Personal data processing policy
1 GENERAL PROVISIONS
Mechtarium, LLC Personal Data Processing Policy (hereinafter, the Policy) has been developed in accordance with Federal Law No. 152-FZ "On Personal Data" dd.27.07.2006 (hereinafter, FZ-152) and Roskomnadzor Recommendations on drafting a document governing data processor’s personal data processing policy, in accordance with the procedure established by Federal Law No. 152-FZ "On Personal Data" dd. July 27, 2006.
This Policy determines the personal data processing procedure and personal data security measures in Mechtarium, LLC (hereinafter, the Company, the Data Processor), in order to protect civil and political rights in personal data processing, including the protection of the right to personal and family privacy.
The Policy uses the following basic terms:
Automated Personal Data Processing shall mean computer-aided personal data processing;
Blocking of Personal Data shall mean suspension of personal data processing (except when processing is necessary for personal data update);
Personal Data Information System shall mean a set of personal data in databases and information technology and technical means supporting their processing;
Personal Data Anonymization shall mean actions making it impossible to identify a specific personal data owner without additional information;
Personal Data Processing shall mean any action (operation) or a set of actions (operations) on personal data performed with or without automation tools, including collection, recording, systematization, accumulation, storage, update (modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction;
Data Processor shall mean a public body, a municipal body, a legal entity or an individual, arranging and (or) carrying out, independently or jointly with other persons, personal data processing, as well as defining the purposes of processing personal data, the scope of personal data to be processed, actions (operations) performed on personal data;
Personal Data shall mean any information related to a directly or indirectly identified or identifiable individual (personal data owner);
Personal Data Disclosure shall mean actions aimed at disclosing personal data to a specific person or a specific group of persons;
Personal Data Distribution shall mean actions aimed at disclosing personal data to the public;
Cross-Border Personal Data Transfer shall mean the transfer of personal data to a foreign public authority, a foreign individual or a foreign legal entity in a foreign territory;
Destruction of Personal Data shall mean actions making it impossible to restore the contents of personal data in the personal data information system and (or) destroying physical personal data media.
The Company must publish or otherwise provide free access to this Personal Data Processing Policy under Part 2 Art. 18.1 FZ-152.
2 PERSONAL DATA PROCESSING PRINCIPLES, PURPOSES AND CONDITIONS
2.1 Personal Data Processing Principles
Personal data processing in the Company is based on the following principles:
- legitimacy and fair basis;
- limiting personal data processing to specific, pre-determined and legitimate purposes;
- prohibiting personal data processing for purposes other than the purposes of collecting personal data;
- prohibiting integration of databases with personal data processed for conflicting purposes;
-processing only the personal data that meet the purposes of their processing;
- compliance of content and scope of processed personal data with the purposes of processing;
- prohibiting processing personal data exceeding the stated purposes of their processing;
- ensuring the accuracy, adequacy and relevance of personal data in relation to the purposes of processing personal data;
- destruction or anonymization of personal data upon the achievement of their processing purposes or in case there is no need for these purposes any more, if the Company fails to eliminate processing personal data breaches, unless otherwise provided by the federal law.
2.2 Purposes of Personal Data Processing
- Data Processor's exercise of its rights and legitimate interests, in accordance with the main activities stipulated by the Articles of Association of Mechtarium, LLC, that require personal data processing, namely:
* activity of recreation and entertainment parks and theme parks,
* wholesaling and retailing;
* retailing directly via the Internet
* production of non-food consumer goods
* restaurant business and food delivery services
* development of new technologies, their implementation, investment in promising sectors;
* investment in the production of goods and services;
* advertising services;
* other activities directly or indirectly facilitating solution of the problems
* of the society, not prohibited by the applicable law.
- exercise of the rights and obligations imposed on the Company as an employer by the law;
- fulfillment of the Company's obligations under an agency agreement for personal data processing outsourcing.
- lawful disclosure of personal data to third parties in the course of the Company’s business activities;
- other processing purposes needed for Mechtarium, LLC activities which comply with the law.
2.3 Conditions of Personal Data Processing
The Company processes personal data if one or more of the following conditions is met:
- personal data are processed with the permission of the personal data owner to process its personal data;
- personal data processing is necessary to achieve the goals stipulated by an international treaty of the Russian Federation or a law, for the Company to perform its functions, powers and duties imposed by the law of the Russian Federation;
- personal data processing is necessary to administer justice, enforce a judicial act, an act of another body or an official subject to enforcement under the law of the Russian Federation on enforcement proceedings;
- personal data processing is necessary to perform a contract, with the personal data owner being a party or a beneficiary or a guarantor under it, as well as to enter into a contract on the personal data owner’s initiative or a contract with the personal data owner being a beneficiary or guarantor under it;
- personal data processing is necessary to exercise rights and legitimate interests of the Company or third parties or to contribute to public purposes, provided that the rights and freedoms of the personal data owner are not thereby violated;
- personal data processing the public access to which is provided by the personal data owner or at its request (hereinafter, publicly available personal data);
- personal data processing subject to publication or mandatory disclosure in accordance with the federal law.
2.4 Personal Data Confidentiality
The Company and other persons who have gained access to personal data undertake not to disclose to third parties or distribute personal data without the personal data owner’s permission, unless otherwise provided by the federal law.
2.5. Publicly Available Sources of Personal Data
For information support purposes, the Company may create publicly available sources of the owner’s personal data, including directories and address books. Publicly available sources of personal data, with the owner’s written consent, may include full name, date and place of birth, position, contact phone numbers, e-mail address and other personal data reported by the personal data owner.
At the personal data owner’s request or by decision of the court or other authorized government agencies, information on the personal data owners shall be excluded from the publicly available sources of personal data of the Company.
3 CATEGORIES OF PERSONAL DATA OWNERS AND CATEGORIES OF PROCESSED PERSONAL DATA
3.1 Categories of personal data owners
- Employees and former employees, as well as their relatives, whose personal data are provided to the Company by employees
- Candidates for the Company’s vacancies, counterparties
- Consumers and the Company’s counterparties (individuals)
- Representatives and employees of buyers and counterparties of the Company and persons to whom counterparties provide services / deliver certain goods (legal entities)
3.2 Categories of personal data
In terms of interaction with personal data owners, the following personal data can be processed:
full name; date of birth; place of birth, address; marital status; social status; property status; education; profession; income; TIN, Insurance Number of Individual Ledger Account, information contained in military service records; contact information (phone, e-mail), other information provided by standard forms and the established processing procedure.
The above personal data may refer to the relevant categories of personal data specified in FZ-152, which the Company shall lawfully process to comply with the legal requirements, as well as to meet its commercial, corporate and other needs in accordance with its statutory objectives and activities.
Special categories of personal data
The Company can process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, private life, provided:
- the personal data owner has agreed in writing to processing its personal data;
- personal data have been made publicly available by the personal data owner;
- personal data are processed in accordance with the law on state social assistance, labor law, law of the Russian Federation on state provided pensions, on labor pensions;
- personal data processing is necessary to protect the life, health or other vital interests of the personal data owner or the life, health or other vital interests of other persons and obtaining the consent of the personal data owner is impossible;
- personal data are processed for medical and preventive purposes, with a view to establishing a medical diagnosis, providing medical and medical and social services, provided that the personal data are processed by a person professionally engaged in medical activities and required to maintain medical secrecy in accordance with the law of the Russian Federation;
- personal data processing is necessary to establish or exercise the rights of the personal data owner or third parties, as well as due to the administration of justice;
- personal data are processed in accordance with the law on compulsory insurance, the insurance law.
Processing of special categories of personal data must be immediately terminated if the reasons for their processing are eliminated, unless otherwise provided by the federal law.
Criminal personal data can be processed by the Company only in cases and in the manner determined in accordance with the federal laws.
Biometric Personal Data
Information characterizing physiological and biological properties of a person that can be used to identify him or her (biometric personal data) and that is used by the Data Processor to identity the personal data owner may not be processed by the Company without a written consent of the personal data owner.
3.3 Outsourcing Personal Data Processing
The Company may outsource personal data processing with the consent of the personal data owner, unless otherwise provided by the federal law, under a contract. A person engaged in the personal data processing on behalf of the Company is required to comply with the personal data processing principles and rules provided for by FZ-152.
3.4 Cross-Border Personal Data Transfer
The Company must ensure that the foreign state personal data are intended to be transferred to provides adequate protection of the personal data owners’ rights, prior to such transfer.
Cross-border personal data transfer to the territory of foreign states that do not provide adequate protection of the personal data owners’ rights is possible in the following cases:
- there is the personal data owner’s written consent to the cross-border transfer of its personal data
- there is a contract the personal data owner is a party to.
4 LEGAL BASIS OF PERSONAL DATA PROCESSING
The legal basis of the Personal Data Processing Policy shall be:
- Civil Code of the Russian Federation No. 51-FZ dd. 30.11.1994
- Federal Law No. 14-FZ "On Limited Liability Companies" dd. 08.02.1998
-Federal Law No. 273-FZ "On Education in the Russian Federation" dd. 29.12.2012
- Labor Code of the Russian Federation No. 197-FZ dd. 30.12.2001
- Tax Code of the Russian Federation No. 146-FZ dd. 31.07.1998
- Federal Law No. 167-FZ "On Compulsory Pension Insurance in the Russian Federation" dd. 15.12.2001
-Federal Law No. 63-FZ "On Electronic Signature" dd. 06.04.2011
- Articles of Association of Mechtarium, LLC
- License to educational activities No. 037780 dd. 19.08.2016
- Order of the Ministry of Culture of Russia No. 558 “On the Approval of the “List of Standard Administrative Archive Documents Generated in the Course of Activities of Government Agencies, Local Government Bodies and Organizations, and their Storage Periods” dd. 25.08.2010
- Order of the Ministry of Culture of Russia No. 526 “On the Approval of the Rules for the Organization of Storage, Acquisition, Accounting and Use of Documents of the Archive Fund of the Russian Federation and Other Archival Documents in Government Agencies, Local Government Bodies and Organizations” dd. 31.03.2015
- Resolution of the Government of the Russian Federation No. 1119 "On the Approval of the Requirements for the Protection of Personal Data when Processing them in Information Systems of Personal Data" dd. 01.11.2012
- Resolution of the Government of the Russian Federation No. 687 "On the Approval of the Regulation on the Specific Aspects of Processing Personal Data, Carried out Without the Use of Automation Equipment" dd. 15.09.2008
- other types of regulatory acts and documents
4.1 Types of local regulations and other documents developed by the Company:
- Regulation on the Personal data processing in Mechtarium, LLC
- Regulation on Ensuring Personal Data Security when Processing them in Information Systems of Mechtarium, LLC
- Regulation on Ensuring Personal Data Security when Processing them in Information Systems of Mechtarium, LLC
- Instructions on the Procedure for Handling Personal Data Storage Media in Mechtarium, LLC
- other local regulatory acts and documents of the Company
5 RIGHTS OF THE PERSONAL DATA OWNER
5.1 The personal data owner’s consent to the processing of its personal data
The personal data owner decides to provide its personal data and agrees to their processing freely, voluntarily and for its benefit. Consent to the personal data processing can be given by the personal data owner or its representative in any form that allows to confirm the its receipt, unless otherwise provided by the federal law.
The Company shall be responsible for the provision of evidence of the receipt of the personal data owner’s consent to the processing of its personal data or evidence of the existence of grounds specified in FZ-152.
5.2 Rights of the personal data owner
The personal data owner is entitled to receive information from the Company concerning the processing of its personal data, unless such right is restricted by federal laws. The personal data owner is entitled to request that the Company should update its personal data, block or destruct them in the event that personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take legal measures to protect its rights.
Personal data processing in order to promote goods, works, services on the market by establishing direct contacts with a potential consumer by means of communication facilities is allowed only with the personal data owner’s prior consent. The stated personal data processing is considered to be carried out without the personal data owner’s prior consent, unless the Company proves that such consent has been obtained.
At the personal data owner’s request, the Company must immediately stop processing its personal data for the above purposes.
It is prohibited to make decisions based solely on the automated personal data processing resulting in legal consequences with respect to the personal data owner or otherwise affecting its rights and legitimate interests, with the exception of cases provided for by federal laws or with the personal data owner’s written consent.
If the personal data owner believes that the Company is processing its personal data in violation of the requirements of FZ-152 or otherwise violates its rights and freedoms, the personal data owner is entitled to appeal against the Company’s actions or omission to the authorized body for the protection of the rights of personal data owners or to a court.
The personal data owner is entitled to defend its rights and legitimate interests through a court under the pre-trial dispute resolution procedure.
6 ENSURING PERSONAL DATA SECURITY
The security of personal data processed by the Company is ensured by legal, administrative and technical measures taken to comply with the federal personal data protection laws.
While ensuring personal data security and preventing unauthorized access to personal data, the Company is guided by Resolution of the Government of the Russian Federation No. 1119 "On the Approval of the Requirements for the Protection of Personal Data when Processing them in Information Systems of Personal Data" dd. 01.11.2012, Resolution of the Government of the Russian Federation No. 687 "On the Approval of the Regulation on the Specific Aspects of Processing Personal Data, Carried out Without the Use of Automation Equipment" dd. 15.09.2008, as well as regulatory and administrative documents of the Federal Security Service FSB and Federal Service for Technical and Export Control of Russia on the personal data protection.
The Company has developed and applies local acts for the personal data protection, maintaining the requirements for the organization of measures aimed at protecting the owners’ personal data.
7 PERSONAL DATA STORAGE PERIOD
The personal data shall be stored in a form allowing identification of the personal data owner; upon the processing period expires or the owner withdraws its consent, personal data must be destroyed.
The period for storing personal data of employees and former employees is determined on the basis of the List of Standard Administrative Archive Documents Generated in the Course of Activities of Government Agencies, Local Government
Bodies and Organizations, and their Storage Periods, dd. 25.08.2010, approved by Order of the Ministry of Culture of the Russian Federation No. 558 dd. August 25, 2010.
8 UPDATING, AMENDMENT, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS TO ACCESS PERSONAL DATA
The Company, in accordance with the requirements of the law, shall consider and respond to inquiries (requests) of the personal data owners in the following manner, under Art. 165.1, Art. 191 and Art. 193 of the Civil Code of the Russian Federation:
- Upon request on the availability of personal data relating to the owner and the ability to access these personal data. The Company shall provide the owner or its representative with information and give the opportunity to review personal data or give a written reasoned refusal within 30 (thirty) days.
- Requirements to the form of the request are established by the law (Clause 3, Article 14 of Federal Law No. 152). The request must contain:
* the number of the main document certifying the identity of the personal data owner or its representative, the date of issue and the issuing authority;
* information confirming the relations between the personal data owner and the Data Processor (contract number, contract date, verbal reference designation and (or) other information) or information otherwise confirming the personal data processing by the Data Processor,
* signature of the personal data owner or its representative
- In case the owner or its representative provides information that the personal data are incomplete, inaccurate or irrelevant, within 30 (thirty) days from the date of the owner's application, the Company introduces the appropriate changes, upon which it notifies changes to the owner as well as third parties, in the case of transfer of incomplete, inaccurate or irrelevant personal data of the owner.
- In case the owner or its representative provides substantiated information that the personal data relating to the owner are obtained illegally or are not necessary for the stated purpose of processing, the Company shall, within 7 (seven) business days, destroy these personal data and notify changes to the owner or its representative. Also, if necessary, it shall notify third parties to whom such personal data have been disclosed.
- In case the Company or a person processing data for the Company is found to be unlawfully processing personal data, the Company must within 3 (three) business days stop unlawful personal data processing. If it is not possible to ensure lawful personal data processing, the Company must destroy such personal data or ensure
its destruction within 10 (ten) business days from the date of detection of unlawful personal data processing. The Company shall inform the personal data owner or its representative (and the relevant authorized body, if the request of the personal data owner or its representative or the request of the authorized body for the protection of the rights of personal data owners was sent by the authorized body for the protection of the rights of personal data owners) of the elimination of the violations or the destruction of personal data.
- In case the personal data owner withdraws its consent to the personal data processing, the Company must stop processing personal data or ensure the termination of such processing (if the personal data are processed by another person acting on the Data Processor’s behalf) and in case retention of personal data is no longer required for the purposes of personal data processing, destroy personal data or ensure its destruction (if the personal data are processed by another person acting on the Data Processor’s behalf) within 30 (thirty) days from the date of receipt of the said withdrawal, unless otherwise provided by a contract where the personal data owner acts as a beneficiary, guarantor or a party, by other agreement between the Company and the personal data owner, or if the Company is not entitled to process personal data without the personal data owner’s consent, on the grounds provided by law.
- If it is not possible to destroy personal data within the period specified in part 3 and Part 5 Art. 21 Federal Law No. 152, the Company shall block these personal data or ensure their blocking (if the personal data are processed by a third party acting on the Data Processor’s behalf) and ensures destruction of personal data within six months, unless otherwise stipulated by federal laws.
- Requests and appeals of personal data owners must be sent by registered mail, return receipt requested, to the Company’s address: 1252524, Moscow, 4 Khodynsky Blvd., floor 6, prem. 4002.2.210, as well as by e-mail to the Company's official e-mail address: firstname.lastname@example.org
- As soon as the processing purposes are achieved, the Company shall cease personal data processing within the time period established by law and take the required actions (destruction, blocking)
- Personal data processing of personal data owners who are the Company’s employees (former employees) shall also be subject to labor law and the Company’s local regulations.
9 FINAL PROVISIONS
Other rights and obligations of the Company as the Data Processor are determined by the personal data laws of the Russian Federation.
The Company’s officials violating the personal data processing and protection rules shall be subject to financial, disciplinary, administrative, civil or criminal sanctions under the procedure established by federal laws.
Appendix No. 1 to the Personal Data Processing Policy
You agree to the processing of information if you visit at least one of our website pages.
Your consent is voluntary, specific, informed, conscious.
What are cookies?
Cookies are text files or pieces of information that can be stored on your computer, phone or other device when you visit our Website.
Cookies are created by our Website and recorded by your browser on your personal computer or other device that you use when visiting our Website. After your web browser has saved these files, this information can be sent back to our Website when your browser opens the Internet page of our Website or a third party website, if it concerns third-party cookies (see below). This enables us and our partners to identify you (your browser).
There are two main types of cookies: session and persistent cookies. Session cookies are erased when you close your browser. Persistent cookies are kept in the memory of your device until they are erased or until they expire.
Our Website uses both types of cookies.
How to Disable Cookies (delete cookies)
Disabling cookies may result in Website failures, slowdown and limited functionality.
We recommend that you enable cookies and configure it as you think fit before visiting our Website, regardless of the device you use - a personal computer, tablet, smartphone, etc.