1. GENERAL PROVISIONS
The personal data processing policy (hereinafter referred to as the Policy) was developed in accordance with the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” (hereinafter – FZ-152).
This Policy defines the procedure for processing personal data and measures to ensure the security of personal data at 7club LLC (hereinafter – Operator) to protect the rights and freedoms of individuals in the processing of their personal data, including the protection of privacy rights, personal and family secrets.
The following key concepts are used in the Policy:
Automated processing of personal data – processing of personal data using computer technology;
Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data);
Personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing;
Anonymization of personal data – actions that make it impossible to attribute personal data to a specific personal data subject without the use of additional information;
Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, destruction of personal data;
Operator – a state body, municipal body, legal entity or individual that organizes and (or) carries out the processing of personal data independently or together with other persons, and that determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;
Personal data – any information related directly or indirectly to an identified or identifiable individual (personal data subject);
Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including publishing personal data in the media, posting in information and telecommunication networks, or providing access to personal data in any other way;
Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity;
Destruction of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the physical carriers of personal data are destroyed.
The company is obliged to publish or otherwise ensure unlimited access to this Policy for the processing of personal data in accordance with part 2 of article 18.1 of FZ-152.
2. PRINCIPLES AND CONDITIONS OF PERSONAL DATA PROCESSING
2.1 Principles of personal data processing
The processing of personal data by the Operator is carried out based on the following principles:
Legality and fair basis;
Limitation of personal data processing to achieve specific, predefined, and legal objectives;
Prevention of processing personal data incompatible with the purposes of data collection;
Prevention of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
Processing only the personal data that corresponds to the purposes of their processing;
Correspondence of the content and volume of the personal data processed to the stated purposes of processing;
Prevention of the processing of personal data that is excessive in relation to the stated purposes of their processing;
Ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes of their processing;
Destruction or anonymization of personal data after achieving their purposes or when it is no longer necessary to achieve these purposes, unless the Operator is legally obliged to keep the personal data longer.
2.2 Conditions of personal data processing
The Operator processes personal data when at least one of the following conditions is met:
The processing of personal data is carried out with the consent of the personal data subject to the processing of their personal data;
The processing of personal data is necessary to achieve the objectives stipulated by an international treaty of the Federation or by law, to carry out and fulfill the functions, powers, and duties imposed on the Operator by the legislation of the Federation;
The processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official to be executed in accordance with the legislation of the Federation on enforcement proceedings;
The processing of personal data is necessary for the execution of a contract to which the personal data subject is a party, beneficiary, or guarantor, or to conclude a contract at the request of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
The processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties, or to achieve socially significant purposes, provided that this does not violate the rights and freedoms of the personal data subject;
Processing of personal data that has been made publicly available by the personal data subject or at their request (publicly available personal data);
Processing of personal data that must be published or disclosed in accordance with federal law.
2.3 Confidentiality of personal data
The Operator and other persons who have access to personal data must not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
2.4 Public sources of personal data
For information purposes, the Operator may create public sources of personal data of the subjects, including directories and address books. With the written consent of the subject, their last name, first name, patronymic, date and place of birth, position, contact phone numbers, email address, and other personal data provided by the personal data subject may be included in public sources of personal data.
Information about the subject must be excluded from public sources of personal data at any time at the request of the subject or by decision of the court or other authorized state bodies.
2.5 Special categories of personal data
The Operator may process special categories of personal data related to race, nationality, political opinions, religious or philosophical beliefs, health, intimate life, in the following cases:
The personal data subject has given written consent to the processing of their personal data;
The personal data has been made public by the personal data subject;
The processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, the legislation of the Federation on state pensions, on labor pensions;
The processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject or other persons, and it is impossible to obtain the consent of the personal data subject;
The processing of personal data is carried out for medical prevention, medical diagnosis, provision of medical and social services, provided that the processing is carried out by a person professionally engaged in medical activities and obliged to maintain medical secrecy in accordance with the legislation of the Federation;
The processing of personal data is necessary to establish or exercise the rights of the personal data subject or third parties, or in connection with the administration of justice;
The processing of personal data is carried out in accordance with the legislation on mandatory types of insurance, with the insurance legislation.
The processing of special categories of personal data must be immediately stopped if the reasons for their processing are eliminated, unless otherwise provided by federal law.
The processing of personal data on criminal records may be carried out by the Operator only in cases and in the manner determined in accordance with federal laws.
2.6 Biometric personal data
Information that characterizes the physiological and biological characteristics of a person, based on which their identity can be established – biometric personal data – may be processed by the Operator only with the written consent of the subject.
2.7 Delegation of personal data processing to another person
The Operator has the right to delegate the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with this person. The person processing personal data on behalf of the Operator must comply with the principles and rules of personal data processing established by FZ-152.
2.8 Cross-border transfer of personal data
The Operator must ensure that the foreign state to which it is intended to transfer personal data provides adequate protection of the rights of personal data subjects before starting such transfer.
The cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:
Existence of written consent of the personal data subject for the cross-border transfer of their personal data;
Execution of a contract to which the personal data subject is a party.
3. RIGHTS OF THE PERSONAL DATA SUBJECT
3.1 Consent of the personal data subject to the processing of their personal data
The personal data subject decides to provide their personal data and gives consent to their processing freely, of their own will, and in their own interest. The consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows confirming the fact of its receipt, unless otherwise provided by federal law.
The obligation to provide proof of obtaining the consent of the personal data subject to the processing of their personal data or proof of the existence of the grounds mentioned in FZ-152 lies with the Operator.
3.2 Rights of the personal data subject
The personal data subject has the right to obtain information from the Operator regarding the processing of their personal data, unless this right is limited in accordance with federal laws. The personal data subject has the right to demand from the Operator the correction of their personal data, its blocking or destruction if the personal data is incomplete, outdated, inaccurate, obtained illegally, or is not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.
The processing of personal data for the promotion of goods, works, and services in the market through direct contacts with a potential consumer using communication means, as well as for political agitation, is allowed only with the prior consent of the personal data subject. Such processing of personal data is considered to be carried out without the prior consent of the personal data subject unless the company proves that such consent was obtained.
The Operator must immediately cease the processing of personal data of the subject for the above purposes at the request of the personal data subject.
It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences for the personal data subject or otherwise affect their rights and legitimate interests, except in cases provided by federal laws or with the written consent of the personal data subject.
If the personal data subject believes that the Operator is processing their personal data in violation of the requirements of FZ-152 or otherwise violating their rights and freedoms, the personal data subject has the right to appeal against the actions or inaction of the Operator to the Competent Authority for the Protection of the Rights of Personal Data Subjects or in court.
The personal data subject has the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
4. ENSURING THE SECURITY OF PERSONAL DATA
The security of personal data processed by the Operator is ensured by the implementation of necessary legal, organizational, and technical measures to comply with the requirements of federal legislation on the protection of personal data.
To prevent unauthorized access to personal data, the Operator applies the following organizational and technical measures:
Appointment of officials responsible for the organization of processing and protection of personal data;
Limitation of the number of persons with access to personal data;
Familiarization of subjects with the requirements of federal legislation and regulatory documents of the Operator on the processing and protection of personal data;
Organization of accounting, storage, and handling of information media;
Identification of threats to the security of personal data during its processing and formation of threat models based on them;
Development of a personal data protection system based on the threat model;
Verification of readiness and effectiveness of the use of personal data protection means;
Differentiation of user access to information resources and software and hardware tools for information processing;
Registration and accounting of user actions in personal data information systems;
Use of antivirus tools and recovery of personal data protection system tools;
Application of firewalls, intrusion detection, security analysis, and cryptographic information protection tools, as necessary;
Organization of access control to the Operator’s premises and protection of premises with technical means for personal data processing.
5. FINAL PROVISIONS
Other rights and obligations of the Operator, as a personal data operator, are determined by the legislation of the Federation in the field of personal data.
Employees of the Operator who violate the rules regulating the processing and protection of personal data bear material, disciplinary, administrative, civil, or criminal liability, as established by federal laws.