1.1 For the purposes of this document defining the policy of a limited liability company “vinotekadonquixote.com” with regard to the processing of personal data, the following basic concepts are used:
“Automated processing of Personal data” – Processing of Personal data using computer technology;
“Actual threats to the security of Personal data” – a set of conditions and factors that create an actual risk of unauthorized, including accidental, access to Personal data during their Processing in the Personal data information system, which may result in the Destruction, modification, Blocking, copying, Provision, Distribution of Personal data, as well as other illegal actions;
“Biometric Personal data” – data which characterize physiological and biological features of humans (including human images photo and video), on the basis of which to establish his identity and used by the Society to establish the identity of the data Subject;
“Blocking” – temporary termination of Personal data Processing (except for cases when Personal data Processing is necessary to clarify Personal data);
“Access” means the ability to access and use Personal data;
“Personal data information system” – a set of Personal data contained in databases and information technologies and technical means that ensure their Processing;
“Material carrier” means a paper or machine-readable information carrier (including magnetic and electronic) on which Personal data is recorded and stored;
“Non-automated processing of Personal data” – Processing of Personal data contained in the Personal data information system or extracted from the Personal data information system, if such actions with Personal data as the use, clarification, Dissemination, Destruction of Personal data in relation to each of the Personal data Subjects are carried out with the direct participation of a person;
“Depersonalization” – actions that make it impossible to determine whether Personal data belongs to a specific Personal data Subject without using additional information;
“Depersonalized data” means data that cannot be identified as belonging to a specific Personal data Subject without additional information;
“Personal data processing” or” Processing ” means any action (operation) or a set of actions (operations) performed with Personal data using automation tools or without using such tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, Provision, Access), Depersonalization, Blocking, deletion, Destruction of Personal data;
“Request” means a proposal, application or complaint sent to the Company in writing or in the form of an electronic document, as well as an oral request from a person;
“Public Personal data” – Personal data, Access of an unlimited circle of persons to which is provided by the Personal data Subject or at the request and the Personal information included in public sources of Personal data (reference) with the written consent of the data Subject;
“Company” – limited liability company “vinotekadonquixote.com»;
“Responsible for organizing Processing” – a person appointed by the order to be responsible for organizing the processing of Personal data;
“Personal data” means any information relating directly or indirectly to a specific or identifiable individual (Subject of Personal data);
“Policy” – this Policy of the limited liability company “vinotekadonquixote.com” regarding the processing of personal data of user Subjects Site and App;
“Provision” – actions aimed at disclosure of Personal data to a certain person or a certain group of persons;
“Disclosure” – actions (inaction) that result in Personal data in any possible form (oral, written, or other form, including using technical means) becoming known to third parties in the absence of a legal basis for providing such Personal data to the relevant third parties;
“Disclosure” – providing an opportunity to get acquainted with Personal data processed by the Company;
“Distribution” – actions aimed at disclosure of Personal data to an indefinite circle of persons;
“Site” means the Company’s website located on the Internet at: www.nova-delo.com and its sub-domains;
“Special categories of Personal data” – information related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, criminal record;
“Subject” directly or indirectly identifiable natural person to whom the Personal data refer.;
“Cross-border transfer of Personal data” – transfer of Personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity;
“Destruction” – actions that make it impossible to restore the content of Personal data in the Personal data information system and (or) as a result of which the Material carriers of Personal data are destroyed.
2. GENERAL PROVISIONS
2.1 This Policy defines the purposes, procedure and conditions for Processing Personal data of user Subjects The rights and obligations of Subjects and the Company in connection with the Processing of Personal data collected by the Company through the Site and the Application, as well as the requirements for Personal data protection implemented by the Company.
2.2 the Electronic version of the Policy is available on the Website at www.vinotekadonquixote.com and in the App in the “About” section. The company reserves the right to Update and change the Policy at any time.
2.3 the Policy comes into force from the date of its approval and applies to personal data of Subjects received by the Company through the Website and Application.
3. RIGHTS AND OBLIGATIONS OF THE COMPANY WHEN PROCESSING PERSONAL DATA
3.1 the Company, when Processing Personal data, has the right to:
(a) Process Personal data obtained by the Company in a lawful manner for the purposes set forth in this article. Policies and consents to the Processing of Personal data;
(b) entrust the Processing of Personal data to another person with the consent of the Personal data Subjects on the basis of a contract concluded with this person;
(C) restrict the Personal data Subject’s Access to their Personal data in accordance with Federal laws, including if Access violates the rights and legitimate interests of third parties;
(d) perform other actions with Personal data that do not contradict the legislation of the Russian Federation in the field of Personal data.
3.2 when Processing Personal data the Company performs the following duties:
(a) does not disclose, disclose or distribute Personal data to third parties without the consent of the Personal data Subjects, except in cases where such Disclosure and/or Distribution is permitted or required by Federal laws;
(h) upon request of the data Subject or his representative in statutory terms makes the necessary changes to Personal data if they are incomplete, inaccurate, or irrelevant, or destroys Personal data if in accordance with the provided Subject or his representative of the information Personal information are not necessary for the declared Processing purposes;
(I) inform in writing the recipients of documents, electronic files and other information containing Personal data, about the need to respect the confidentiality of the Personal data received;
4.1 the Company processes personal data of Subjects for the following purposes: (a) providing access to the Site and Application, registration on the Site and in the Application;
(b) getting technical support from the site or App administrator if there are problems with the operation Site or App;
(C) execution of orders, conclusion and execution of contracts with Personal data Subjects;
(d) providing feedback and ensuring communication with the Subjects, including on the issue of order Assembly and delivery;
(e) conducting audits and other internal research to improve the quality of services provided;
(e) sending materials and messages of the relevant trade organization to the Subject, including advertising newsletters, notifications about events and promotions held by the relevant trade organization, and news of the relevant trade organization;
(g) ensuring the protection and security of Personal data, including in the investigation of cyber attacks, fraud and other abuses;
4.2 Processing of Personal data that is not compatible with the stated purposes of Processing is not allowed by the Company.
4.2 the Company Processes Personal data in accordance with the following guidelines::
(a) the company’s Charter;
(b) local acts of the Company regulating the Processing of Personal data;
(C) agreements concluded by the Company with Personal data Subjects;
(d) the consent of the Personal data Subjects to the Processing of their Personal data.
5. THE VOLUME AND CATEGORIES OF PERSONAL DATA PROCESSED BY THE COMPANY. CATEGORIES of PERSONAL DATA
SUBJECTS 7.1 If there are appropriate legal grounds and within the framework of achieving the goals specified in clause 5 of the Policy, the Company Processes the following personal data of Subjects:
(a) surname, first name, patronymic; (b) gender;
(C) postal address;
(d) phone number;
(e) email address;
(f) other Personal data provided by Personal data Subjects.
5.1 the Subject’s Personal data also includes the IP address, type of operating system, type of device (personal computer, mobile phone, tablet), browser type, geographical location, format of filling out a web form, provider – Internet service provider, if the Company can relate this information to a specific Subject.
Yandex. Metrica and other similar services for Analytics and improving the Site’s performance.
5.3 the Company does not process Special categories of personal data of Subjects, as well as Biometric Personal data.
5.4 the Company does not verify the accuracy of the Personal data received.
5.5 In accordance with this How the Company processes Personal data
User subjects Site, according to the list given in clause 7.1 above.
6. PROCEDURE AND CONDITIONS FOR PROCESSING PERSONAL DATA
6.1 Personal data is Processed by the Company in the following ways: (a) non-automated processing of Personal data;
(b) Automated processing of Personal data with or without transmission of the received information via information and telecommunication networks;
(C) mixed Processing of Personal data.
6.2 to achieve the goals Processing and on the basis of the consent of the Personal data Subject, the Company may entrust the Processing of Personal data to third parties. When entering into a contract with a person who Processes Personal data on behalf of the Company, the Company determines the list of actions with Personal data that will be performed by the Processing person, the purposes Of processing Personal data, the obligation of such person to respect the confidentiality of Personal data and ensure the security of Personal data during Processing, as well as requirements for the protection of processed Personal data in accordance with the legislation.
6.3 the Transfer of Personal data to third parties (with the exception of publicly Available Personal data and Depersonalized data) is allowed with the consent Of the subjects of Personal data, except in cases stipulated by the legislation.
6.4 When transferring Personal data to third parties, the Company informs the receiving party in a cover letter or message that the transmitted information contains Personal data that must comply with confidentiality requirements.
6.5 the Company does not perform cross-Border transfer of Personal data on the territory of foreign States that do not provide adequate protection of the rights of personal data subjects.
6.6 the Company takes legal, organizational and technical measures to protect Personal data from unauthorized or accidental Access to it, Destruction, modification, Blocking, copying, Provision, Distribution, as well as from other illegal actions in relation to Personal data. In particular, the Company:
(a) appoint a person Responsible for organizing Processing;
(b) adopt this Policy, as well as local acts on Personal data Processing that establish procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, and eliminating the consequences of such violations;
(C) performs internal control and / or audit of compliance of Personal data Processing with the current legislation of the Russian Federation and local acts of the Company;
(d) organize accounting of Material carriers containing Personal data;
(e) stores Material carriers of Personal data in compliance with the conditions that ensure the safety of Personal data and exclude unauthorized access Access to them;
(e) excludes the transfer of Personal data to third parties in the absence of the consent of the Personal data Subject, except in cases provided for by the legislation of the Russian Federation;
6.7 the Company applies measures to ensure the security of Personal data when Processing Personal data in information systems. These measures include, in particular::
(a) determining the type of Current threats to the security of Personal data applicable to the Company’s Personal data information systems;
(b) application of organizational and technical measures to ensure the security of Personal data when Processing them in Personal data information systems;
(C) if necessary, the use of information security tools that have passed the conformity assessment procedure in accordance with the established procedure;
(d) evaluating the effectiveness of measures taken to ensure the security of Personal data prior to the commissioning of the Personal data information system;
(e) detection of unauthorized Access to Personal data and taking necessary measures;
(e) recovery of Personal data modified or destroyed as a result of unauthorized Access to it;
(g) establishing rules for Access to Personal data processed in the Personal data information system, as well as ensuring registration and accounting of all actions performed with Personal data in the Personal data information system;
(h) monitoring the measures taken to ensure the security of Personal data and the level of security of Personal data information systems;
(I) determining the type (s) of the Company’s Personal data information system;
(K) the definition of categories Personal data processed in the relevant Personal data information system;
(K) determining the categories of Subjects whose Personal data is processed in the Personal data information system;
(m) determining the number of Subjects whose Personal data is processed in the Personal data information system;
(h) implementation of other measures aimed at compliance with the security requirements of the Personal data information system based on the security level requirements applicable to the relevant information system.
7. UPDATING, CORRECTING, DELETING AND DESTROYING PERSONAL DATA
7.1 within a period not exceeding 7 (seven) business days from the date of receipt from the Personal data Subject or his representative of information confirming that the Personal data is incomplete, inaccurate or irrelevant, the Company is obliged to make the necessary changes to them.
7.2 within a period not exceeding 7 (seven) business days from the date of receipt from the Personal data Subject or his representative of information confirming that his Personal data is illegally obtained or is not necessary for the stated purpose of Processing, the Company is obliged to destroy such Personal data.
7.3 the Information specified in clauses 9.1 and 9.2 is considered to be received from the Personal data Subject or his representative if it is provided in the form of a hard copy letter signed by the Personal data Subject or his representative, or sent from the email address specified by the Personal data Subject or his representative when registering on the Site.
7.4 the Company is obliged to notify the Personal data Subject or its representative of the changes made and measures taken in accordance with clauses 9.1 and 9.2 above, and to take reasonable measures to notify third parties to whom the Personal data of this Personal data Subject has been transferred.
7.5 when goals are achieved Processing of Personal data, as well as if the Subject of Personal data withdraws consent to their Processing within a period not exceeding 30 days, the Company destroys Personal data, except in cases where:
(a) otherwise provided for in the agreement to which the Personal data Subject is a party, beneficiary or guarantor;
(b) the Company has the right to Process personal data without the consent of The Subject on the grounds provided for by the Federal law “on personal data” or other Federal laws;
(C) otherwise provided by another agreement between the Company and the Personal data Subject.
7.6 the Company is obliged to inform the Personal data Subject or his representative upon his Request about the availability of Personal data related to this Subject and about the Processing of Personal data of the Personal data Subject carried out by the Company.
7.7 the Company stops Processing personal data or ensures the termination of Such Processing (if the Processing is carried out by another person acting on behalf of the Company) and destroys Personal data or ensures their Destruction (if the Processing is carried out by another person acting on behalf of the Company) in the cases and within the time limits established by the legislation of the Russian Federation.
8. CONSIDERATION OF REQUESTS AND REQUESTS FROM PERSONAL DATA SUBJECTS OR THEIR REPRESENTATIVES
8.1 the Company shall provide a Response to the Request or request upon receipt of the relevant Request or request or within 30 days from the date of receipt.
8.2 In case the mentioned information, as well as processed Personal data were provided for review to the Personal data Subject on his request, the data Subject shall have the right to re-apply to the Society or to send a second request to obtain the information and acquaintance with such Personal data not earlier than 30 days after the initial Treatment or the initial request, unless a shorter period is not set by a Federal law adopted in accordance with it normative legal act or contract, a party to which the Personal data Subject is a beneficiary or guarantor.
8.3 the Personal data Subject has the right to re-apply to the Company or send a repeated request in order to obtain the specified information, as well as to get acquainted with the processed Personal data before the expiration of the 30-day period, if such information and (or) the processed Personal data were not provided to him for review in full as a result of consideration of the initial Request. The repeated request must contain a justification for sending the repeated request.
8.4 the Company has the right to refuse the personal data Subject to fulfill a repeated request that does not meet the above conditions. Such refusal must be motivated.
8.5 Employees of the Company who are guilty of violating the procedure for processing and protecting Personal data are liable under the legislation of the Russian Federation and local acts of the Company.