Keep an eye out for new projects
on Telegram @redrobotdesign
PERSONAL DATA PROCESSING POLICY
1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter – the "Policy") has been developed in compliance with the requirements of paragraph 2 of Part 1 of Article 18.1 of the Federal Law No. 152–FZ "On Personal Data" dated 27.07.2006 (hereinafter – the "Law on Personal Data") in order to ensure the protection of human and civil rights and freedoms when personal data processing, including the protection of the rights to privacy, personal and family secrets.
1.2. This Policy applies to the following categories of personal data subjects, information about which is processed by the Operator: employees; counterparties; customers; site visitors.
1.3. Basic terms used in the Policy:
Personal Data – any information directly or indirectly referential to an identified or identifiable natural person (personal data subject);
Personal Data Operator (Operator) – RRD Limited Liability Company (OGRN (Primary State Registration Number)/INN (Taxpayer Identification Number) 5167746383943 / 7707375960), independently or jointly with other persons, organizing and (or) carrying out the processing of personal data, as well as determining the purposes of personal data processing, the composition of personal data, to be subject to processing, actions (operations) performed with personal data;
Personal Data Processing (Processing of personal data) – any action (operation) or set of actions (operations) with personal data performed with or without automation tools. The Personal Data Processing includes, but is not limited to: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transmission (dissemination, provision, access), depersonalization, blocking, deletion, destruction;
Automated Personal Data Processing – processing of personal data by computer or automated machines;
Dissemination of personal data – actions aimed at disclosure of personal data to an unspecified group of people;
Provision of personal data – actions aimed at disclosure of personal data to a certain person or a specified group of people;
Blocking of personal data — suspension of personal data processing (except for cases when processing is necessary to clarify personal data);
Destruction of personal data — actions making it impossible to restore the content of personal data in the personal data information system and/or resulting in destruction of physical carriers of personal data;
Depersonalization of personal data — actions making it impossible to determine the owner of specific personal data without the use of additional information;
Personal data information system – a set of personal data contained in information databases as well as information technologies and technical means that ensure data processing;
Website – a set of programs for computers and electronic processing machines and other information contained in an information system, access to which is provided via the information and telecommunications network Internet and located at: https://redrobotdesign.ru.
1.4. Basic Rights and Obligations of the Operator.
1.4.1. The Operator shall have the right to:
· independently determine the composition and scope of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;
· entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person entrusted to process personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Law on Personal Data;
· if the Personal Data Subject revokes the Consent to the processing of personal data, the Operator has the right to continue personal data processing without the consent of the Personal Data Subject if there are grounds specified in the Law on Personal Data.
1.4.2. The Operator is obliged to:
· organize the processing of personal data in accordance with the requirements of the Law on Personal Data;
· respond to requests and demands from personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
· upon request, notify the authorized body for the protection of the rights of personal data subjects (hereinafter – “Roskomnadzor”) of the necessary information within 10 business days from the date of receipt of such request.
1.5. Basic rights of Personal Data Subjects. The Personal Data Subject shall have the right to:
· receive information concerning the processing of his/her personal data, except in cases provided for by federal laws. The information shall be provided to the Personal Data Subject by the Operator in an accessible form, and it should not contain personal data related to other Personal Data Subjects, except in cases where there are legitimate grounds for the disclosure of such personal data. The list of information and the procedure for obtaining it are established by the Law on Personal Data;
· demand from the Operator to clarify his/her personal data, block it or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of data processing, and also take measures provided by law to protect his/her rights;
· appeal to Roskomnadzor or to a court against illegal actions or inaction of the Operator when processing his/her personal data.
The Personal Data Subject may exercise the rights to receive information regarding the processing of his/her personal data, as well as the rights to clarify, block or destroy his/her personal data, by contacting the Operator with an appropriate request at: 21 Poryadkovy pereulok, premise I, room 6, Moscow, 127055, or by contacting the Operator with a relevant request by email at info@redrd.ru. In both cases, the request must be made in compliance with the requirements of Section 8 of this Policy.
1.6. Control over the fulfillment of the requirements of this Policy is carried out by an authorized person. which is designated by the Operator and is responsible for organizing the processing of personal data.
1.7. Responsibility for violation of the requirements of the legislation of the Russian Federation and local acts of the Operator in the field of personal data processing and protection shall be determined in accordance with the legislation of the Russian Federation.
2. PRINCIPLES OF PERSONAL DATA PROCESSING
2.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation and on the basis of the following principles:
· legality and fair basis;
· limiting the processing of personal data to the achievement of specific, predetermined and legitimate purposes;
· preventing the processing of personal data that is incompatible with the purposes of collection of personal data;
· preventing the consolidation of databases containing personal data, the processing of which is performed for purposes that are incompatible with each other;
· processing only those personal data that meet the purposes of their processing;
· compliance of the content and scope of processed personal data with the stated purposes of processing;
· preventing the processing of personal data, that are excessive in relation to the stated purposes of their processing;
· ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing;
· destruction or depersonalization of personal data upon achieving the purposes of their processing or in the event of loss of the need to achieve these purposes, if it is impossible for the Operator to eliminate the violations of personal data committed, unless otherwise provided by federal law.
3. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
3.1. The legal basis for the processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including:
· The Constitution of the Russian Federation;
· The Labor Code of the Russian Federation;
· The Civil Code of the Russian Federation;
· The Tax Code of the Russian Federation;
· Federal Law No. 402-FZ "On Accounting" dated 6 December 2011;
· other regulatory legal acts regarding relationships arising from the Operator's activities.
3.2. The legal basis for personal data processing also includes:
· consent of the Personal Data Subject to the processing of personal data.
4. SCOPE, CATEGORIES AND CONDITIONS OF PERSONAL DATA PROCESSED, CATEGORIES OF PERSONAL DATA SUBJECTS IN RELATION TO THE STATED PURPOSES OF PERSONAL DATA PROCESSING
4.1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. The personal data processing that is incompatible with the purposes of collecting (collection of) personal data is not allowed. Only those personal data that meet the purposes of their processing are subject to processing.
4.2. The content and scope of personal data processed must correspond to the stated purposes of processing provided for in this section. The processed personal data should not be excessive in relation to the stated purposes of their processing. Personal data shall be processed by the Operator for the purposes of:
· ensuring compliance with the labor legislation of the Russian Federation (assistance to employees in finding employment, education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property, ensuring compliance with laws and other regulatory legal acts)
· preparation, conclusion and execution of contracts
· offering and promoting its own products and brand on the market through marketing (advertising, PR) activities and sales promotion
· processing incoming requests from the Website
· maintaining statistics of visits to the Website
4.3. In accordance with this Policy, the Operator may process personal data belonging to the following categories of Personal Data Subjects:
· to the Operator's employees
· to the Operator's counterparties
· to the Operator's clients
· to visitors of the Operator's Website
4.4. Processing of personal data in order to ensure compliance with Russian labor legislation.
4.4.1. In accordance with this section of the Policy, the Operator determines the categories and the list of personal data to be processed, the categories of subjects whose personal data is being processed, the methods and timing of their processing and storage, and the procedure for destroying personal data when the purpose of their processing is achieved or when other legal grounds arise for such purposes as "ensuring compliance with labor legislation of the Russian Federation (including assisting employees in finding employment, obtaining education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property, ensuring compliance with laws and other regulatory legal acts)".
4.4.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category (categories) of personal data subjects:
· the Operator's employees
4.4.3. The Operator processes the following categories and the list of personal data of employees in accordance with the purpose specified in this section of the Policy:
a) the processing of general (other) categories of personal data of employees is carried out in accordance with the following list:
· surname, name, patronymic
· residential address
· education
· occupation
· passport details
· contact phone number
· income
· position
· INN (Taxpayer Identification Number)
· SNILS (Individual Insurance Account Number)
· marital status
b) the processing of special categories of personal data of employees shall be carried out in accordance with the requirements of the legislation of the Russian Federation, namely:
· health information
· nationality
c) the processing by the Operator of biometric personal data of employees (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) shall be carried out in accordance with the requirements of the legislation of the Russian Federation, namely:
· face image data obtained using photo-video devices
4.4.4. The Operator carries out mixed processing of personal data of employees for the purpose specified in this section of the Policy with data transfer via an internal network, and via the Internet.
4.4.5. The list of actions performed by the Operator with personal data of employees for the purpose specified in this section of the Policy: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transmission (provision, access), blocking, deletion, destruction.
4.4.6. The processing of personal data of employees does not require obtaining appropriate consent, provided that the scope of personal data processed by the Operator corresponds to the purpose of ensuring compliance with the labor legislation of the Russian Federation specified in this section of the Policy, based on paragraph 2 of Part 1 of Article 6 of the Law on Personal Data.
4.4.7. When concluding an employment contract, employees shall provide the Operator with the following documents containing their personal data:
· passport or other document proving the identity;
· work record book and (or) information about work activity, except in cases where an employment contract is concluded for the first time;
· a document confirming registration in the system of individual (personalized) accounting, including in the form of an electronic document;
· military registration documents – for those liable for military service and those subject to conscription;
· a document on education and/or qualifications or the presence of special knowledge – when applying for a job that requires special knowledge or special training;
· other documents in accordance with the requirements of the legislation.
4.4.8. In the case an employment contract with an employee/employees is/are concluded for the first time, the work record book(s) and the state pension insurance certificate(s) shall be issued by the Operator.
4.4.9. In the event that other documents are required for the employment of employees in accordance with the law, the Operator shall contact persons applying for employment with a request to provide such documents containing their personal data.
4.4.10. The Operator stores the personal data of employees in a form that allows the identification of the personal data subjects, for no longer than required by the purpose of processing the personal data specified in this section of the Policy, unless the storage period for the personal data is established by federal law.
4.4.11. The Operator processes the personal data of dismissed employees in cases and within the terms stipulated by the legislation of the Russian Federation. Such cases include, among other things, the processing of personal data within the accounting and tax recording, including to ensure the safety of documents necessary for the calculation, withholding and transfer of taxes.
4.4.12. The Operator is obliged to store accounting documentation for the periods established in accordance with the rules for organizing state archival affairs, but the minimum storage period may not be less than 5 (five) years.
4.4.13. After the expiration of the periods specified by the legislation of the Russian Federation, personal files of employees and other documents shall be transmitted to archival storage for a period of 50 years.
4.4.14. The consent of employees to the processing of their personal data in the cases provided for in paragraphs 4.4.11. – 4.4.13 hereof is not required.
4.4.15. The Operator shall not disclose or distribute personal data of employees to third parties without the consent of employees for the purpose specified in this section of the Policy, unless otherwise provided for by the legislation of the Russian Federation.
4.4.16. When transmitting personal data of employees, the Operator must comply with the following requirements:
· it is prohibited to disclose personal data of employees to a third party without the written consent of employees, except in cases where this is necessary to prevent threats to the life and health of employees, as well as in cases established by the current legislation of the Russian Federation;
· an employee who transmits personal data of the Operator's employees is obliged to warn persons receiving the personal data of the employees that this data may only be used for the purposes for which it was communicated, and to require these persons to confirm compliance with this rule. Persons receiving personal data of the Operator's employees shall comply with their confidentiality regime. This provision does not apply to the exchange of personal data of employees in accordance with the procedure established by the current legislation of the Russian Federation;
· an employee who transmits personal data of the Operator's employees has the right to transmit their personal data to representatives of the employees in accordance with the procedure established by the Labor Code of the Russian Federation, and to limit this information to only those personal data of employees that are necessary to these representatives for the performance of their functions.
· personal data of employees to the Pension and Social Insurance Fund of the Russian Federation (Social Fund of Russia) in the manner established by federal laws, in particular the Federal Law "On Compulsory Pension Insurance in the Russian Federation", the Federal Law "On the Fundamentals of Compulsory Social Insurance", the Federal Law "On Compulsory Medical Insurance in the Russian Federation" shall be transmitted without the consent of employees.
· The consent of employees is not required in cases where the Operator transmits personal data of employees to tax authorities, military commissariats, labor union bodies provided for by the current legislation of the Russian Federation, and also upon receipt, within the established powers, of reasoned requests from prosecutorial authorities, law enforcement agencies, security agencies, from state labor inspectors when they exercise state supervision and control over compliance with labor legislation and other bodies authorized to request information about employees in accordance with the competence provided for by the current legislation of the Russian Federation.
4.4.17. The Operator does not carry out cross-border transfer of personal data of employees for the purpose specified in this section of the Policy.
4.4.18. The terms for processing and storing personal data for the purpose specified in this section of the Policy are established during the term of the employment contract and 5 (five) years after the termination of the employment contract.
4.5. Processing of personal data for the purposes of preparation, conclusion and execution of contracts.
4.5.1. In accordance with this section of the Policy, the Operator determines the categories and the list of personal data processed, the categories of subjects whose personal data are processed, the methods and terms of their processing and storage, the procedure for the destruction of personal data upon achieving the purpose of their processing or upon the occurrence of other legal grounds applicable to such a purpose as “preparation, conclusion and execution of contracts”.
4.5.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category (categories) of personal data subjects:
· the Operator's counterparties
· the Operator's clients
4.5.3. The Operator processes the following categories and the list of personal data of counterparties and clients for the purposes specified in this section of the Policy:
a) processing of general (other) categories of personal data of counterparties and clients shall be carried out in accordance with the following list:
· surname, name, patronymic
· residential address
· passport details
· contact phone number
· e-mail address
· gender
b) special categories of personal data of counterparties and clients are not processed;
c) the processing of biometric personal data of clients (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) shall be carried out in accordance with the requirements of the legislation of the Russian Federation, namely:
· face image data obtained using photo-video devices
4.5.4. The Operator performs mixed processing of personal data of counterparties and clients for the purpose specified in this section of the Policy with data transfer via an internal network, and via the Internet.
4.5.5. The list of actions performed by the Operator with the personal data of counterparties and clients for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
4.5.6. The processing of personal data of counterparties and clients does not require obtaining appropriate consent, provided that the scope of personal data processed by the Operator corresponds to the purpose of preparing, concluding and executing a civil contract specified in this section of the Policy, based on paragraph 5 of Part 1 of Article 6 of the Law on Personal Data.
4.5.7. The operator, without the consent of the personal data subject, does not disclose to third parties or distribute the personal data of counterparties or clients for the purpose specified in this section of the Policy, unless otherwise provided by the legislation of the Russian Federation.
4.5.8. The Operator does not carry out cross-border transfer of personal data of counterparties or clients for the purpose specified in this section of the Policy.
4.5.9. The terms for processing and storage of personal data for the purpose specified in this section of the Policy are established during the term of the contract with a client and 5 (five) years after the termination of such contract.
4.6. Processing of personal data for the purpose of offering and promoting of own products and brand on the market by implementing marketing (advertising, PR) activities and sales promotion.
4.6.1. In accordance with this section of the Policy, the Operator determines the categories and the list of personal data to be processed, the categories of subjects whose personal data being processed, the methods and timing of their processing and storage, and the procedure for destroying personal data when the purpose of their processing is achieved or when other legitimate grounds arise for such purposes as "offering and promoting own products and brand on the market through marketing (advertising, PR) activities and sales promotion."
4.6.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category (categories) of personal data subjects:
· the Operator's clients
· visitors of the Operator's Website
4.6.3. The Operator processes the following categories and the list of personal data of clients, visitors for the purposes specified in this section of the Policy:
a) processing of general (other) categories of personal data of clients, visitors shall be carried out in accordance with the following list:
· surname, name, patronymic
· contact phone number
· e-mail address
· gender
b) special categories of personal data of clients, visitors are not processed;
c) biometric personal data of clients, visitors (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) are not processed.
4.6.4. The Operator performs mixed processing of personal data of clients, visitors for the purpose specified in this section of the Policy with data transfer via an internal network, and via the Internet.
4.6.5. The list of actions performed by the Operator with the personal data of clients, visitors for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
4.6.6. The processing of personal data of clients and visitors for the purpose specified in this section of the Policy is subject to prior consent to such processing.
4.6.7. Without the consent of the personal data subject, the Operator, does not disclose to third parties or distribute the personal data of clients and visitors for the purpose specified in this section of the Policy, unless otherwise provided by the legislation of the Russian Federation.
4.6.8. The Operator does not carry out cross-border transfer of personal data of clients and visitors for the purpose specified in this section of the Policy.
4.6.9. The terms of processing and storing personal data of visitors for the purposes specified in this section of the Policy are set from the moment of receiving personal data of visitors until the goal of personal data processing is achieved – offering and promoting own products and brand on the market through marketing (advertising, PR) activities and sales promotion.
4.7. Processing of personal data for the purpose of processing incoming requests from the Website.
4.7.1. In accordance with this section of the Policy, the Operator determines the categories and the list of personal data processed, the categories of subjects whose personal data are processed, the methods and terms of their processing and storage, the procedure for the destruction of personal data upon achieving the purpose of their processing or upon the occurrence of other legal grounds applicable to such a purpose as “processing incoming requests from the Website”.
4.7.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category (categories) of personal data subjects:
· visitors of the Operator's Website
4.7.3. The Operator processes the following categories and the list of personal data of visitors for the purposes specified in this section of the Policy, including through an external form of personal data collection (https://form.gle):
a) processing of general (other) categories of personal data of visitors shall be carried out in accordance with the following list:
· surname, name, patronymic
· contact phone number
· e-mail address
b) special categories of personal data of visitors are not processed;
c) biometric personal data of visitors (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) are not processed.
4.7.4. The Operator performs mixed processing of personal data of visitors for the purpose specified in this section of the Policy with data transfer via an internal network, and via the Internet.
4.7.5. The list of actions performed by the Operator with the personal data of visitors for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, blocking, deletion, destruction.
4.7.6. The processing of personal data of visitors for the purpose specified in this section of the Policy is subject to prior consent to such processing.
4.7.7. The operator, without the consent of the personal data subject, does not disclose to third parties or distribute the personal data of visitors for the purpose specified in this section of the Policy, unless otherwise provided by the legislation of the Russian Federation.
4.7.8. The Operator does not carry out cross-border transfer of personal data of visitors for the purpose specified in this section of the Policy.
4.7.9. The terms of processing and storage of personal data of visitors for the purpose specified in this section of the Policy shall be established from the moment of receipt of personal data of visitors until the moment of achieving the purpose of personal data processing – processing incoming requests from the Website.
4.8. Processing of personal data for the purpose of maintaining statistics of Website visits.
4.8.1. In accordance with this section of the Policy, the Operator determines the categories and the list of personal data processed, the categories of subjects whose personal data are processed, the methods and terms of their processing and storage, the procedure for the destruction of personal data upon achieving the purpose of their processing or upon the occurrence of other legal grounds applicable to such a purpose as “maintaining statistics of Website visits”.
4.8.2. For the purpose specified in this section of the Policy, the Operator processes personal data belonging to the following category (categories) of personal data subjects:
· visitors of the Operator's Website
4.8.3. The Operator processes the following categories and the list of personal data of visitors for the purposes specified in this section of the Policy:
a) processing of general (other) categories of personal data of visitors shall be carried out in accordance with the following list:
· information collected through metric programs
b) special categories of personal data of visitors are not processed;
c) biometric personal data of visitors (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) are not processed.
4.8.4. The Operator performs mixed processing of personal data of visitors for the purpose specified in this section of the Policy with data transfer via an internal network, and via the Internet.
4.8.5. The list of actions performed by the Operator with personal data of visitors for the purpose specified in this section: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transmission (provision, access), blocking, deletion, destruction.
4.8.6. The processing of personal data of visitors for the purpose specified in this section of the Policy is subject to prior consent to such processing.
4.8.7. The operator, without the consent of the personal data subject, does not disclose to third parties or distribute the personal data of visitors for the purpose specified in this section of the Policy, unless otherwise provided by the legislation of the Russian Federation.
4.8.8. With the consent of visitors within the country, the Operator may transmit their personal data for the purpose specified in this section of the Policy to Yandex LLC (INN 7736207543), address: 16 Lva Tolstogo St., Moscow, 119021, using the Yandex.Metrica software tool.
4.8.9. The content of the visitors' consent must be specific, substantive, informed, conscious and unambiguous, i.e. it must contain information that makes it possible to unambiguously draw a conclusion about the purposes, methods of processing, indicating the actions performed with personal data, and the scope of personal data being processed.
4.8.10. The Operator does not carry out cross-border transfer of personal data of visitors for the purpose specified in this section of the Policy.
4.8.11. The terms of processing and storage of personal data of visitors for the purpose specified in this section of the Policy shall be established from the moment of receipt of personal data of visitors until the moment of achieving the purpose of personal data processing – maintaining statistics of Website visits.
5. THE PROCEDURE FOR VISITORS’ PERSONAL DATA PROCESSING USING COOKIES
5.1. Cookies transferred to the technical devices of the Personal Data Subject may be used to provide the Personal Data Subject with personalized functions of the Website, for personalized advertising that is shown to the Personal Data Subject, for statistical and research purposes, and to improve the operation of the Website.
5.2. The Personal Data Subject is aware that the hardware and software he/she uses to visit websites on the Internet may have the function of prohibiting operations with cookies (for any websites or for certain websites), as well as deleting previously received cookies.
5.3. The Operator has the right to establish that the provision of certain functions of the Website is possible only on condition that the acceptance and receipt of cookies is permitted by the Personal Data Subject.
5.4. The structure of the cookie file, its content and technical parameters are determined by the Operator and may change without prior notice to the Personal Data Subject.
5.5. The counters posted on the Website or the application of the Website can be used to analyze the cookies of the Personal Data Subject, to collect and process statistical information about the use of the Website, as well as to ensure the operability of the Website as a whole or its individual functions in particular. The technical parameters of the counters shall be determined by the Operator and may be changed without prior notice to the Personal Data Subjects.
5.6. The Operator uses the Yandex.Metrica software tool, the use of which functionality allows one to identify a unique Website visitor, generate information about his/her preferences and behavior on the Website.
6. PROCEDURE FOR COLLECTION AND STORAGE OF PERSONAL DATA
6.1. When collecting personal data, including through the information and telecommunications network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.
6.2. Persons who have transmitted information about another Personal Data Subject to the Operator, including through the Website, without having the consent of the subject whose personal data was transmitted, shall be liable in accordance with the legislation of the Russian Federation.
6.3. The Operator shall store personal data in a form that allows the identification of the Personal Data Subject, no longer than required by the purposes of personal data processing, unless the storage period for personal data is established by federal law, an agreement to which the Personal Data Subject is a party, beneficiary or guarantor.
6.4. The Operator strictly adheres to the principles of data minimization and data processing time. Processed personal data shall be subject to destruction in the event of:
· achieving the purposes of personal data processing;
· receipt of revocation of consent to the processing of personal data or expiration of the consent to the processing of personal data;
· loss of the need to achieve the purposes of personal data processing;
· exclusion of the Operator from the Unified State Register of Individual Entrepreneurs.
Upon expiration of the specified terms, the Operator may process personal data if the processing is necessary for the Operator to comply with the legislation of the Russian Federation.
7. PROTECTION OF PERSONAL DATA
7.1. The Operator shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including:
· identifies threats to the security of personal data during their processing;
· adopts local regulations and other documents regulating relations in the field of personal data processing and protection;
· appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
· creates the necessary conditions for working with personal data;
· organizes accounting of documents containing personal data;
· organizes work with information systems in which personal data is processed;
· stores personal data in conditions that ensure their safety and prevent unauthorized access to them;
· organizes training for the Operator’s employees who process personal data.
8. UPDATING, CORRECTING, DELETING AND DESTROYING PERSONAL DATA, RESPONDING TO REQUESTS FROM DATA SUBJECTS FOR ACCESS TO THEIR PERSONAL DATA
8.1. Confirmation of the fact of processing of personal data by the Operator, the legal grounds and purposes of processing of personal data, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, shall be provided by the Operator to the Personal Data Subject or his/her representative upon demand or upon receipt of a request from the Personal Data Subject or his/her representative within 10 (ten) business days from the date of receipt of the demand or receipt of the request. The information provided shall not include personal data related to other Personal Data Subjects, except in cases where there are legitimate grounds for the disclosure of such personal data.
8.2. The request must contain:
· the number of the main document certifying the identity of the Personal Data Subject or his/her representative, information on the date of issue of the specified document and the body that issued it;
· information confirming the Personal Data Subject's participation in the relationship with the Operator (contract number, date of conclusion of the contract, conditional designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;
· signature of the Personal Data Subject or his/her representative.
8.3. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
8.4. If the Personal Data Subject’s request (demand) does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him/her.
8.5. The right of the Personal data Subject to access his/her personal data may be restricted in accordance with part 8 of Article 14 of the Law on Personal Data, including if the Personal Data Subject's access to his/her personal data violates the rights and legitimate interests of third parties.
8.6. In the event that inaccurate personal data is discovered upon an appeal by the Personal Data Subject or his/her representative or at the request of those or of Roskomnadzor, the Operator shall block the personal data related to this Personal Data Subject from the moment of such appeal or receipt of the specified request for a verification period, if the blocking of the personal data does not violate the rights and legitimate interests of the Personal Data Subject or third parties.
8.7. In case of confirmation of the inaccuracy of personal data, the Operator, based on information provided by the personal data subject or his/her representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven business days from the date of submission of such information and removes the blocking of personal data.
8.8. Personal data is subject to destruction by the Operator in the following cases:
· achieving the purposes of personal data processing;
· revocation by the Personal Data Subject of consent to the processing of his/her personal data;
· identification of illegal actions with personal data, as well as in other cases provided for by the current legislation of the Russian Federation.
8.9. In the event that the purpose of personal data processing is achieved, the Operator undertakes to stop personal data processing or ensure its termination (if the processing of personal data is carried out by another person acting on behalf of the Operator) and destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of achieving the purpose of personal data processing, unless otherwise provided by an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, another agreement between the Operator and the Personal Data Subject, or if the Operator does not have the right to process personal data without the consent of the Personal Data Subject.
8.10. If the Personal Data Subject has revoked his consent to the processing of personal data, the Operator undertakes to terminate their processing or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Operator) and if the storage of personal data is no longer required for the purposes of personal data processing, to destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Operator) within a period not exceeding thirty days from the date of receipt of the specified revocation, unless otherwise provided by an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, another agreement between the Operator and the Personal Data Subject, or if the Operator does not have the right to process personal data without the consent of the Personal Data Subject.
8.11. In the event of detection of unlawful processing of personal data carried out by the Operator or a person acting on behalf of the Operator, and the impossibility of ensuring the legality of the processing of personal data, the Operator undertakes to destroy such personal data or ensure their destruction within a period not exceeding ten business days from the date of detection of the unlawful processing of personal data. The Operator undertakes to notify the Personal Data Subject or his/her representative about the destruction of personal data, and if the request of the Personal Data Subject or his/her representative or the request of the authorized body for the protection of the rights of Personal Data Subjects has been sent by the authorized body for the protection of the rights of Personal Data Subjects, also notify the specified body.
9. FINAL PROVISIONS
9.1. The Operator has the right to send advertising and informational messages to the Personal Data Subject via e-mail, SMS and push notifications only subject to prior consent to receive advertising in accordance with part 1 of Article 18 of Federal Law No. 38-FZ "On Advertising" dated 13.03.2006. Consent to receive advertising messages from the Operator via e-mail, SMS and push notifications shall be provided in writing or in electronic form by checking the appropriate box on the Website.
9.2. The Personal Data Subject has the right to refuse to receive advertising messages by clicking on the relevant link in the emails received from the Operator, by sending a notice of refusal to receive advertising messages to the support service at the address of the Operator’s location: 21 Poryadkovy pereulok, premise I, room 6, Moscow, 127055, or by contacting the Operator with a relevant request by email at info@redrd.ru.
9.3. In compliance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is posted at the Operator's location, freely available on the Website in the information and telecommunications network Internet.
