Protection policy and personal data processing data of an individual entrepreneur Krikheli Irakli Shalvovich.

Moscow-20.03.2020

Please read carefully before continuing to use the site!

  • Terms and definitions

1.1. At the current protection policy and processing personal data of an individual entrepreneur Krikheli Irakli Shalvovich (Policy,

SP Krikheli I.Sh.) the following basic terms and definitions are used:

Automatic processing of personal data- processing personal data utilizing computing devices;

Blockage of personal data- temporary termination of personal data processing (except in cases where processing is necessary to clarify personal data).

Personal data information system- set of contents in the personal database, and ensuring the processing of information technologies and technical means (hereinafter-PDIS).

IP-address&mdash- the unique network address of the host in the computer network, built over the IP protocol.

Personal data privacy-mandatory for the Operator or other person who has access to personal data to comply with the requirement not to allow their distribution without the consent of the subject of personal data or the presence of other legal grounds.

Cookies&mdash- a small piece of data sent by the webserver stored on the user’s computer, which web client or web browser each time sends it to the webserver in an HTTP request when trying to open a page on the corresponding site.

Personal data sanitization- actions that make it impossible to determine whether personal data belongs to a specific personal data subject without using additional information.

Personal data processing- any action(operation), or a set of actions(operations), committed with the use of means of automation or without the use of such means with personal data, including collection, recording, systematization, accumulation, storing, clarification (update, change), extraction, utilization, transfer (distribution, provision, access), depersonalization, blocking, deleting, personal data destruction.

Operator- organization, that independently or co-organized with other persons arrange the processing of personal data, as well as defining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

The operator within the meaning of this Policy is SP Krikheli I.Sh. (5/2 apt. 12 Pogorel’skiy lane, Moscow 119017, Russia).

TIN 772864198539, PSRNSP 312774626300804.

Personal data- any information relating directly or indirectly to a specific or identifiable individual (personal data subject).

Personal data made publicly available by the personal data subject- personal information, access of an unlimited number of persons to which is provided by the subject of personal data, or at his request.

Provision of personal data- actions, aimed at disclosure of personal data to a certain person or a certain circle of persons.

Website user- (hereinafter- User, the subject of personal data)- an individual (the subject of personal data) who has access to the site via the Internet.

Dissemination of personal data- actions, aimed at disclosure of personal data to an indefinite number of persons (transfer of personal data) or the acquaintance with the personal data of an unlimited number of persons, including the disclosure of personal data in the mass media, information and telecommunications networks or providing access to personal data in any other way.

Website- a set of software and hardware for computers that ensure the publication of information and data for public viewing, United by a common purpose, through technical means used for communication between computers on the Internet.

In this Policy, a site is defined as a site located on the Internet at: bernes.ru (hereinafter-Site).

Cross-border supply of personal data- transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or foreign legal entity.

Personal data destruction- actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

2.General provisions.

2.1. This Policy has been developed in accordance with the Russian Federation Constitution, Civil code of Russian Federation, Federal law «On personal data» № 152-ФЗ от 27.07.2006

(hereinafter- Federal law № 152-ФЗ), as well as other legal acts of the Russian Federation in the field of personal data protection and processing and applies to all personal data, which the Operator may receive from a personal data subject who is a party to a civil contract during the use of any of the sites, services, programs, products or services of SP Krikheli I. sh.

2.2. This Policy sets out the Operator’s obligations to ensure non-disclosure and confidentiality of personal data, which the user presents to the Operator when registering on the site or when making a request (order).

2.3 This Policy sets out the procedure for processing personal data of Site Users by the Operator: actions of the Operator to collect, systematize, accumulate, store, clarify (update, change), and destroy personal data.

2.4 This Policy sets out general requirements and rules mandatory for the Operator to work with all types of media containing personal data of Site users.

2.5 Personal data security issues are not considered in the Policy, assigned in accordance with the established procedure to the data, constituting a state secret of the Russian Federation.

2.6 The purposes of this Policy are:

  • protection of constitutional rights, human and civil liberties when processing personal data, this includes the protection of the rights to privacy, personal and family secrets, the confidentiality of information, constituting personal data, and prevention of possible threats to the security of Site Users;
  • exclusion of unauthorized actions of any third parties, collection, systematization, accumulation, storage, clarification (updating, changing) of personal data, other forms of illegal interference in the information resources and local computer network of the Operator, ensuring the legal and regulatory confidentiality of undocumented information of Site Users;

2.7 This Policy applies to personal data processed by the Operator, both with the use of automation tools, including in information and telecommunications networks and without the use of such tools.

2.8 This Policy comes into force from the moment it is posted on the Site and is valid indefinitely until it is replaced by a new Policy. Providing unrestricted access to the policy is implemented by publishing It on the Website.

2.9 The user is obliged to familiarize himself with the text of this Policy.

2.10 The User’s use of the Site means acceptance of this Policy and the terms of processing of the User’s personal data. When visiting the Site, the User undertakes to comply with this Policy and agrees to its terms.

In case of disagreement with the terms of Policy, the user must suspend using the site.

2.11 This Policy applies to all information which the Operator can get about the User while using the Site.

2.12 The operator assumes that the subject of personal data provides accurate and reliable information during interaction with the Operator, notifies the Operator of changes to their personal data.

The operator doesn’t check the accuracy of personal data provided by the Site user.

2.13 The Operator protects the processed personal data from unauthorized access and disclosure, misuse, or loss in accordance with the requirements of Federal law No. 152-FZ.

2.14 The Operator has the right to make changes in this Policy.

When making changes, the Policy header specifies the date when the revision was last updated. This policy comes into force from the moment it is posted on the Site unless otherwise provided for in the new version of the Policy.

2.15 All suggestions or questions about this Policy should be sent to the following email address: info@bernes.ru

This Policy supplements the Public offer and is an integral part of it.

3.Principles and terms of personal data processing

3.1 Principles of personal data processing.

3.1.1 Personal data processing must be carried out on a legal and fair basis.

3.1.2 Personal data processing must be limited to the achievement of specific, predetermined, and legitimate goals.

3.1.3 It is not allowed to combine databases containing personal data that are processed for purposes that are incompatible with each other.

3.1.4 Only personal data that meets the purposes of processing are subject to processing.

3.1.5. The content and volume of personal data processed must correspond to the stated purposes of processing. The processed personal data must not be excessive regarding the stated purposes of their processing.

3.1.6. When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, their relevance to the purposes of personal data processing must be ensured.

3.1.7. Personal data should be stored no longer than the purposes of personal data processing require unless the term of personal data storage is established by Federal law No. 152. the agreement to which the User is a party.

3.1.8. The processing of personal data is terminated when the processing goals are achieved, the legal grounds for processing are lost, document storage terms expire established by the law of Russian Federation.

3.1.9 The processed personal data is subject to destruction or depersonalization for use in statistical or other research purposes after the expiration of the period for processing personal data, upon reaching the processing goals or in case of loss of the need to achieve these goals, unless otherwise provided by Federal law No. 152.

3.2 Terms of personal data processing

3.2.1 Personal data of Users are classified as confidential information of restricted access.

3.2.2 Ensuring the confidentiality of personal data is not required if they are depersonalized, as well as in relation to publicly available personal data.

3.2.3 Personal data processing is carried out under the Constitution of Russian Federation, Civil code of the Russian Federation, legislation of the Russian Federation in the field of personal data protection.

3.2.4 Personal data is processed on the Site

in compliance with the principles and rules provided for by this Policy and the legislation of the Russian Federation.

3.2.5 The operator processes personal data in the presence of at least one of the following conditions:

  • the processing of personal data is carried out with the consent of the personal data subject to the processing of his data;
  • the processing of personal data is necessary to achieve the goals stipulated by an international agreement of the Russian Federation or by law, to perform and fulfill the functions, powers, and duties assigned to the Operator by the legislation of the Russian Federation;
  • processing of personal data is necessary for the implementation of justice, execution of a judicial act, processing of personal data is necessary for the administration of justice, execution of a judicial act, or an act of another authority or official that is subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
  • the processing of personal data is necessary for the performance of a contract to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of a contract on the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
  • processing of personal data is necessary for the exercise of rights and legitimate interests of the operator or third parties, or to achieve socially significant goals if the rights and freedoms of the personal data subject are not violated;
  • personal data is processed, access to which is granted to an unlimited number of persons by the subject of personal data or at his request (hereinafter-publicly available personal data);
  • personal data processing is subject to publication or mandatory disclosure in accordance with Federal law is processed;

3.2.6 The operator and other persons who have obtained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject unless otherwise provided by Federal law No. 152.

3.2.7 For information purposes, the Operator may have publicly available sources of personal data subjects, including reference books and address books.

With the written consent of the personal data subject, the publicly available sources of personal data may include, his last name, first name, patronymic, date, and place of birth, contact phone numbers, email address, and other personal data provided by the personal data subject.

Information about a personal data subject must be excluded from publicly available sources of personal data at any time at the request of the personal data subject, the authorized body for the protection of the rights of personal data subjects, or by a court decision.

3.2.8 The operator does not have the right to collect and process the User’s personal data about their race, nationality, political views, religious or philosophical beliefs, or private life, except in cases stipulated by the legislation of the Russian Federation.

3.2.9 Information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity — biometric personal data — can be processed by the Operator only with the consent of the subject of personal data in a written form.

3.2.10 The operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject unless otherwise provided by Federal law, on the basis of a contract concluded with this person. A person who processes personal data on behalf of the Operator must comply with the principles and rules of personal data processing provided for by Federal law No. 152 and this Policy.

3.2.11 According to article 2 of Federal law No. 242 of 21.07.2014 «On amendments to certain legislative acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunications networks» when collecting personal data, including through the information and telecommunications network «Internet», the Operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases, located on the territory of the Russian Federation, except for the following cases:

  • personal data processing is necessary to achieve the goals stipulated by an international agreement of the Russian Federation or by law, to perform and fulfill the functions, powers, and duties assigned to the operator by the legislation of the Russian Federation;
  • personal data processing is necessary for the administration of justice, execution of a judicial act, or an act of another authority or official that is subject to execution under the legislation of the Russian Federation on enforcement proceedings (hereinafter-execution of a judicial act);
  • personal data processing is necessary for the execution of the powers of Federal Executive authorities, bodies of state extra-budgetary funds, and Executive bodies of state power of the subjects of the Russian Federation, local self-government bodies and the functions of organizations participating in providing state and municipal services, respectively, provided by Federal law No. 210 of 27.07.2010 «On the organization of state and municipal services», including registration of the personal data subject on the unified portal of state and municipal services and (or) regional portals of state and municipal services;
  • the processing of personal data is necessary for the professional activity of a journalist and (or) legal activity of the mass media or scientific, literary, or other creative activity, provided that the rights and legitimate interests of the subject of personal data are not violated.

3.2.12. The operator must make sure that a foreign state, to the territory where personal data is supposed to be transferred, adequate protection of the rights of personal data subjects is provided prior to the start of such transfer.

Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:

  • availability of written consent of the personal data subject to the cross-border transfer of their data;
  • execution of a contract to which the party is the subject of personal data.

4.Sources for obtaining Users’ personal data

4.1 The user himself is considered the source of information about all his personal data.

4.2 The source of information about the User’s personal data is the information obtained as a result of the Operator granting the User rights to use the Site.

5.Personal data processing

5.1. Receiving personal data.

5.1.1  The operator processes personal data of the following categories of personal data subjects:

  • individuals who are the Site Users;
  • individuals who have civil-law relations with the Company;

5.1.2 All the personal data Operator receives from the subject itself. If the subject’s personal data can only be obtained from a third party, the subject must be notified of this or consent must be obtained from him.

5.1.3 The operator must inform the subject about the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which the consent is valid, and the procedure for revoking it, as well as the consequences of the subject’s refusal to give written consent to receive them.

5.1.4 Personal data that is allowed to be processed under this Policy is provided by the User (or his representative) by filling out the registration form on the Site and may include the following information:

  • surname, name, patronymic of the User;
  • gender of the user
  • date of birth
  • telephone number, email address;
  • address;
  • the text of the message and (or) any other information forwarding using the feedback form.

5.1.5 The operator protects data that is automatically transmitted

when viewing ad blocks and visiting pages where the «pixel» statistical script is installed.

  • IP address;
  • information from cookies;
  • information about the browser (or any other program which provides access to display advertisements);
  •  access time;
  • address of the page where the ad block is located;
  • referrer (address of the previous page).

5.1.6. Disabling cookies may make it impossible to access parts of the Site that require authorization.

5.1.7. The operator collects statistics about the IP addresses of its users. This information is used to identify and solve technical problems.

5.1.8. Any other personal information not mentioned above (browsers and operating systems used, etc.) is subject to secure storage and non-proliferation, except for the cases provided for in subparagraphs 5.8.2 and 5.8.3 of this Policy.

5.1.9. Documents containing personal data are generated by:

  • receiving copies of documents from the User:
  • entering information in accounting forms;

5.2 Personal data processing 

5.2.1 Processed by the operator:

  • personal data received from the Site user;
  • personal data obtained in the implementation of civil-law relations;

5.2.2 Personal data is processed:

  • with the consent of the personal data subject to the processing of his data;
  • in cases when the processing of personal data is necessary for the performance and fulfillment of the functions, powers, and duties assigned by the legislation of the Russian Federation;
  •  in cases where personal data is processed, access to an unlimited number of persons to whom the subject of personal data is provided, or at his request (hereinafter – personal data made publicly available by the subject of personal data).
  • The operator independently manages the processing of the User’s personal data
  • The operator may assign the processing of personal data to another person if the following conditions are met:
  • the subject’s consent has been obtained to entrust the processing of personal data to another person;
  • the order for processing of personal data is carried out based on the contract concluded with this person.

5.3 Purposes of personal data processing:

5.3.1 The operator processes personal data for the following purposes:

  • user identification;
  • establishing feedback with the User, including sending notifications and requests related to the use of the Site, as well as processing requests and applications (orders) from the User;
  • fulfillment of contractual obligations;
  • determining the location of the User to ensure security, prevent fraud;
  • confirmation of the accuracy and completeness of personal data provided by users;
  • providing the User with their consent, special offers, pricing information, newsletters, and other information on behalf of the Operator.
  • depersonalization of personal data in order to obtain depersonalized statistical data that is transmitted to a third party for conducting research, performing work, or providing services on behalf of the store.

5.4 Methods and terms of processing personal information

5.4.1 Personal data processing is carried out through mixed processing of personal data (collection, recording, systematization, accumulation, storage, clarification, including updating and change, extracting, using, transferring (distribute), grant access, depersonalization, block, deletion, destruction).

5.4.2 The processing of the User’s personal data is carried out without limitation in any legal way, including in PDIS with or without the use of automation tools.

5.4.3 The Operator informs the User about the loss or disclosure of personal data.

5.4.4 The operator takes the necessary organizational and technical measures to protect the User’s personal information from unauthorized or random access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties.

5.4.5 The operator together with the User takes all the necessary measures to

prevent losses or other negative consequences caused by the loss or disclosure of the User’s personal data.

5.5 The procedure and conditions to store personal data on the site.

5.5.1 Personal data of subjects can be received, processed and stored both on paper and in electronic form.

5.5.2 Personal data that is recorded on paper is stored in locked cabinets or locked rooms with restricted access rights.

5.5.3 Personal data of subjects that are processed using automation tools for different purposes are stored in different folders.

5.5.4 It is not allowed to store and place documents containing personal data in open e-catalogs (file sharing sites) in PDIS.

5.5.5 The storage of personal data in a form that allows you to identify the subject of personal data is carried out no longer than the processing purpose requires, and are subject to destruction when the processing goals are achieved or if it is no longer necessary to achieve them.

5.5.6 Personal data of Users are stored on the Site until the User declares their desire to delete their personal data from the Site.

5.5.7 If data is deleted from the Site at the initiative of one of the parties, namely, the termination of the use of the Site, the User’s personal data is stored in the Operator’s databases for five years in accordance with the legislation of the Russian Federation.

5.5.8 After the specified period, the User’s personal data is deleted automatically by the specified algorithm, which is set by the Operator.

5.6 Blocking of personal data

5.6.1 Blocking of personal data is understood as temporary termination by the Operator of operations on their processing at the request of the User if they detect the inaccuracy of the processed information or illegal actions in the opinion of the personal data subject concerning their data.

5.6.2 Blocking of personal data on the Site is carried out based on a written Declaration from the subject of personal data.

5.7 Personal data destruction

5.7.1 Destruction of personal data refers to actions that make it impossible to restore the content of personal data on the Site and/or as a result of which the material carriers of personal data are destroyed.

5.7.2 The personal data subject has the right to request the destruction of their personal data in a written form if the personal data is incomplete, outdated, unreliable, illegally obtained, or is not necessary for the stated purpose of processing.

5.7.3 If it is not possible to destroy personal data, the Operator will block them.

5.7.4 Destruction of personal data is carried out by erasing information using certified software with guaranteed destruction (in accordance with the specified characteristics for the installed software with guaranteed destruction).

5.7.5 Destruction of documents (media) containing personal data is performed by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass, or powder. To destroy paper documents, you can use a schroeder.

5.7.8 The fact of the destruction of personal data is documented by the act of destruction of media.

5.8 Transfer of personal data

5.8.1 The operator transfers personal data to third parties in the following cases:

  • the subject has expressed its approval; to such actions;
  • the transfer is provided for by Russian or other applicable law in accordance with the procedure established by law.

5.8.2 The user agrees that the Operator has the right to transfer personal data to third parties solely to process the User’s request made on the Site.

5.8.3 The user’s personal data may be transferred to the authorized state bodies of the Russian Federation only on the grounds and in accordance with the procedure established by the legislation of the Russian Federation.

6.Consent of the personal data subject to process personal data.

6.1 The user, by providing their consent to the processing of personal data when registering on the Site, when placing an order or when sending messages via the feedback form, agrees to this Policy and its application in the processing of personal data.

6.2 The user has the right to revoke the previously given consent to the processing of personal data at any time by sending a corresponding application to the Operator at: 5/2 apt. 12 Pogorel’skiy lane, Moscow 119017.

6.3 The operator has the right to continue personal data processing without the consent of the personal data subject if there are grounds provided for by Federal law No. 152 (e.g. for the full performance of obligations).

6.4 User’s consent to the processing of personal data given on the Site, is equivalent to written consent, as defined in part 4 of article 9 of Federal law No. 152

6.5 The user takes the decision on granting his / her personal data and gives consent to their processing and to his interest. Consent to the processing of personal data may be given by the personal data subject or its representative in any form that allows it to confirm the fact of its receipt unless otherwise established by Federal law No. 152

6.6 The consent given on the Site is valid until the Operator reaches the goal of processing personal data.

6.7 The user agrees that the Operator may transfer the User’s personal data to its service providers and agents in order to achieve the above purpose. This will be done confidentially and only to the extent permitted by the legislation of the Russian Federation on personal data and advertising. These service providers and agents may, without limitation, by any third parties involved in providing services to customers, processing payments, delivering goods, verifying the identity or detecting fraud, hosting, or supporting the Site.

7.Rights of personal data subjects (Users)

7.1 The subject of personal data has the right to receive information about the processing of his personal data in the manner and within the time limits provided for by Federal law No. 152.

7.2 The rights of a personal data subject to access their personal data may be restricted in accordance with Federal law No. 152.

7.3 The user has the right to receive information about the Operator, its location, and whether the Operator has personal data related to

a specific personal data subject (User), as well as to get acquainted with such personal data, except for the cases stipulated by part 8 of article 14 of the Federal law «On personal data».

7.4 The personal data subject has the right to demand from the Organization to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as take measures provided for by Federal law No. 152-Fed. Law to protect their rights;

7.5 The user has the right to receive a personal request from the Operator or a written request from the Operator (sent to the following email address: info@bernes.ru) from the User of the following information related to the processing of their personal data, including:

  • confirmation the fact of personal data processing by the Operator, as well as the purpose of such processing;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Operator;

name and location of the Operator, information about persons

  • (except for employees of the operator) who have access to personal data or to whom personal data may be disclosed under a contract with the Operator or under Federal law No. 152.
  • processed personal data relating to the relevant personal data subject, the source of their receipt, unless otherwise provided for by Federal law No. 152.
  • terms of personal data processing, including the terms of their storage;
  • the procedure of the exercise by a personal data subject of the rights provided for by Federal law;
  • information about cross-border data transfers that have taken place or are expected to take place;
  • name or surname, first name, patronymic, and address of the person who processes personal data on behalf of the Operator, if the processing is entrusted or will be entrusted to such person;
  • other information provided by Federal law or other Federal laws;

7.6 The user has the right to appeal to the authorized body

to protect the rights of personal data subjects or in court actions or omissions of the operator if it believes that he processes its personal data in violation of the requirements of the Federal law «on personal data» or otherwise violates its rights and freedom.

7.7 The user of personal data has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.

8.The system of personal data protection

8.1 When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their acceptance to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions concerning personal data.

8.2 Ensuring the security of personal data is achieved, in particular:

  • detecting threats to the security of personal data during personal data processing in information systems;
  • implementation of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems that are necessary to meet the requirements for personal data protection;
  • using informational security tools that have passed the compliance assessment procedure in accordance with the established procedure;
  • evaluating the effectiveness of measures taken to ensure the security of personal data prior to commissioning of the personal data information system;
  • taking into account machine-based personal data carriers;
  • detection the unauthorized access to personal data and taking measures;
  • recovery of personal data that are modified or destroyed due to unauthorized access to them;
  • setting rules for access to personal data that are processed in the informational system of personal data as well as ensuring registration and accounting of all actions performed with personal data in the information system;
  • control over the measures taken to ensure the security of personal data and the level of protection of personal data informational systems.

8.3 For the purposes of this Policy, threats to the security of personal data are defined as a set of conditions and factors that create a risk of unauthorized, including accidental, access to personal data, which can result to the destruction, modification, blocking, copying, provision, distribution of personal data, as well as other illegal actions during their processing in the personal data information system.

The level of personal data protection is a complex indicator that describes the requirements that ensure the neutralization of certain threats to the security of personal data during their processing in the personal data information system.

8.4 The protected information about the subject of personal data on the Site includes data that allows you to identify the subject of personal data and/or obtain additional information about it, as provided by law and this Policy.

8.5 Protected personal data items on the Site include:

  • objects of informatization and technical means of automated processing of information containing personal data;
  • information resources (databases, files, etc.) containing data about information and telecommunications systems that distribute personal data, events that occurred with the managed entity, business continuity plans, and procedures for transition to emergency management;
  • channel networks that are used to transmit personal data in the form of informative electrical signals and physical fields;
  • removable media of information on the magnetic, magneto-optical, or other basis used for the processing of personal data.

8.6 Technological information about informational systems

and elements of the personal data protection system that are subject to protection include:

  • information about the access control system for information objects where personal data is processed;
  • controlling information (configuration files, routing tables, security settings, etc.);
  • technological information of access means to control systems (authentication information, access keys, and attributes, etc.);
  • characteristics of network channels that are used for transmitting personal data in the form of informative electrical signals and physical fields;
  • service data (metadata) that appears during the operation of software, messages, and inter-network communication protocols, as a result of personal data processing.

8.7 The personal data protection system must comply with the requirements of the decree of the Russian Federation Government dated 01.11.2012 No. 1119 «On approval of requirements for the protection of personal data during their processing in personal data information systems».

8.8 The personal data protection system must provide:

  • timely detection and prevention of unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;
  • preventing the impact on the technical means of automated personal data processing, which may result to the disruption of their functioning.
  • the ability to immediately restore personal data that has been modified or destroyed due to unauthorized access to it;
  • constant monitoring of the level of personal data protection.

8.9 Security tools for information used in informational systems must pass the conformity assessment procedure in accordance with the established procedure.

8.10 Methods and means of information protection in personal data informational systems.

8.11 Methods and means of information protection in the Operator’s personal data informational systems must meet the requirements:

  • order of the FSTEC of the Russian Federation dated 18.02.2013 No. 21 » on approval of the Composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems»;
  • the order of FSB of Russia dated 10.07.2014 № 378 «About the statement of Structure and content of organizational and technical measures for ensuring personal data security during their processing in informational systems of personal data using the means of cryptographic protection of information necessary to comply with Russian Government requirements for the protection of personal data for each of the levels of security» (in the case of determining an Operator having the use of cryptographic protection of information to ensure the security of personal data).

8.12 The main methods and means of information protection in informational systems of Users ‘ personal data, are methods and means of protecting information from unauthorized, including accidental, access to personal data, which may result in destruction, modification, blocking, copying, distribution of personal data, as well as other unauthorized actions (hereinafter – methods and methods of protecting information from unauthorized access).

8.13 The selection and implementation of methods and means for protecting information on the Site are carried out in accordance with the recommendations of the information protection regulators – the FSTEC of Russia and the FSB of Russia, taking into account the threats to personal data security determined by the Operator and depending on the information system class.

8.14 The chosen and implemented methods and means for protecting information on the Site should ensure the neutralization of alleged threats to the security of personal data during their processing.

8.15 Measures taken by the Operator to protect databases containing personal data should include:

  • determining the list of information constituting personal data;
  • restricting access to information containing personal data by establishing procedures for handling this information and monitoring compliance with such procedures.

8.16 Measures to protect the confidentiality of information are considered reasonably sufficient if:

  • access to personal data of any third parties without the Operator’s consent is excluded;
  • it is possible to use information containing personal data without violating the law about personal data;
  • when working with the User, the Operator’s procedure is established, which ensures the safety of information containing the User’s personal data.

8.17 Personal data may not be used for purposes contrary to the requirements of Federal law No. 152, to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of other persons, to ensure national defense and state security.

9 Obligations of the parties

9.1 The user must:

9.1.1 Provide information about personal data necessary for using the Site.

9.1.2 Update or supplement the provided information about personal data in case of changes to this information.

9.2 Operator must:

9.2.1 Use the received information exclusively for the purposes specified in paragraph 5.3 of this Policy.

9.2.2 Ensure that confidential information is kept confidential and not disclosed without the User’s prior written permission, and not to sell, exchange, publish, or disclose the User’s personal data in any other possible way, except for the cases specified in sub-clauses 5.8.2. and 5.8.3. of this Policy.

9.2.3 Take precautionary measures to protect the confidentiality of the User’s personal data in accordance with the procedure usually used to protect this type of information in existing business transactions.

9.2.4 Block personal data related to the relevant User, from the moment of request or request of the User or his legal representative or authorized body for the protection of the rights of personal data subjects for the period of verification, in case of identification of inaccurate personal data or illegal actions.

9.2.5 Notify the User if personal data was not received from them.

9.2.6 Explain to the User the consequences of refusing to provide personal data to the Operator.

9.2.7 Publish or otherwise provide unrestricted access to the document defining its policy on personal data processing, to information about the implemented requirements for personal data protection; take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions concerning personal data;

9.2.8 Provide responses to User requests and appeals and their representatives, within the period established by Federal law No. 152.

9.2.9 The operator is obliged to inform the User about the purposes, intended sources and methods of obtaining their personal data, the nature of the personal data to be obtained, and the list of actions with personal data, the period during which the consent and the procedure for revoking it are valid, as well as the consequences of the User’s refusal to allow to receive them.

10.Responsibility of parties

10.1 The operator who has not fulfilled its obligations is accountable for losses incurred by the User related to the misuse of personal data, under the legislation of the Russian Federation, except for the cases provided for in sub-clauses 5.8.2., 5.8.3. and 9.2.2. of this Policy.

10.2 In case of loss or disclosure of Confidential information, the Operator is not responsible if this confidential information:

  • became public domain before it was lost or disclosed;
  • received from a third party prior to its receipt by the Operator;
  • disclosed with the User’s consent.

11.Dispute resolution

11.1 Before filing a claim in court for disputes arising from the relationship between the site User and the Operator, it is mandatory to submit a pretension.

11.2 The recipient of the claim within 30 calendar days from the date of receipt of the claim, notifies the declarer of the results of its consideration in a written form.

11.3 If an agreement is not solved, the dispute will be referred to a judicial authority under the current legislation of the Russian Federation.

11.4 This Policy and the relationship between the User

and the Operator applies the legislation of the Russian Federation.

  1. Final provision

12.1 If the legislation of the Russian Federation changes or alterations are made to the regulatory documents on personal data protection, this Policy shall apply to the extent that it does not contradict the law until it is brought into compliance.

12.2 Other rights and obligations of the Operator in connection with the processing of personal data are determined by the legislation of the Russian Federation in the field of personal data.