1. GENERAL PROVISIONS
  • The Regulation on Personal Data Processing (hereinafter referred to as the «Regulation») was issued and is applied by GRK EURASIA LLC (hereinafter referred to as the «Operator») in accordance with clause 2, part 1, article 1 of the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data». 1, paragraph 1, part 1 of the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data».
  • This Regulation defines the policy, procedure and conditions of the Operator in relation to personal data processing, establishes procedures aimed at prevention and detection of violations of the legislation of the Russian Federation, elimination of consequences of such violations related to personal data processing.
  • All issues related to the processing of personal data not regulated by this Regulation shall be resolved in accordance with the current legislation of the Russian Federation in the field of personal data.
  • The purpose of processing personal data is:
  • Provision of hotel services,
  • realization of functions related to the Operator’s participation in the system of registration at the place of stay of citizens in the hotel,
  • ensuring the protection of human and civil rights and freedoms in the processing of personal data, including the protection of the rights to privacy, personal and family secrecy in the course of labor relations, provision of hotel and other services,
  • promotion of the Operator’s goods, works, services in the market by means of direct contacts with potential consumers by means of communication means (allowed in accordance with the procedure stipulated in clause 3.7 of these Regulations);
  • The processing is organized by the Operator on the principles of:
  • legality of the purposes and methods of personal data processing, good faith and fairness in the Operator’s activities;
  • reliability of personal data, their sufficiency for the purposes of processing, inadmissibility of processing of personal data that are redundant in relation to the purposes stated in the collection of personal data;
  • processing only personal data that meet the purposes for which they are processed;
  • compliance of the content and scope of processed personal data with the stated purposes of processing. The personal data processed must not be redundant in relation to the stated purposes of their processing;
  • inadmissibility of merging databases containing personal data processed for incompatible purposes;
  • ensuring the accuracy of personal data, their sufficiency and, where necessary, relevance in relation to the purposes of personal data processing. The Operator shall take the necessary measures or ensure that they are taken to remove or clarify incomplete or inaccurate data;
  • storing personal data in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing.
  • Personal data processing is carried out in compliance with the principles and rules stipulated by the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data» and this Regulation.
  • Methods of personal data processing: mixed — with the use of automation means and without the use of automation means.
  • In accordance with the set goals and objectives, the Operator appoints a person responsible for personal data processing by issuing a relevant order before the commencement of personal data processing. The replacement of the responsible person is also carried out by issuing an order with subsequent notification of the supervisory authority.
  • The responsible person or other person appointed by the sole executive body of the Operator shall have the right to execute and sign the notification provided for in paragraphs 1 and 2 of this Article . 3 Art. 22 Federal Law of 27.07.2006 N 152-FZ «On Personal Data».
  • These Regulations and amendments thereto shall be approved by the Operator’s manager and introduced by the Operator’s order.
  • The Operator’s employees directly involved in personal data processing shall be familiarized under signature with the provisions of the Russian Federation legislation on personal data, including requirements to personal data protection, documents defining the Operator’s policy on personal data processing, local acts on personal data processing, with this Regulation and amendments thereto before starting work.
  • When processing personal data, the Operator shall apply legal, organizational and technical measures to ensure the security of personal data in accordance with Art. 19 Federal Law of 27.07.2006 N 152-FZ «On Personal Data».
  • Control over compliance of the Operator’s employees with the requirements of the legislation of the Russian Federation and provisions of local acts consists in checking compliance with the requirements of regulatory documents on information protection, as well as in assessing the validity and effectiveness of the measures taken and is carried out by the Operator on a regular basis. It may be conducted by the person responsible for ensuring personal data security or on a contractual basis by third-party organizations that have licenses for technical protection of confidential information.
  • The assessment of harm that may be caused to personal data subjects in case of violation by the Operator of the requirements of the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data» shall be determined in accordance with Art. Art. 15151, 152, 1101 of the Civil Code of the Russian Federation.
  • The Operator publishes or otherwise provides unrestricted access to this Regulation, other documents defining the Operator’s policy on personal data processing, information on the implemented requirements to personal data protection in accordance with the general procedure of publishing documents in force at the Operator, including by placing them on the stand, organization, etc.
  • The terms and conditions of personal data processing by the Operator:
  • personal data processing is carried out with the consent of the personal data subject to the processing of his/her personal data;
  • processing of personal data is necessary to achieve the goals stipulated by the international treaty of the Russian Federation or by law, to implement and fulfill the functions, powers and duties assigned to the Operator by the legislation of the Russian Federation;
  • processing of personal data is necessary for the execution of a contract to which the personal data subject is a party or a beneficiary or guarantor, including in case the Operator exercises its right to assign rights (claims) under such a contract, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
  • processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject, if it is impossible to obtain the consent of the personal data subject;
  • processing of personal data is necessary for realization of rights and legitimate interests of the Operator or third parties or for achievement of socially significant goals, provided that the rights and freedoms of the personal data subject are not violated;
  • personal data processing is carried out for statistical or other research purposes, except for the purposes specified in Article 15 of the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data», subject to mandatory depersonalization of personal data;
  • processing of personal data is carried out, access to which is granted by the personal data subject or at his/her request;
  • Processing of personal data subject to publication or mandatory disclosure in accordance with federal law.
  • The operator may entrust the processing of personal data to a third party on the basis of a contract. An essential condition of such an agreement is the right of the person to process personal data, the obligation to ensure the confidentiality of personal data and the security of personal data during their processing.
  • Personal data shall be stored in a form that allows identification of the personal data subject for no longer than the purposes of their processing require, and they shall be destroyed upon achievement of the purposes of processing or in case of loss of necessity in their achievement.

 

  1. RESPONSIBLE PERSONS OF THE OPERATOR FOR PERSONAL DATA PROCESSING

 

  • Personal data processing is performed by the employees of the departments that receive the personal data of the Guests directly, by the system administrator, as well as by the persons specified in the company order.
  • Sole executive body:
    • bring to the attention of the Operator’s employees the provisions of the Russian Federation legislation on personal data, local acts on personal data processing, and personal data protection requirements;
    • organizes the processing of personal data by the Operator’s employees;
    • organizes reception and processing of appeals and requests of personal data subjects or their representatives.
  • The sole executive body is responsible for control over fulfillment by the Operator’s employees of the requirements of the legislation of the Russian Federation and the provisions of the Operator’s local regulatory acts when processing personal data.
  • PD processing is also performed in the following information systems (programs):
  • The Operator’s employee authorized to process personal data shall be provided with a unique login and password for access to the relevant Operator’s information system in accordance with the established procedure. Access is granted to application program subsystems in accordance with the functions stipulated in the Operator’s job descriptions.
  • Information may be entered both in automatic mode — when specifying, retrieving, using and transmitting information on a machine-readable medium, and in manual mode — when receiving information on paper or in another form that does not allow its automatic registration.
  • Ensuring security of PD processed in the Operator’s information systems is achieved by excluding unauthorized, including accidental, access to PD, as well as by taking the following security measures:
  • identification of current threats to the security of PD and information technologies used in information systems;
  • application of organizational and technical measures to ensure the security of personal data during their processing in the Operator’s information systems, necessary to meet the requirements for the protection of personal data, the execution of which ensures the levels of data security established by the Government of the Russian Federation;
  • assessment of the effectiveness of measures taken to ensure the security of data before the information system is put into operation;
  • accounting of PD machine carriers;
  • ensuring the operable functioning of computer equipment with PD in accordance with the operational and technical documentation of computer equipment and taking into account the technical requirements of information systems and information protection means;
  • detection and registration of facts of unauthorized access to PD, unauthorized repeated and additional recording of information after its extraction from the PD information system and taking measures;
  • recovery of PDs modified or deleted or destroyed due to unauthorized access to them;
  • Establishing rules for access to personal data processed in the Operator’s information systems, as well as ensuring registration and accounting of all actions performed with personal data in the Operator’s information systems;
  • control over the measures taken to ensure the security of PD and the security levels of information systems.
  • Operator’s system administrator (or other person who is assigned these functions in accordance with the company’s order, and if there is no such person, the sole executive body):
  • timely detection of the facts of unauthorized access to personal data and immediate communication of this information to the person responsible for organizing the processing of personal data;
  • prevention of impact on technical means of automated data processing, as a result of which their functioning may be disrupted;
  • recovery of PDs modified or destroyed due to unauthorized access to them;
  • constant control over ensuring the level of data security;
  • Compliance with the conditions for the use of information protection means stipulated in the operational and technical documentation;
  • accounting of applied information protection tools, their operational and technical documentation, and data carriers;
  • if violations of the PD provision procedure are detected, immediate suspension of PD provision to users of the PD information system until the reasons for the violations are identified and eliminated;
  • investigating and drawing conclusions on the facts of non-compliance with the conditions of storage of material data carriers, use of information protection means, which may lead to violation of confidentiality of data or other violations resulting in reduction of the level of data security, development and taking measures to prevent possible dangerous consequences of such violations.
  • The exchange of personal data during their processing in the Operator’s information systems is carried out via communication channels, the protection of which is ensured through the implementation of appropriate organizational measures and the use of software and hardware.
  • Access of the Operator’s employees to the data stored in the Operator’s information systems provides for mandatory identification procedure.
  • In case of detection of violations of the procedure for processing personal data in the Operator’s information systems, the authorized officials shall immediately take measures to identify the causes of violations and eliminate them.

 

  1. PROCEDURE FOR ENSURING THE RIGHTS OF THE PERSONAL DATA SUBJECT BY THE OPERATOR

 

  • Personal data subjects or their representatives have the rights provided by the Federal Law of 27.07.2006 N 152-FZ «On Personal Data» and other legal acts regulating the processing of personal data.
  • The Operator ensures the rights of personal data subjects in the manner prescribed by Chapters 3 and 4 of the Federal Law dated 27.07.2006 N 152-FZ «On Personal Data».
  • Authorization of the representative to represent the interests of each personal data subject shall be confirmed by a power of attorney, executed in the order of Art. Art. 185 and 1 of the Civil Code of the Russian Federation, ч. 2 Art. 53 of the Civil Procedure Code of the Russian Federation or notarized according to the Art. 59 Fundamentals of the Legislation of the Russian Federation on Notariate. A copy of the representative’s power of attorney, photocopied by the OPD Service from the original, shall be kept by the Operator for at least three years, and in case the period of personal data storage is longer than three years — not less than the period of personal data storage.
  • The information provided in ч. 7 Art. 22 Federal Law dated 27.07.2006 N 152-FZ «On Personal Data», shall be provided to the personal data subject by the OPD Service in an accessible form without personal data relating to other personal data subjects, except in cases where there are legitimate grounds for disclosure of such personal data, in electronic form. They may be duplicated on paper at the request of the personal data subject.
  • The information provided in ч. 7 Art. 22 Federal Law dated 27.07.2006 N 152-FZ «On Personal Data», shall be provided to the personal data subject or his/her representative upon personal contact or upon receipt of a request from the personal data subject or his/her representative. The request shall contain the number of the main personal data subject’s or his/her representative’s identity document, information on the date of issue of the said document and the issuing authority, information confirming the personal data subject’s participation in relations with the Operator (contract number, date of contract conclusion, word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator, signature of the personal data subject or his/her representative. If technically possible, the request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
  • The right of the subject of personal data to access his/her personal data may be restricted in accordance with federal laws.
  • Processing of personal data for the purposes of promoting goods, works, services on the market by means of direct contacts with potential consumers through communication means, as well as for political agitation purposes is allowed only with the prior consent of the personal data subject. Consent may be oral or written.
  • The said processing of personal data is recognized to be carried out without prior consent of the personal data subject, unless the Operator proves that such consent was obtained.
  • The operator is obliged to immediately cease, at the request of the personal data subject, the processing of his/her personal data specified in the ч. 1 Art. 15 Federal Law of 27.07.2006 N 152-FZ «On Personal Data».
  • A decision giving rise to legal consequences in respect of a personal data subject or otherwise affecting his/her rights and legitimate interests may be made on the basis of exclusively automated processing of his/her personal data only with the consent in writing of the personal data subject or in cases provided for by the federal laws of the Russian Federation, which also establish measures to ensure observance of the rights and legitimate interests of the personal data subject.
  • The operator is obliged to explain orally, and at the written request of the personal data subject or his/her representative — in writing, to explain to the personal data subject the procedure of decision-making based on exclusively automated processing of his/her personal data and possible legal consequences of such decision, to provide the opportunity to object to such decision, as well as to explain the procedure of protection by the personal data subject of his/her rights and legitimate interests.
  • The text of the oral explanation shall be prepared in writing by the Operator prior to the commencement of automated processing of personal data and shall be stored for at least 3 (three) years.
  • In case of automated processing of personal data by different methods, the explanation is prepared separately for each method.
  • The operator is obliged to provide free of charge to the personal data subject or his/her representative the opportunity to familiarize with personal data related to this personal data subject at his/her location during working hours.
  • Within 15 working days from the date of correction or destruction of personal data at the request of the personal data subject or his/her representative, the Operator shall notify him/her of the changes made and measures taken, and shall take reasonable measures to notify third parties to whom the personal data of this subject have been transferred.

 

 

  1. CONTROL, LIABILITY FOR BREACH OR NON-ENFORCEMENT OF THE PROVISION

 

  • The sole executive body is responsible for control over the fulfillment of the Regulations.
  • Persons violating or failing to fulfill the requirements of the Regulations shall be subject to disciplinary, administrative (Art. Art. 5.39, 1113.14, Art. 19.7 Code of the Russian Federation on Administrative Offenses) or criminal liability (Art. Art. 137, 140, 272 of the Criminal Code of the Russian Federation).
  • Heads of structural subdivisions of the Operator shall be personally responsible for the performance of duties by their subordinates.