COMPANY POLICY ON THE PROCESSING OF PERSONAL DATA
GENERAL PROVISIONS
The policy for the processing of personal data (hereinafter referred to as the Policy) has been developed in accordance with the Federal Law of 27.07.2006. No. 152-FZ “On Personal Data” (hereinafter – FZ-152).
This Policy defines the procedure for processing personal data and measures to ensure the security of personal data at 7club LLC (hereinafter referred to as the Operator) in order to protect the rights and freedoms of individuals when processing their personal data, including the rights to privacy, personal and family secrets.
The following main concepts are used in the Policy:
automated processing of personal data – processing of personal data using computer technology;
blocking of personal data – temporary suspension of processing personal data (except in cases where processing is necessary for the clarification of personal data);
personal data information system – a set of personal data contained in databases, and information technologies and technical means that ensure their processing;
anonymization of personal data – actions that make it impossible to determine without additional information the belonging of personal data to a specific personal data subject;
processing of personal data – any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;
operator – a state body, municipal body, legal or physical person, independently or together with other persons organizing and (or) performing the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
personal data – any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;
distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons (transfer of personal data) or familiarizing an unlimited number of persons with personal data, including the publication of personal data in mass media, placement in information and telecommunication networks, or providing access to personal data in any other way;
cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, foreign physical or foreign legal entity.
destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the physical carriers of personal data are destroyed;
The Company is obliged to publish or otherwise provide unrestricted access to this Policy for processing personal data in accordance with part 2 of Art. 18.1 of the FZ-152.
2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSIN
2.1 Principles of personal data processing
The processing of personal data by the Operator is based on the following principles:
legality and fair basis;
limitation of processing personal data to achieving specific, predefined, and lawful objectives;
preventing the processing of personal data that is incompatible with the purposes of collecting personal data;
preventing the merging of databases containing personal data, the processing of which is carried out for incompatible purposes;
processing only those personal data that meet the objectives of their processing;
ensuring the content and volume of the processed personal data correspond to the declared processing objectives;
preventing the processing of personal data that is excessive in relation to the declared objectives of their processing;
ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes of processing personal data;
destruction or anonymization of personal data upon achieving the objectives of their processing or in case of the loss of the need to achieve these objectives, if the Operator cannot eliminate violations of personal data, unless otherwise provided by federal law.
2.2 Conditions for processing personal data
The Operator processes personal data when at least one of the following conditions is met:
processing of personal data is carried out with the consent of the personal data subject for processing his or her personal data;
processing of personal data is necessary for achieving the purposes stipulated by an international treaty of the Federation or by law, for the performance and fulfillment of functions, powers, and duties imposed on the operator by the legislation of the Federation;
processing of personal data is necessary for the administration of justice, execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Federation on enforcement proceedings;
processing of personal data is necessary for the execution of a contract, of which the personal data subject is a party, beneficiary, or guarantor, as well as for concluding a contract at the initiative of the personal data subject or a contract under which the personal data subject will be the beneficiary or guarantor;
processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties, or for achieving socially significant objectives, provided that the rights and freedoms of the personal data subject are not violated;
processing of personal data is carried out, access to which is provided to an unlimited number of persons by the personal data subject or at his or her request (hereinafter – publicly available personal data);
processing of personal data that must be published or disclosed in accordance with federal law.
2.3 Confidentiality of personal data
The Operator and other persons who have gained access to personal data must not disclose personal data to third parties and not distribute personal data without the consent of the personal data subject, unless otherwise provided by federal law.
2.4 Public sources of personal data
For informational purposes, the Operator may create public sources of personal data subjects, including directories and address books. With the written consent of the subject, his or her surname, first name, patronymic, date and place of birth, position, contact phone numbers, email address, and other personal data reported by the personal data subject may be included in public sources of personal data.
Information about the subject must be excluded from public sources of personal data at any time at the request of the subject or by the decision of a court or other authorized state bodies.
2.5 Special categories of personal data
The Operator may process special categories of personal data concerning racial, national origin, political opinions, religious or philosophical beliefs, health status, intimate life in cases if:
the personal data subject has given written consent to the processing of his or her personal data;
personal data have been made public by the personal data subject;
processing of personal data is carried out in accordance with legislation on state social assistance, labor legislation, legislation of the Federation on pensions for state pension provision, on labor pensions;
processing of personal data is necessary for the protection of life, health, or other vital interests of the personal data subject or the life, health, or other vital interests of other persons, and obtaining consent of the personal data subject is impossible;
processing of personal data is carried out for medical-preventive purposes, for establishing a medical diagnosis, providing medical and medical-social services, provided that the processing of personal data is carried out by a person professionally engaged in medical activities and obligated to maintain medical secrecy in accordance with the legislation of the Federation;
processing of personal data is necessary for establishing or exercising the rights of the personal data subject or third parties, as well as in connection with the administration of justice;
processing of personal data is carried out in accordance with legislation on mandatory types of insurance, with insurance legislation.
Processing of special categories of personal data must be immediately terminated if the reasons for their processing are eliminated unless otherwise established by federal law.
Processing of personal data on criminal convictions may be carried out by the Operator exclusively in cases and in the manner determined in accordance with federal laws.
2.6 Biometric personal data
Information characterizing physiological and biological features of a person, based on which his or her identity can be established – biometric personal data – may be processed by the Operator only with the written consent of the subject.
2.7 Entrusting the processing of personal data to another person
The Operator is entitled to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of processing personal data provided by FZ-152.
2.8 Cross-border transfer of personal data
The Operator must ensure that the foreign state, to the territory of which it is intended to transfer personal data, provides adequate protection of the rights of personal data subjects before starting such a transfer.
Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in cases:
of the existence of written consent of the personal data subject for the cross-border transfer of his or her personal data;
execution of a contract, of which the personal data subject is a party.
3. RIGHTS OF THE PERSONAL DATA SUBJECT
3.1 Consent of the personal data subject to the processing of his or her personal data
The personal data subject decides to provide his or her personal data and gives consent to their processing freely, by his or her own will and in his or her interest. Consent to the processing of personal data can be given by the personal data subject or his or her representative in any form that allows confirming the fact of its receipt, unless otherwise established by federal law.
The obligation to provide proof of obtaining consent from the personal data subject for the processing of his or her personal data or proof of the existence of grounds specified in FZ-152 rests with the Operator.
3.2 Rights of the personal data subject
The personal data subject has the right to receive information from the Operator concerning the processing of his or her personal data, unless such a right is limited in accordance with federal laws. The personal data subject has the right to demand from the Operator the clarification of his or her personal data, their blocking or destruction in the case that the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or are not necessary for the declared purpose of processing, as well as to take legally provided measures to protect his or her rights.
The processing of personal data for the purposes of promoting goods, works, services in the market by making direct contacts with a potential consumer using communication means, as well as for political agitation, is allowed only with the prior consent of the personal data subject. Such processing of personal data is considered to be carried out without the prior consent of the personal data subject, if the Company cannot prove that such consent was obtained.
The Operator is obliged to immediately stop processing the personal data of the subject for the above-mentioned purposes at the request of the personal data subject.
It is prohibited to make decisions based solely on the automated processing of personal data that produce legal consequences for the personal data subject or otherwise affect his or her rights and legitimate interests, except in cases provided by federal laws, or with the written consent of the personal data subject.
If the personal data subject believes that the Operator processes his or her personal data in violation of the requirements of FZ-152 or otherwise violates his or her rights and freedoms, the personal data subject is entitled to appeal the actions or inaction of the Operator to the Authorized Body for the Protection of the Rights of Personal Data Subjects or in court.
The personal data subject has the right to protect his or her rights and legitimate interests, including compensation for losses and (or) compensation for moral harm in court.
4. ENSURING THE SECURITY OF PERSONAL DATA
The security of personal data processed by the Operator is ensured by implementing legal, organizational, and technical measures necessary to meet the requirements of federal legislation in the field of personal data protection.
To prevent unauthorized access to personal data, the Operator applies the following organizational and technical measures:
appointment of officials responsible for organizing the processing and protection of personal data;
limiting the number of people who have access to personal data;
familiarizing subjects with the requirements of federal legislation and regulatory documents of the Operator for processing and protecting personal data;
organizing the accounting, storage, and handling of information carriers;
identifying threats to the security of personal data during their processing and forming threat models based on them;
developing a personal data protection system based on the threat model;
checking the readiness and effectiveness of using information protection means;
differentiating user access to information resources and software-hardware means of information processing;
registering and accounting for the actions of users of personal data information systems;
using antivirus tools and means of restoring the personal data protection system;
applying, when necessary, means of network screening, intrusion detection, security analysis, and cryptographic information protection;
organizing access control to the Operator’s territory, protecting premises with technical means of processing personal data.
5. FINAL PROVISIONS
Other rights and obligations of the Operator, as an operator of personal data, are determined by the legislation of the Federation in the field of personal data.
Officials of the Operator, guilty of violating the norms regulating the processing and protection of personal data, bear material, disciplinary, administrative, civil-legal, or criminal liability in the manner established by federal laws.