POLICY ON PERSONAL DATA PROCESSING
1. Basic concepts used in the Policy
This policy on personal data processing (hereinafter referred to as the Policy) has been drawn up in accordance with the requirements of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the Personal Data Law) and determines the procedure of personal data processing and measures to ensure the security of personal data taken by the LIMITED LIABILITY COMPANY "MARKET", legal address: 119602, Moscow, Troparevskaya str., possession 4, room 805, TIN - 7736588747, OGRN - 5087746670237 (hereinafter referred to as the Operator).
1.1. The Operator sets as its most important goal and condition of its activity the observance of human and citizen's rights and freedoms in the processing of personal data, including the protection of the rights to privacy, personal and family secrecy. 1.2. This Operator's policy on personal data processing (hereinafter referred to as the Policy) applies to all personal data of the subjects processed by the Company with or without the use of automation tools, including when using the Company's websites and applications.
1.3. This Policy is accessible to any subject of personal data, including through the Internet.
1.4.All issues related to the processing of personal data not regulated by this Policy shall be resolved in accordance with the applicable Russian legislation in the field of personal data.
1.5. Ignorance of the conditions set forth in this Policy shall not be the basis for the subject of personal data to make any claims against the Operator.
2. Basic rights and responsibilities of the Operator
2.1. Personal data is any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data). Such information may include, in particular: Full name, year, month, date and place of birth, address, information about family, social, property status, information about education, profession, income, as well as other information that allows to determine (identify) the subject of personal data in the aggregate.
2.2. Personal data processing is any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
2.3. Personal data blocking is a temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data).
2.4. Personal data information system is a set of personal data contained in databases and information technologies and technical means ensuring their processing.
2.5. Personal data impersonalization includes actions as a result of which it is impossible to determine without using additional information whether personal data belong to a particular subject of personal data.
2.6. Operator is a legal entity that independently or jointly with other persons organizes and/or carries out processing of personal data, as well as determines the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data.
2.7. Personal data subject is a natural person whose personal data are processed.
3. Basic rights and obligations of personal data subjects
3.1. The Operator has the right to:
— receive from the personal data subject reliable information and/or documents containing personal data;
— in case the personal data subject revokes his/her consent to personal data processing, as well as submits a request to stop personal data processing, the Operator has the right to continue personal data processing without the consent of the personal data subject if there are grounds specified in the Personal Data Law;
— independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws.
3.2.The Operator is obliged to:
— provide the subject of personal data, upon his/her request, with information regarding the processing of his/her personal data;
— organize the processing of personal data in accordance with the procedure established by the current legislation of the Russian Federation;
— respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
— report to the authorized body for the protection of the rights of personal data subjects at the request of this body the necessary information within 10 (ten) days from the date of receipt of such a request;
— publish or otherwise provide unrestricted access to this Policy on personal data processing;
— take legal, organizational and technical measures to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions with regard to personal data;
— cease transfer (dissemination, provision, access) of personal data, stop processing and destroy personal data in the manner and cases stipulated by the Personal Data Law;
— fulfill other obligations stipulated by the Personal Data Law.
4. Principles, procedure, conditions and purposes of personal data processing
4.1. The person whose personal data are processed by the Company accepts the terms and conditions of the Policy and gives the Operator informed and informed consent to the processing of his/her personal data on the terms and conditions stipulated by the Policy and the legislation of the Russian Federation. 4.2. The subjects of personal data have the right to:
— receive information regarding the processing of his/her personal data, except as provided for by federal laws. Information shall be provided to the subject of personal data by the Operator in an accessible form and shall not contain personal data relating to other subjects of personal data, unless there are legal grounds for disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
— demand from the operator to clarify his personal data, block or destroy them in case the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights;
— withdraw consent to the processing of personal data, as well as to submit a request to stop the processing of personal data;
— appeal to the authorized body for the protection of the rights of personal data subjects or in court against unlawful acts or omissions of the Operator in the processing of his/her personal data;
— exercise other rights provided for by the legislation of the Russian Federation.
4.3. The subjects of personal data are obliged to:
— provide the Operator with reliable data about themselves;
— notify the Operator about clarification (update, change) of their personal data. 4.4. Persons who have provided the Operator with false information about themselves or information about another subject of personal data without the consent of the latter shall be liable in accordance with the legislation of the Russian Federation.
4.5. The consent of the personal data subject to the processing of his/her personal data by the Operator shall be valid from the date of granting the consent to the processing of personal data and for the period necessary to achieve the purposes of personal data processing.
4.6. The consent of the personal data subject to the processing of personal data authorized for dissemination shall be provided to the Operator separately.
4.7. For all questions arising from the subject of personal data processing, he/she may contact the Company in accordance with the procedure provided for in Section 8 of the Policy.
5. Principles, procedure, conditions and purposes of personal data processing
5.1. The security of personal data processed by the Operator shall be ensured by implementing legal, organizational and technical measures necessary for full compliance with the requirements of the applicable legislation in the field of personal data protection. By security of personal data the Company understands the protection of personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions with regard to personal data and takes the necessary legal, organizational and technical measures to protect personal data.
5.2. The processing of the subject's personal data shall be carried out by the Operator on a lawful and fair basis.
5.2. The processing of personal data shall be limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of personal data collection is not allowed.
5.3. Only personal data that meet the purposes of processing shall be processed.
5.4. The content and scope of processed personal data correspond to the stated purposes of processing. Redundancy of processed personal data in relation to the stated purposes of their processing is not allowed.
5.6. The personal data shall be stored in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by federal law, contract to which the personal data subject is a party, beneficiary or guarantor. Processed personal data shall be destroyed or depersonalized upon achievement of the purposes of processing or in case of loss of necessity to achieve these purposes, unless otherwise provided for by federal law.
5.8. The Company shall process personal data under the following conditions:
To perform and fulfill the functions, powers and duties assigned to the Operator by the legislation of the Russian Federation, in particular:
- fulfillment of legal requirements in the field of labor and taxation, by ensuring compliance with laws and other regulatory legal acts; assisting employees in employment, training and career development; ensuring personal safety of employees; controlling the quantity and quality of work performed; ensuring the safety of employee and employer property;
- maintenance of current accounting and tax accounting, formation, production and timely submission of accounting, tax and statistical reports;
- fulfillment of legal requirements to determine the procedure for processing and protection of personal data of citizens who are employees, clients or contractors of the Company.
• Employees.
• Family members of employees.
• Former employees.
• Applicants for vacant positions.
• Parties, beneficiaries or guarantors under a contract.
• Other subjects of personal data who interact with the Company in any way within the scope of the stated purpose.
-surname, first name, patronymic (including previous surnames, first names and (or) patronymics, if changed);
- gender;
- date, month, year of birth;
- place of birth;
- information on citizenship (including previous citizenships, other citizenships);
- passport data;
- residence address (address of registration, actual residence), date of registration; previous addresses of residence (to determine the amount of the northern allowance);
- contact phone number or information on other means of communication;
- details of the state pension insurance certificate;
- taxpayer identification number;
- marital status, family composition and information about close relatives (including former relatives);
- information on employment history (including, but not limited to: employment history, previous jobs, income from previous jobs);
- information on temporary disability and health status;
- information on military registration and details of military registration documents;
- information on education, including postgraduate professional education (name and year of graduation from an educational institution, name and details of the education document, qualification, specialty according to the education document);
- information on vehicles (if necessary);
- bank details;
- other personal data necessary to achieve the above purpose.
Conclusion and execution of contracts with participation of personal data subjects as parties, beneficiaries or guarantors under such contracts, including, but not limited to: consideration of customer requests, refunds for purchased goods, issuance of prizes and payment of remuneration based on the results of contests, promotions, etc.
• Users of the Company's online store and mobile application, as well as customers of retail outlets.
• Parties, beneficiaries or guarantors under the contract.
• Counterparties or representatives.
- Full name;
- date and place of birth;
- passport data;
- cell (cell phone) number, e-mail address;
- actual address of residence (delivery address);
- record of calls (telephone conversations when contacting the call-center);
- bank details;
- technical information: IP-address, cookies, type of mobile device used, address of referring websites, path the user takes through the Company's website and mobile application.
5.9. The Company shall process personal data only if at least one of the conditions below is met within the following timeframes:
5.10. The Company has the right to entrust the processing of personal data to third parties - processors - on the basis of contracts concluded with such parties. Such persons include, in particular, service providers who assist the Company in its activities: providers of hosting services, customer contact center, etc. Processors undertake to comply with the principles and rules of personal data processing provided for by Federal Law No. 152-FZ "On Personal Data" (including Article 18.1 and Part 5 of Article 18), other laws and bylaws. For each processor, the contract will define:
- list of processed personal data;
- purposes of their processing;
- list of actions (operations) to be performed with personal data by the processor;obligations of the Processor to maintain confidentiality and ensure security of personal data during their processing, as well as the list of measures taken by the Processor to ensure protection of personal data processed by it, including the requirement to notify the Company of incidents with personal data;
- obligation to provide the Company with documents and other information confirming the measures taken and compliance with the requirements set forth by Federal Law No. 152-FZ for the purpose of fulfillment of the Company's assignment, upon the Company's request during the term of validity of the order for personal data processing.
The Processor is not obliged to obtain the personal data subject's consent to the processing of his/her personal data. If processing of personal data on behalf of the Company requires the consent of the personal data subject, such consent shall be obtained directly by the Company.
5.11. In cases established by the legislation of the Russian Federation, the Company shall have the right to transfer personal data to third parties, including without entrusting such persons with the processing of personal data.
5.12. Unless otherwise provided for by the legislation of the Russian Federation, the Company shall cease processing of personal data (in respect of any of the purposes stated above) and destroy them in the following cases:
- liquidation of the Company;
- reorganization of the Company resulting in termination of its activity;
- the legal basis for personal data processing and/or achievement of personal data processing goals has ceased to exist.
The specific procedure for destroying personal data on media containing personal data, including external/removable electronic media, paper media and in personal data information systems, is determined by the Company in its internal documents and local regulations. 5.13. The Company may collect technical information when a user visits the websites or uses the Company's mobile applications and services. This includes information such as IP address, type of mobile device used, device operating system and browser type, unique device identifier, address of referring websites, the path the user takes through the Company's websites and mobile applications, and so on. The Society may also use technologies such as cookies, web beacons and mobile device identifiers to collect information about the use of the Society's websites and mobile services. Cookies allow the Society to provide users with relevant information as they use the Society's websites and mobile services (e.g., to open and load relevant pages). Web beacons allow the Society to recognize whether a particular page has been visited, whether an email has been opened, or whether banner ads on the Society's websites and other sites have been effective. The Company uses this information to ensure the performance of its websites and mobile applications, to improve the quality of its services, to correct errors and to improve the user experience in general. At the same time, the Company does not pursue the purpose of identifying a particular user of the Company's websites, mobile applications and services.
5.14. The Company in the course of personal data processing:
- takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Russian Federation, internal documents and local regulations of the Company in the field of personal data;
- takes legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions in relation to personal data;
- issues internal documents defining the Company's policy with regard to personal data processing, local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the laws of the Russian Federation and eliminating the consequences of such violations;
- publishes or otherwise provides unrestricted access to this Policy;
- terminates the processing of personal data and destroys it in cases stipulated by the legislation of the Russian Federation;
performs other actions stipulated by the legislation of the Russian Federation in the field of personal data.
6. Legal grounds and conditions of personal data processing
6.1. Processing and security of personal data in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, Federal Law No. 152-FZ "On Personal Data", by-laws, other laws of the Russian Federation defining the cases and peculiarities of personal data processing, as well as guiding and methodological documents of the Government of the Russian Federation, the Ministry of Finance of Russia, Roskomnadzor, the Federal Service for Technical and Expert Control of Russia and the Federal Security Service of Russia.
6.2.The Operator carries out automated processing of personal data with or without receiving and/or transmitting the received information via information and telecommunication networks.
7. Confidentiality of personal data
The operator and other persons who have access to personal data are obliged not to disclose to third parties and not to disseminate personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.
8. Appeals of personal data subjects
8.1. The personal data subject has the right to send to the Operator his/her requests and demands (hereinafter referred to as "Appeal"), including regarding the use of his/her personal data, as well as withdrawal of consent to the processing of personal data. The Appeal may be sent in the following ways:
— in writing to the Operator's address specified in this Policy;
— in the form of an electronic document to the Operator's e-mail address
info@simrussia.ru.
8.2. The personal data subject may obtain any explanations on issues of interest regarding the processing of his/her personal data.
8.3. The Application sent by the subject of personal data shall contain the following information:
— Full name of the personal data subject;
— Information confirming participation in relations with the Operator;
— The essence of the Application;
— Signature of the personal data subject or his/her legal representative.
8.4. The Operator shall consider the personal data subject's appeal in the following order:
— the appeal is registered in the register of appeals;
— the presence of mandatory requisites is checked;
— the validity of the appeal is checked;
— the response to the appeal is provided within a period not exceeding 10 (ten) calendar days from the date of registration of the appeal.
9. Final Statements
9.1. This document will reflect any changes to the Operator's personal data processing policy. The Policy is valid indefinitely until it is replaced by a new version.
9.2. The Company has taken the following measures to ensure fulfillment of obligations stipulated by the legislation of the Russian Federation:
- a person responsible for organization of personal data processing has been appointed;
- local acts on the issues of personal data processing and security, as well as local acts establishing procedures aimed at preventing and detecting violations of the Russian legislation and eliminating the consequences of such violations;
- internal control of compliance of personal data processing with the requirements of No. 152-FZ dated 27.07.2006 "On Personal Data" and regulatory legal acts adopted in accordance with it, this Policy, local acts of the Company;
- assessment of the damage that may be caused to the subjects of personal data in case of violation of the requirements of the federal legislation on personal data, correlation between the said damage and the measures taken by the Company to ensure fulfillment of the obligations stipulated by the requirements of No. 152-FZ of 27.07.2006 "On Personal Data" and the regulatory legal acts adopted in accordance therewith;
- the Company's employees who directly process personal data are familiarized with the provisions of No. 152-FZ dated 27.07.2006 "On Personal Data" and regulatory legal acts adopted in accordance with it, this Policy and local acts on personal data processing.
9.3. The Company implements the following requirements to the protection of personal data:
- security regime of the premises where the information systems are located is organized, preventing the possibility of uncontrolled entry or stay in these premises of persons who have no right of access to these premises;
- the security of personal data carriers is ensured;
- the head of the Company has approved a document defining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;
- information protection means are used that have undergone the procedure of conformity assessment to the requirements of the Russian legislation in the field of information security;
- the requirements established by the Resolution of the Government of the Russian Federation No. 68 of September 15, 2008 "On Approval of the Regulation on the Specifics of Personal Data Processing Performed Without the Use of Automation Means".
9.4. In case of changes in the current legislation of the Russian Federation, amendments to the regulatory documents on personal data protection, this Policy shall be effective in the part not contradicting the current legislation until it is brought into compliance.