1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter referred to as the «Policy») is made according to paragraph 2 of art. 18.1 of the Federal Law of the Russian Federation «On Personal Data» No. 152-FZ dated July 27, 2006 and applies to all the personal data processed by LLC «NTT» (hereinafter referred to as the «Processor»).
1.2. The goal of this Policy is to define the categories and the basic processing principles of personal data handled by the Processor.
1.3. The provisions of this Policy are binding on all the employees of the Processor, entities that receive or provide personal data to the Processor, as well as individuals in contractual relations with the Processor.
1.4. This Policy uses the following terms:
— personal data — any information relating to a directly or indirectly identified or identifiable individual (personal data subject);
— personal data processor (Processor) — state or municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as defining the purpose of personal data processing, the composition of personal data to be processed, actions (processes) performed with personal data;
— personal data processing — any action (process) or a set of actions (processes) with personal data, performed with or without automation technologies. Personal data processing includes, but is not limited to:
- сollection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- use;
- transfer (distribution, provision, access);
- blocking;
- deletion;
- destruction.
— automated personal data processing — personal data processing by means of computer technologies;
— personal data distribution — actions aimed at disclosure of personal data to an indefinite number of persons;
— personal data provision — actions aimed at disclosure of personal data to a certain person or a certain number of persons;
— personal data blocking — temporary suspension of personal data processing (except when processing is necessary to clarify personal data);
— personal data destruction — actions that result in permanent deletion of personal data from personal data information systems with inability of further restoration and (or) the destruction of physical personal data storage devices;
— personal data information system — a set of information technologies and technical means contained in databases of personal data and providing its processing;
— transborder transfer of personal data — transfer of personal data to the territory of a foreign state, a foreign authority, a foreign individual or a foreign legal entity.
— personal data privacy — Processor and other persons with access to personal data must not disclose it to third parties or otherwise disclose it without the consent of the personal data subject, unless otherwise provided by the federal law.
1.5. Personal data subjects or their legal representatives have the right to:
— receive complete information about their personal data and its processing (including automated processing);
— free access to their personal data, including the right to obtain copies of any record containing the subject’s personal data, except as required by the federal laws of the Russian Federation;
— demand the exclusion or correction of incorrect or incomplete personal data, as well as data processed in violation of the legislation of the Russian Federation;
— declare in writing their disagreement with an appropriate justification if the Processor or a person authorized by him refuses to exclude or correct the subject’s personal data;
— require the Processor or a person authorized by him to notify all the persons who were previously provided with incorrect or incomplete personal data of the subject, of all the changes made to or deletions from such data;
— appeal in court any illegal actions or inaction of the Processor or a person authorized by him, carried out during the processing and protection of the subject’s personal data.
1.6. Personal data subjects or their legal representatives are obliged to:
— provide the Processor with faithful personal data;
— timely notify the Processor of all the changes in personal data.
1.7. The Processor has the right to process personal data, provided that there is a legitimate reason, the compliance with the stated purposes of processing and the legislation of the Russian Federation, the provisions of this Policy and other local acts of the Processor.
1.8. The Processor is obliged to:
— at his/her own expense, protect personal data from misuse or loss in accordance with the procedures established by the legislation of the Russian Federation;
— provide the personal data subject, upon his/her request, information relating to the processing of his/her personal data, or legally provide a refusal;
— provide the subject with free access to his/her personal data, including the right to obtain copies of any record containing the subject’s personal data, except as required by the federal laws of the Russian Federation;
— at the request of the personal data subject, clarify the processed personal data, block or delete the incomplete, outdated, inaccurate, illegally obtained personal data or which is unnecessary for the stated purpose of processing;
— keep a log of personal data subjects’ requests about their personal data, as well as the facts of providing personal data on these requests;
— notify the personal data subject on the processing of personal data in case the personal data was not received from the personal data subject;
— in case the purpose of personal data processing is achieved, immediately stop processing of personal data and destroy the relevant personal data within a period not exceeding thirty business days from the date the purpose of personal data processing is achieved, unless otherwise provided by the federal laws of the Russian Federation;
— stop processing personal data if the subject sends a request to do so, and destroy this personal data within a period not exceeding ten business days from the date of receipt of the specified request. This period may be extended, but for no more than five business days, if the Processor sends a reasoned notification to the personal data subject, indicating the reasons for extending the period for providing the requested information. The Processor has the right to continue processing personal data in cases stipulated by paragraphs 2 — 11 of part 1 of article 6; part 2 of article 10 and part 2 of article 11 of the Federal Law No. 152-FZ «On Personal Data»;
— provide the subject’s personal data only to authorized persons and only to the extent necessary for them to perform their employment duties in accordance with this Policy and the legislation of the Russian Federation.
2. Purposes, Categories of Subjects, their Scope and Legal Basis for Personal Data Processing
2.1. For each of the purposes of personal data processing, the Processor defined and approved specific categories of personal data, their scope and the legal basis for personal data processing. It is not allowed to process personal data not in accordance with the approved purposes.
2.2. The purposes, categories of subjects, their scope and legal basis for personal data processing, according to which the Processor carries out the processing, are given in Appendix No. 2 to this Personal Data Processing Policy.
2.3. The processing of personal data provided in Appendix No. 1, among other things, is carried out in accordance with the requirements of the Tax Code of the Russian Federation, Federal Law No. 402-FZ «On Accounting», Federal Law No. 125-FZ «On Archival Affairs in the Russian Federation», Order of the Federal Archival Agency of Russia dated 20/12/2019 No. 236 «On approval of the List of standard administrative archival documents formed in the course of activities of state bodies, local governments and organizations, indicating the terms of their storage», by the Civil Code of the Russian Federation and other Federal laws and regulations adopted on their basis regulating relations connected with the activities of the Processor, as well as other regulations of the Russian Federation, within the framework of implementation and fulfillment of the functions, powers and duties assigned by the legislation of the Russian Federation to the Processor.
3. Procedure and Conditions of Personal Data Processing
3.1. The Processor receives all personal data directly from the personal data subject, his/her representative or from the person who instructed the Processor to process personal data, except as provided for by the legislation of the Russian Federation.
3.2. The processing of personal data is carried out with the consent of the personal data subject, except as required by the legislation of the Russian Federation. Consent may be expressed in various forms that make it possible to confirm the fact of its receipt, including through implicative actions, in writing as a separate document, or as part of a document signed by the subject. Consent may be given by the subject’s representative, if he or she provides evidence of his or her authority.
3.3. Consent to the processing of personal data can be withdrawn by the personal data subject. In cases stipulated by the legislation of the Russian Federation, the processing of personal data may be continued even after the subject withdrew his or her consent to the processing.
3.4. In making decisions that affect the interests of the subject, the Processor shall never rely on the subject’s personal data obtained solely as a result of its automated processing or electronic receipt.
3.5. Personal data is not used for the purpose of causing property and/or moral damage to citizens, making it difficult to exercise the rights and freedoms of citizens of the Russian Federation.
3.6. Access to personal data is granted to the Processor’s employees who need personal data in connection with the performance of their official duties.
3.7. Transfer of personal data of the Processor’s employees to the third parties is carried out only with the written consent of the subject, except as required by the legislation of the Russian Federation.
3.8. The Processor has the right to transfer personal data to investigative authorities and other authorized bodies on the grounds stipulated by the current legislation of the Russian Federation.
3.9. The Processor has the right to create public sources of personal data, which may include the subject’s personal data with his or her written consent.
3.10. It is prohibited to transfer the subject’s personal data for commercial purposes without his or her written consent.
3.11. If the Processor needs to transfer personal data to the third parties, it is carried out only after signing an agreement between the Processor and the third party on nondisclosure of confidential information, except as provided for by the legislation of the Russian Federation.
3.12. Personal data processing is carried out with or without computer equipment.
3.13. The duration for personal data processing by the Processor is generally determined in accordance with the Federal Law of 27/07/2006 No. 152-FZ «On Personal Data»; the validity period of the relevant contract; the duration specified in the order for personal data processing; the validity periods of the documents established by the Federal Law No. 125-FZ «On Archival Affairs in the Russian Federation»; Order of the Federal Archival Agency of Russia dated 20/12/2019 No. 236 «On approval of the List of standard administrative archival documents formed in the course of activities of state bodies, local governments and organizations, indicating the terms of their storage», the limitation of action period; the validity period of the consent given by the personal data subject for its processing; as well as other requirements of the legislation of the Russian Federation.
3.14. Personal data, when processed without the use of automation means, is separated from other information, in particular by storing on separate physical personal data carriers (hereinafter referred to as the «Physical Carriers»), in special sections or in the margins of forms.
3.15. When storing personal data on Physical Carriers, personal data with different purposes for its processing may not be stored on the same Physical Carrier. For the non-automated processing of different categories of personal data, a separate Physical Carrier is used for each category of personal data.
3.16. Persons who process personal data without the use of automation means must be informed about the fact that the processing of personal data is carried out by the Processor without the use of automation means, about categories of processed personal data, as well as about the specifics and rules of such processing.
3.17. When using standard forms of documents filled in by the personal data subject in his/her own hand, the nature of information in which involves or allows for inclusion of personal data (hereinafter referred to as the «Standard Form»), the following conditions shall be observed:
— standard form or related documents (instructions for its completion, cards, registers and journals) must contain information about the purpose of personal data processing carried out without the use of automation means, name and address of the Processor, full name and address of the personal data subject, the source of obtaining personal data, the duration and the list of actions to be performed for processing personal data, a general description of the methods used by the Processor for processing personal data;
— if written consent to the processing of personal data is required, the standard form must provide a field where the personal data subject can put a mark of his/her consent to the personal data processing carried out without the use of automation means;
— the standard form must be drawn up so that each of the personal data subject contained in the document had the opportunity to review his or her personal data contained in the document, without violating the rights and legitimate interests of other personal data subjects;
— the standard form must exclude the combination of fields for personal data, the purposes of which are known to be incompatible.
3.18. Personal data shall be destroyed upon attainment of the purpose of processing, upon cancellation of the purposes of processing, upon expiration of the storage period, upon detection of unlawful processing or at the request of the person who commissioned the processing of personal data, within a period not exceeding ten business days from the date the purpose of personal data processing is achieved, or from the receipt of revocation of its processing. This period may be extended, but for no more than five business days, if the Processor sends a reasoned notification to the personal data subject, indicating the reasons for extending the period for providing the requested information. Destruction is carried out in the presence of the commission, after which an act of destruction is drawn up.
4. Protection of Personal Data
4.1. The Processor ensures the protection of the personal data of the subject from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions.
4.2. The Processor ensures the protection of personal data in accordance with the current legislation of the Russian Federation and the local acts of the Processor, by implementing a set of organizational and technical measures to ensure its security.
4.3. All the protection measures for collection, processing, storage and transfer of the subject’s personal data apply to both paper and electronic (automated) media.
5. Updating, Correction, Deletion and Destruction of Personal Data
5.1. The Processor has the right to enter, supplement, change, block or delete personal data in accordance with the federal laws of the Russian Federation.
5.2. At the request of the personal data subject, the Processor is obliged to:
— provide information about the availability of the subject’s personal data;
— provide an opportunity to get acquainted with the subject’s personal data (except as provided for by the Federal Law No. 152, article 14, paragraph 5);
— clarify inaccurate or modified personal data;
— block or destroy personal data in case they are illegally obtained, unnecessary for the stated purpose of processing, or if the subject’s consent is withdrawn.
5.3. The request of the personal data subject must be sent to the Processor in paper form and shall contain the number of the main document proving the identity of the personal data subject or his/her legal representative, information on the date of issue of the said document and the authority issuing it, and handwritten signature of the personal data subject or his/her legal representative. A standard form is provided in Appendix 1 to this Policy.
5.4. The request may be sent electronically to e-mail: info@newtraveltech.ru and signed by electronic digital signature in accordance with the legislation of the Russian Federation.
5.5. Upon receipt of the subjects’ request, the responsible employee of the Processor shall register such request in the log of subjects’ requests.
5.6. A response, or a reasoned refusal, must be sent within ten business days from the date of receipt of the request from the personal data subject. This period may be extended, but for no more than five business days, if the Processor sends a reasoned notification to the personal data subject, indicating the reasons for extending the period for providing the requested information. The response should be in the same form in which the relevant appeal or request was sent, unless otherwise specified in the appeal or request, and should contain specific and comprehensive information relating to the essence of the issue.
6. Policy Modification
6.1. The Processor has the right to make changes to this Policy. When making changes, the date of the last revision is indicated in the Policy header. The updated revision of the Policy comes into force from the moment of its posting on the Processor’s website, unless otherwise stipulated in the updated revision of the Policy.
6.2. The current revision is stored at the location of the Processor’s executive body at: 115230, Moscow, 1st Nagatinsky proezd, 10, bldg. 1, floor 13, the electronic version of the Policy is stored on the Processor’s website at: https://www.tutu.ru/2read/legal_information/legal_personal/.
6.3. The law of the Russian Federation is applicable to this Policy and the relations between the personal data subjects and the Processor.
7. Contact Details
7.1. E-mail address: info@newtraveltech.ru
7.2. Mailing address: 115230, Moscow, 1st Nagatinsky proezd, 10, bldg. 1, floor 13.
7.3. Contact phone number: +7 (499) 715-42-05, +7 (800) 511-55-63.
Appendix No. 1
Form of a written request
for information concerning the processing of personal data
Appendix No. 2
The set of purposes, categories of subjects, their scope and legal basis for personal data processing, approved by the Processor
Была ли полезна статья:
Да
Нет
