tourist product.
website - a set of graphic and information materials, as well as computer programs and databases that ensure their availability on the Internet at the network address
http://promotravel.ru/;
website user - any visitor to the website
http://promotravel.ru/;
other individuals - an individual (subject of personal data) who has entered into an agreement with the Company for the provision of a certain type of service or work for an employee of a third-party legal entity that has a contractual relationship with the Company;
сookies are data that are automatically transferred to the Operator during the use of the Site using software installed on the User's device, including IP address, geographic location, information about the browser and type of operating system of the User's device, technical characteristics of the equipment and software used by the User, date and time of access to the Site.
2.2. To fulfil obligations under civil law contracts and in connection with other relationships with counterparties and other persons who are not employees of the Company, the Company, in obligatory compliance with the norms of the current legislation of the Russian Federation on the protection of personal data, processes the following categories of data:
- personal data - any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
- biometric personal data - information that characterizes the physiological and biological characteristics of a person, based on which it is possible to establish his identity and which is used by the operator to identify the subject of personal data;
- information about the client of the Company in the amount necessary for the sale of the tourist product to conclude and properly fulfil the contract, including, but not limited to last name, first name, patronymic of the client, data of a general passport, data of a foreign passport, gender, date of birth, citizenship, telephone number and others personal data (by Article 10 of the Federal Law of November 24, 1996 No. 132-FZ "On the Fundamentals of Tourism in the Russian Federation");
- anonymized data of website Users (including cookies) using Internet statistics services (Yandex Metrica).
2.3. The main subdivision of the Company creates and stores the following groups of documents containing data on subjects of personal data in a single or consolidated form:
- sets of documents accompanying the process of rendering services, fulfilling obligations within the framework of civil law relations of the Company with subjects of personal data;
- a set of materials for questioning subjects;
- personal files, including an electronic copy of the passport (pages with data on the last name, first name, patronymic, date and place of issue of the passport, registration at the place of residence, marriage registration and the presence of children); an electronic copy of a foreign passport; an electronic copy of the document on education, advanced training, retraining, etc.; information about the marital status of the subject of personal data, the change of his surname;
- a set of materials at the request of Users of the website
- planning, accounting, analysis and reporting documents on settlements with entities.
2.5. Categories of personal data subjects.
The subjects whose personal data are processed by the Company by the Regulations include:
- The company's clients are individuals;
- employees of the Company's clients;
- counterparties of the Company - individuals;
- employees of the Company's counterparties;
- website users;
- other persons whose personal data the Company is obliged to process by the legislation on personal data.
3. Purposes of personal data processing,
categories and lists of processed personal data
3.1. According to the Regulation, personal data is processed for:
a) application and enforcement of civil law in the framework of contractual and other directly related relations;
b) fulfilment of the obligations of the Company and the exercise of the rights of the Company under agreements concluded with customers for the sale of a tourist product by the norms of Federal Law No. 132-FZ of November 24, 1996 “On the Basics of Tourist Activities in the Russian Federation”;
c) execution of an agreement to which the client is a party or a beneficiary or guarantor, as well as to agree on the initiative of the client or an agreement under which the client will be the beneficiary or guarantor;
d) fulfilment of the obligations of the Company and exercise of the rights of the Company under agreements concluded with legal entities by the norms of the Civil Code of the Russian Federation and Federal Law No. 132-FZ of November 24, 1996 “On the Basics of Tourist Activities in the Russian Federation”;
e) performing marketing and promotional activities to establish and further develop relationships with customers and users of the website;
f) conducting statistical research to collect information about the actions of Users on the website, to improve the quality of the website and its content.
g) obtaining data for Yandex Metrica analytics services (Yandex Privacy Policy
https://yandex.ru/legal/confidential/)
3.2. By the purpose specified in clause 3.1 of the Regulations, the Company processes the following personal data:
- surname, name, patronymic (if any), as well as previous surname, first name, patronymic (if any), date and place of their change (if any);
- gender;
- date (day, month, year) and place of birth;
- photographic image;
- information about citizenship;
- type, series, number of the identity document, name of the authority that issued it, date of issue;
- insurance number of an individual personal account (SNILS);
- taxpayer identification number (TIN);
- address and date of registration at the place of residence (place of stay), address of actual residence;
- contact phone number, e-mail address and (or) information about other methods of communication;
- details of certificates of state registration of acts of civil status and the information contained therein;
- information about the marital status, family composition (degree of relationship, surnames, first names, patronymics (if any), dates (day, month, year) and place of birth);
- information about education and (or) qualifications or any special knowledge (including the name of the educational and (or) other organization, year of graduation, level of education, qualifications, details of the document on education, training);
- information about knowledge of foreign languages;
- information contained in documents giving the right to stay and work on the territory of the Russian Federation (for foreign citizens staying in the Russian Federation);
- information contained in a temporary residence permit in the Russian Federation (for foreign citizens temporarily residing in the Russian Federation), a residence permit (for foreign citizens permanently residing in the Russian Federation);
- current account number, bank card;
- information about the presence (absence) of a criminal record and (or) the fact of criminal prosecution or the termination of criminal prosecution on rehabilitating grounds (for certain categories of subjects);
- telephone, email, social networks;
- other personal data contained in documents, the submission of which is required by law, if the processing of these data complies with the purpose of processing provided for in clause 3.1 of the Regulations;
- other personal data that the subject wished to disclose about himself and the processing of which corresponds to the purpose of processing provided for in clause 3.1 of the Regulations.
3.3. The Operator may access, collect and use technical and other information related to the Personal Data Subject for the purposes specified in the Policy. Technical information is not personal data, but the Operator uses cookies that allow the Personal Data Subject to be identified. Technical information also means information that is automatically transferred to the Operator during the Personal Data Subject's use of the Site using the software installed on the Personal Data Subject's device, namely:
3.3.1. Data on the Personal Data Subject's activity on the Internet, in particular, on the pages visited, date and time of URL transitions, etc.;
3.3.2. Information about the device, browser type and version, operating system type and version used by the Personal Data Subject to access the Internet: IP address and (if the Personal Data Subject accesses the Site from a mobile device) device type, device screen resolution and its unique identifier;
3.3.3. Information about the resource from which the Personal Data Subject came to the Operator's Website (from which website or via which advertising link);
3.3.4. Information about the location of the Personal Data Subject's device;
3.3.5. Information about the Internet resources visited by the Personal Data Subject;
3.3.6. Data about interaction with the Operator's advertisements displayed outside the resource, their quantity, frequency and viewing depth.
4. Collection and processing of personal data of personal data subjects
4.1. The source of information about all personal data of the subject is directly the subject of personal data. If personal data can only be obtained from a third party, then the subject must be notified in writing in advance of this and written consent must be obtained from him. The Company is obliged to inform the subject of the purposes, alleged sources and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the subject's refusal to give written consent to receive them.
4.2. The Company collects and processes the personal data of the Website User only if the User sends it through the forms on the website. The User expresses his/her consent to this Policy by sending his/her personal data to the Company through the forms on the website.
4.3 The Company collects and processes anonymized data about the User if it is allowed in the User's browser settings (enabled saving of cookies and using JavaScript technology).
4.4. Processing of personal data permitted for distribution from among the special categories of personal data specified in Part 1 of Art. 10 of the Federal Law of July 27, 2006, N 152-FZ, is allowed if the prohibitions and conditions provided for in Art. 10.1 of the said Law.
4.5. The Company does not have the right to receive and process the subject's data on his membership in public associations or his trade union activities, except as provided for by the Labor Code of the Russian Federation or other federal laws.
4.6. The processing of personal data of subjects by the Company is possible only with their consent. The exception is cases provided for by the legislation of the Russian Federation (in particular, consent is not required if there are grounds and the conditions listed in paragraphs 2 - 11, part 1, article 6, paragraphs 2.1 - 10, part 2, article 10, Part 2, Article 11 of the Federal Law of July 27, 2006, N 152-FZ).
4.7. The written consent of the subject to the processing of his data must include, in particular, the information specified in paragraphs 1 - 9 of part 4 of Art. 9 of the Federal Law of July 27, 2006, N 152-FZ.
4.8. The subject's written consent to the processing of personal data permitted for distribution is issued separately from other consents to the processing of his data. At the same time, the conditions provided for, in particular, Art. 10.1 of the Federal Law of July 27, 2006 N 152-FZ. The requirements for the content of the consent to the processing of personal data permitted by the subject of personal data for distribution are approved by the Order of Roskomnadzor dated February 24, 2021, N 18.
4.9. The subject provides written consent to the processing of personal data permitted for distribution to the Company personally or in the form of an electronic document signed with an electronic signature using the information system of Roskomnadzor.
4.10. The Company is obliged, no later than three working days from the date of receipt of the specified consent, to publish information on the conditions of processing, on the existence of prohibitions and conditions for the processing by an unlimited number of persons of personal data permitted for distribution.
4.11. Consent to the processing of personal data permitted for distribution terminates from the moment the Company receives the request specified in clause 5.2.5 of these Regulations.
4.12. The subject of the Company submits reliable information about himself to the personnel department. The personnel department checks the accuracy of the information.
4.13. To ensure the rights and freedoms of man and citizen, the Company and its representatives, when processing the personal data of the subject, must comply, in particular, with the following general requirements:
- When determining the scope and content of the processed personal data of the subject, the Company must be guided by the Constitution of the Russian Federation and other federal laws.
- When making decisions affecting the interests of the subject, the Company does not have the right to rely on personal data obtained solely as a result of their automated processing or electronic receipt.
- Protection of the personal data of the subject from their unlawful use and loss is provided by the Company at its expense in the manner prescribed by federal laws.
- Subjects and their representatives must be familiarized against receipt with the documents of the Company establishing the procedure for processing personal data, as well as their rights and obligations in this area.
- Subjects must not waive their rights to maintain and protect secrets.
5. Transfer of personal data
5.1. When transferring personal data of the subject, the Company must comply with the following requirements:
- Do not disclose the personal data of the subject to a third party without the written consent of the subject, except when it is necessary to prevent a threat to the life and health of the subject, as well as in cases established by legislation on personal data.
- Do not disclose personal data of the subject for commercial purposes without his written consent. The processing of the personal data of subjects to promote goods works, and services on the market by making direct contact with a potential consumer using means of communication is allowed only with his prior consent.
- Warn persons who have received the subject's data that these data can only be used for the purposes for which they are reported, and require these persons to confirm that this rule has been observed. Persons who have received the personal data of the subject are obliged to observe the regime of secrecy (confidentiality).
- To carry out the transfer of personal data of subjects within the Company by these Regulations, with which the subjects must be familiarized under signature.
- Allow access to personal data of subjects only to specially authorized persons, while these persons should have the right to receive only those personal data that are necessary to perform a specific function.
- Transfer the personal data of the subject to representatives of the subjects in the manner prescribed by the legislation on personal data and other federal laws, and limit this information only to those personal data that are necessary for the specified representatives to perform their functions.
5.2. The prohibitions established by the subject on the transfer (except for granting access), as well as on the processing or processing conditions (except for obtaining access) of personal data permitted for distribution, do not apply in cases of processing personal data in state, public and other public interests determined by the legislation of the Russian Federation.
5.3. The personal data of the subjects are processed and stored in the Main division of the Company.
5.4. Personal data of subjects can be obtained, further processed and transferred to storage both on paper and in electronic form (via a local computer network).
5.5. When receiving personal data not from the subject (except cases provided for in Part 4 of Article 18 of the Federal Law of July 27, 2006, N 152-FZ), the Company, before processing such personal data, is obliged to provide the subject with the following information:
- name (surname, name, patronymic) and address of the operator or his representative;
- the purpose of processing personal data and its legal basis;
- intended users of personal data;
- the rights of the subject of personal data established by Federal Law No. 152-FZ of July 27, 2006;
- source of personal data.
6. Access to personal data of subjects
6.1. The following persons have the right to access personal data of subjects:
- CEO;
- Project manager;
- Chief Accountant;
- Tourism manager;
- Third parties to the extent necessary to carry out their functions.
6.2. The subject, in particular, has the right:
- Receive access to and familiarize themselves with their data, including the right to receive free of charge a copy of any record containing their data, except as otherwise provided by federal law.
- Require the Company to exclude or correct incorrect or incomplete personal data, as well as data processed in violation of the requirements of the Labor Code of the Russian Federation or other federal law. If the Company refuses to exclude or correct the personal data of the subject, he has the right to declare in writing to the Company his disagreement with the appropriate justification for such disagreement. The subject has the right to supplement personal data of an evaluative nature with a statement expressing his point of view.
- Receive from the Company information about the name and location of the operator, information about persons (excluding the subjects of the operator) who have access to personal data or to whom personal data may be disclosed based on an agreement with the operator or based on federal law.
- Require the Company to notify all persons who were previously provided with incorrect or incomplete personal data of all exceptions, corrections or additions made to them.
- Appeal to the authorized body for the protection of the rights of subjects of personal data or in court against illegal actions or inaction of the Company in the processing and protection of its data.
7. Terms of processing and storage of personal data
7.1. The processing of personal data in the Company is terminated in the following cases:
- when detected and the fact of unlawful processing of personal data. The term for terminating processing is within three working days from the date of detection of such a fact;
- upon achievement of the purposes of their processing (with some exceptions);
- upon expiration or withdrawal by the subject of personal data of consent to the processing of his data (with some exceptions), if, by the Law on Personal Data, their processing is allowed only with consent.
7.2. Personal data is stored in a form that allows you to identify the subject of personal data, no longer than required by the purposes of their processing. An exception is cases when the period of storage of personal data is established by federal law, an agreement to which the subject of personal data is a party (beneficiary or guarantor).
8. Procedure for blocking and destroying personal data
8.1. The Company blocks personal data in the manner and on the terms provided for by the legislation in the field of personal data.
8.2. Upon reaching the goals of processing personal data or in case of loss or the need to achieve these goals, personal data is destroyed or depersonalized. An exception may be provided by federal law.
8.3. Illegally obtained personal data or those that are not necessary for processing are destroyed within seven working days from the date the subject of personal data (his representative) submits confirming information.
8.4. Personal data, the processing of which was terminated due to its illegality and the legality of the processing of which cannot be ensured, is destroyed within 10 working days from the date of detection of illegal processing.
8.5. Personal data is destroyed within 30 days from the date of achievement of the purpose of processing, unless otherwise provided by the agreement to which the subject of personal data is a party (beneficiary or guarantor), another agreement between him and the Company, or if the Company is not entitled to process personal data without the consent of the subject personal data on the grounds provided for by federal laws.
8.6. Upon reaching the maximum storage period for documents containing personal data, personal data is destroyed within 30 days.
8.7. Personal data are destroyed (if their storage is not required to process personal data) within 30 days from the date of receipt by the subject of personal data of the consent to their processing. Another may provide for an agreement to which the subject of personal data is a party (beneficiary or guarantor), another agreement between him and the Company. In addition, personal data is destroyed within the specified period, if the Company is not entitled to process them without the consent of the subject of personal data on the grounds provided for by federal laws.
8.8. The selection of material media (documents, hard drives, flash drives, etc.) and (or) information in information systems containing personal data that is subject to destruction is carried out by the Company's divisions that process personal data.
8.9. The destruction of personal data is carried out by a commission established by order of the General Director.
8.9.1. The commission draws up an act indicating documents, other material carriers and (or) information in information systems containing personal data that are subject to destruction.
8.9.2. Personal data on paper is destroyed using a shredder. Personal data on electronic media are destroyed by mechanical violation of the integrity of the media, which does not allow reading or recovering personal data, as well as by deleting data from electronic media by methods and means of guaranteed removal of residual information.
8.9.3. Immediately after the destruction of personal data, an act on their destruction is drawn up. The form of the act is approved by the order of the General Director.
9. Protection of personal data. Procedures,
aimed at preventing and detecting violations
legislation, elimination of the consequences of such violations
9.1. Without the written consent of the subject of personal data, the Company does not disclose to third parties and does not distribute personal data, unless otherwise provided by federal law.
9.1.1. Disclosure and dissemination of personal data of subjects of personal data by telephone is prohibited.
9.2. To protect personal data in the Company, by orders of the General Director, the following are appointed (approved):
- the subject responsible for organizing the processing of personal data;
- form of consent to the processing of personal data, a form of consent to the processing of personal data authorized by the subject of personal data for distribution;
- consent form for the transfer of personal data;
- other local regulations adopted by the requirements of legislation in the field of personal data.
9.3. Material carriers of personal data are stored in lockers. Premises The facilities of the Society in which they are located are equipped with locking devices. Issuance of keys to cabinets and rooms is carried out under the signature.
9.4. Access to personal information contained in the information systems of the Company is carried out using individual passwords.
9.5. The Company uses certified anti-virus software with regularly updated databases.
9.6. Employees of the Company processing personal data are periodically trained in the requirements of legislation in the field of personal data.
9.7. The job descriptions of the Company's entities processing personal data include, in particular, provisions on the need to report any cases of unauthorized access to personal data.
9.8. The Company conducts internal investigations in the following situations:
- in case of unlawful or accidental transfer (provision, distribution, access) of personal data, which caused a violation of the rights of subjects of personal data;
- in other cases stipulated by the legislation in the field of personal data.
9.9. The entity responsible for organizing the processing of personal data exercises internal control:
- for compliance by employees authorized to process personal data with the requirements of legislation in the field of personal data, and local regulations;
- compliance of these acts with the requirements of legislation in the field of personal data.
Internal control takes place in the form of internal audits.9.9.1. Internal scheduled audits are carried out based on an annual plan, which is approved by the General Director.
9.92. Internal unscheduled inspections are carried out by the decision of the entity responsible for organizing the processing of personal data. The basis for them is information about the violation of legislation in the field of personal data, received orally or in writing.
9.9.3. Based on the results of the internal audit, a memorandum addressed to the General Director is drawn up. In case of violations, the document provides a list of measures to eliminate them and the corresponding deadlines.
9.10. An internal investigation is carried out if a fact of illegal or accidental transfer (provision, distribution, access) of personal data is revealed, which resulted in a violation of the rights of personal data subjects (hereinafter referred to as the incident).9.10.1. In the event of an incident, the Company notifies Roskomnadzor within 24 hours:
- about the incident;
- its alleged causes and harm caused to the rights of the subject (several subjects) of personal data;
- measures taken to eliminate the consequences of the incident;
- a representative of the Company who is authorized to interact with Roskomnadzor on issues related to the incident.
9.10.2. Within 72 hours, the Company must do the following:
- notify Roskomnadzor of the results of the internal investigation;
- provide information about the persons whose actions caused the incident (if any).
9.11. If the subject of personal data (his representative) provides confirmed information that personal data is incomplete, inaccurate or out of date, changes are made to them within seven working days. The Company notifies in writing the subject of personal data (his representative) of the changes made and informs (by e-mail) about the third parties to whom personal data was transferred.
9.12. The Company notifies the subject of personal data (his representative) about the elimination of violations in terms of unlawful processing of personal data. Roskomnadzor is also notified if it sent a request from the personal data subject (his representative) or made a request himself.
9.12.1. In case of destruction of personal data that was illegally processed, a notification is sent by clause 9.12 of the Regulations.
9.13. In the event of the destruction of personal data illegally obtained or not necessary for the stated purpose of processing, the Company notifies the subject of personal data (his representative) of the measures taken in writing. The Company also notifies by e-mail third parties to whom such personal data were transferred.
10. Responsibility for violation of the norms governing
processing of personal data
10.1. Persons guilty of violating the provisions of the legislation of the Russian Federation in the field of personal data when processing the personal data of the subject are subject to disciplinary and material liability in the manner established by the current legislation of the Russian Federation and are also subject to administrative, civil or criminal liability in the manner established by federal laws.
10.2. Moral damage caused to the subject as a result of violation of his rights, violation of the rules for processing personal data, as well as non-compliance with the requirements for the protection of personal data established by Federal Law No. 152-FZ of July 27, 2006, is subject to compensation by the legislation of the Russian Federation. Compensation for non-pecuniary damage is carried out without depending on compensation for property damage and losses incurred by the subject.
11. Final provisions
11.1. The Company has the right to apply any changes to the current Policy by publishing the new edition of the Policy on the Company's website. Changes come into force from the moment the new edition of the Policy is published on the Company's website
http://promotravel.ru/.
11.2. The Subject of personal data may obtain any clarifications on issues of interest regarding the processing of his/her personal data by contacting the Company via e-mail at info@promotravel.ru.