Data protection and processing policy
- GENERAL PROVISIONS.
1.1. This Privacy Policy of Ayubooking Limited Liability Company (hereinafter referred to as the «Policy») has been developed in accordance with the requirements of clause 2, part 1, article 18.1 of Federal Law No. 152-FZ of 27.07.2006 «On Personal Data» (hereinafter referred to as the «Personal Data Law») in order to ensure the protection of human and civil rights and freedoms when processing their personal data, including protection of the right to privacy and secrecy of private and family life.
1.2. This policy applies to all personal data processed by Ayubooking Limited Liability Company (hereinafter referred to as the «Operator»), which the Operator may receive from the data subject (participant or other customer) who is a party to contractual relations related to the sale of a product and the provision of services included in the product, as well as from the data subject who is employed by the Operator under employment contracts (hereinafter referred to as the «Employee»).
1.3. The policy applies to personal data processing relationships that have arisen for the Operator both before and after the approval of this Policy.
1.4. In fulfilment of the requirements of Part 2 of Article 18.1 of the Personal Data Act, this Policy is published in the public domain on the Internet information and telecommunications network on the website: https://panchakarma.club/ (hereinafter referred to as the «Site») at the following link: https://panchakarma.club/politika-v-otnoshenii-obrabotki-personalnyh-dannyh-klientov-i-polzovatelej-sajta/.
1.5. The Operator does not verify the accuracy of Personal Data received from the Data Subject.
1.6. The Operator shall ensure the protection of personal data being processed against unauthorised access and disclosure, unlawful use, or loss, in accordance with the requirements of Federal Law No. 152-FZ «On Personal Data» of 27 July 2006.
1.7. The user agrees to this Policy by providing consent for the processing of personal data:
1.7.1. by pressing the «Go to chat» button when switching to a chat in WhatsApp with +7 958 111-08-33;
OR
by clicking the «Submit» or «Book» button in special widgets.
- TERMS AND ACCEPTED ABBREVIATIONS.
2.1. For the purposes of applying and interpreting this Policy, the main terms defined below shall be used (unless otherwise expressly stated in the Policy). In the text of the Policy, these terms may be written with a capital or lowercase letter, in the singular or plural, or in abbreviated form.
2.1.1. Personal data – any information relating directly or indirectly to an identified or identifiable natural person (Data Subject);
2.1.2. The Personal Data Operator – Ayubooking LLC (address: 121352, Russian Federation, Moscow, Slavyansky Boulevard 9/6 – 44, TIN/KPP 9731005392 / 773101001, OGRN 1187746639453) is the owner of the Site and, independently or jointly with other persons, organises and/or carries out the processing of Personal Data, and also determines the purposes of processing Personal Data, the composition of Personal Data subject to processing, and the actions (operations) performed with Personal Data;
2.1.3. Data Subject – an individual whose Personal Data is processed by the Operator or a third party on behalf of the Operator;
2.1.4. Processing of personal data – any act (operation) or set of acts (operations) performed with personal data, with or without the use of automation. Processing of personal data includes, but is not limited to:
2.1.4.1. collection;
2.1.4.2. recording;
2.1.4.3. systematisation;
2.1.4.4. accumulation;
2.1.4.5. storage;
2.1.4.6. clarification (update, amendment);
2.1.4.7. extraction;
2.1.4.8. use;
2.1.4.9. transfer (provision to a limited group of persons; access by a limited group of persons);
2.1.4.10. anonymisation;
2.1.4.11. blocking;
2.1.4.12. deletion;
2.1.4.13. destruction.
2.1.5. Storage of personal data – a process involving the retention of Personal Data in a systematised form at the Operator's disposal.
2.1.6. Personal Data Collection - a directed process of obtaining Personal Data by the Operator directly from the Subjects.
2.1.7. Automated processing of personal data - the processing of personal data using computer facilities;
2.1.8. Non-automated processing of personal data – the processing of personal data contained in a personal data information system, or extracted from such a system, is considered to be carried out without the use of automation tools (non-automated) if actions with personal data, such as the use, clarification, distribution, and destruction of personal data in relation to each Data Subject, are carried out with the direct participation of a person;
2.1.9. Mixed processing of personal data — processing by a human with the involvement of computing facilities;
2.1.10. Personal data disclosure means actions aimed at disclosing personal data to a specific person or a specific group of persons;
2.1.11. Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary for the clarification of personal data);
2.1.12. Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material carriers of personal data are destroyed;
2.1.13. Depersonalisation of personal data – actions as a result of which it becomes impossible, without the use of additional information, to determine that personal data relates to a specific Data Subject;
2.1.14. Personal Data Information System (hereinafter referred to as «PDIS») - a set of personal data contained in databases and ensuring their processing using information technologies and technical means.
2.1.15. Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state to a foreign government authority, a foreign individual or a foreign legal entity.
2.1.16. Customer (including participant) - an individual who is legally capable and has reached the age of 18, a legal entity that has approached LLC «Ayubooking» with the aim of acquiring a product and/or additional service, for themselves and participants, acting on behalf of the latter. Participant - the customer and/or persons in respect of whom the contract is concluded, who are using or intend to use the services.
2.1.17. Service, Product – a service, a collection of services for organising a health and wellness programme, Ayurvedic procedures, provided by Ayubooking LLC.
- TERMS OF PERSONAL DATA PROCESSING
3.1. The Operator processes the Subject's Personal Data using automated means or otherwise for the periods necessary to achieve the processing purposes. The condition for the Operator to cease processing Subjects' Personal Data may be the achievement of their processing purposes, the withdrawal of the Subject's consent to the processing of their Personal Data, the cessation of the Operator's activities (reorganisation or liquidation), the closure of the Website, the termination of the agreement between the Operator and the Subject, the dismissal of an Employee, or the identification of unlawful processing.
3.2. The Operator's policy regarding the processing of Data Subjects' Personal Data is that Personal Data shall only be processed in cases established by law, based on the Operator's main areas of activity, and taking into account the balance of interests between the Operator and the Data Subject. The Operator's processing of Personal Data is carried out taking into account the need to ensure the protection of the Data Subject's rights and freedoms, including the right to privacy and personal and family secrets, based on the following principles:
3.2.1. Processing of Personal Data is carried out by the Operator on a lawful and fair basis;
3.2.2. The processing of Personal Data shall be limited to achieving specific, predetermined and legitimate purposes;
3.2.3. Processing of Personal Data that is incompatible with the purposes for which the Personal Data was collected is not permitted;
3.2.4. Personal data shall only be processed for the purposes for which it is processed;
3.2.5. the content and volume of Personal Data processed correspond to the stated purposes of processing; excess Personal Data processed in relation to the stated purposes of their processing is not permitted;
3.2.6. Personal data shall be stored in a form that permits identification of the Data Subject for no longer than is necessary for the purposes for which the personal data are processed. Processed personal data shall be erased when the purposes for processing have been achieved or when the need to achieve these purposes has been lost, unless otherwise provided by law.
3.3. Personal data shall be processed by the Operator in compliance with the principles and rules set forth in Federal Law 152 «On Personal Data» of 27 July 2006, in the following cases:
3.3.1. with the consent of the data subject to the processing of their personal data;
3.3.2. processing of personal data is necessary for the performance of a contract for the sale of a product, to which the data subject is a party, or for which the data subject is a beneficiary or guarantor;
3.3.3. in cases where the processing of personal data is necessary for the Operator to perform and fulfil the functions, powers and duties assigned by the legislation of the Russian Federation;
3.3.4. processing of personal data is necessary to protect the life, health, or other vital interests of the data subject, where it is impossible to obtain the consent of the data subject.
3.4. The Operator is not entitled to obtain and process the Subject's Personal Data containing information on racial, national origin, political views, religious and philosophical beliefs, or health status, except with the Subject's consent.
3.5. The Operator does not process special categories of Personal Data and biometric data.
3.6. By providing data through the Site, the Site User confirms that they have read this Policy and have given consent to the processing of Personal Data.
3.7. Other categories of Subjects shall familiarise themselves with the Policy when concluding an agreement and providing the Customer's consent.
3.8. The provision of Personal Data of the Subject upon request by state authorities (local self-government bodies) is carried out in the manner prescribed by the legislation of the Russian Federation.
3.9. Control over the implementation of the requirements of this Policy is carried out by an authorised person responsible for the organisation of personal data processing by the Operator.
3.10. Liability for violation of the requirements of the legislation of the Russian Federation by the personal data operator in the sphere of processing and protection shall be determined in accordance with the legislation of the Russian Federation.
3.11. Processing of personal data is only permitted for employees of the Operator whose job duties include the processing of personal data, and for third parties engaged by the Operator.
3.12. Procedure for obtaining personal data:
3.13. Processing of personal data, with the exception of publicly available personal data, shall be carried out by the Operator directly from the Personal Data Subjects, or from persons duly authorised to represent the interests of the Personal Data Subjects when transferring personal data to the Operator. If personal data of a subject can only be obtained from a third party, the subject must be notified of this or consent must be obtained from them.
3.14. The collection of personal data of the Site users is carried out by the Operator when it is entered by the Subject on their own initiative.
3.15. Upon receipt of personal data, the Operator must inform the personal data subject:
3.15.1. regarding the purposes for which the Operator obtains personal data;
3.15.2. concerning the list of personal data requested by the Operator;
3.15.3. concerning the list of actions the Operator intends to perform with personal data;
3.15.4. on the period for which the data subject's consent to the processing of personal data is valid;
3.15.5. on the procedure for withdrawing consent to the processing of personal data;
3.15.6. on the consequences of the personal data subject refusing to provide consent to the Operator to receive and process personal data.
3.16. Documents containing personal data are created by:
3.16.1. making copies of original documents;
3.16.2. entering information into accounting forms;
3.16.3. Obtaining the originals of the necessary documents.
3.17. Personal data processing for each processing purpose specified in sections 5.3 – 5.5 of the Policy is carried out by:
3.17.1. Obtaining personal data in oral, written and electronic form directly from the Data Subjects;
3.17.2. Entry of personal data into the Operator's journals, registers, and information systems;
3.17.3. Use of other methods for processing personal data depending on the personal data processing activity.
- Rights and Responsibilities
4.1. Operator Responsibilities:
4.1.1. To organise the processing of personal data in accordance with the requirements of the Personal Data Law;
4.1.2. To respond to inquiries and requests from data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
4.1.3. To provide the authorised body for the protection of the rights of personal data subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)), upon the request of this body, with the necessary information within 10 working days from the date of receipt of such a request. This period may be extended, but not for more than five working days. To do this, the Operator must send a reasoned notification to Roskomnadzor indicating the reasons for extending the period for providing the requested information;
4.1.4. In the manner determined by the federal executive authority authorised in the field of security, to ensure interaction with the state system for detection, warning and response to attacks on information resources of the Russian Federation, including informing it about computer incidents that have led to the unlawful transfer (provision, distribution, access) of personal data.
4.1.5. In cases where personal data has not been obtained from the data subject, the data subject shall be informed by the Operator of the fact that personal data has been obtained.
4.1.6. In the event of refusal to provide personal data, explain to the subject of personal data the consequences of such refusal.
4.1.7. Publish or otherwise ensure unrestricted access to the document defining the Operator's policy on personal data processing.
4.1.8. Take or ensure the taking of necessary legal, organisational and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, disclosure, dissemination of personal data, and also against any other unlawful actions in relation to personal data.
4.2. The Operator has the right to:
4.2.1. Independently determine the composition and list of measures that are necessary and sufficient to ensure the fulfillment of obligations provided for by the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other Federal Laws;
4.2.2. Instruct another person to process Personal Data. A person processing Personal Data on behalf of the Operator must comply with the principles and rules for processing Personal Data stipulated by the Personal Data Law.
4.2.3. Continue processing Personal Data without the Data Subject's consent, in the event that the Data Subject withdraws consent to the processing of personal data, if there are grounds for doing so as specified in the Personal Data Act.
4.3. The Subject has the right:
4.3.1. To receive information concerning the processing of his personal data, except as provided for by federal laws. The information shall be provided to the data subject by the Operator in an accessible form, and shall not contain personal data relating to other data subjects, unless there are legitimate grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Personal Data Law. The information may contain:
4.3.1.1. Confirmation of the fact of personal data processing by the operator;
4.3.1.2. Legal grounds and purposes for processing personal data;
4.3.1.3. The purposes and methods of processing personal data used by the operator;
4.3.1.4. Name and location of the operator, information about persons (excluding the operator's employees) who have access to personal data or to whom personal data may be disclosed under an agreement with the operator or under federal law;
4.3.1.5. Personal data processed relating to the relevant data subject, the source of their receipt, unless otherwise provided for by federal law for the submission of such data;
4.3.1.6. Periods for processing personal data, including the periods for their storage;
4.3.1.7. The procedure for the personal data subject to exercise the rights provided for by this Federal Law;
4.3.1.8. Information about any cross-border data transfer that has occurred or is envisaged;
4.3.1.9. The name or surname, given name, patronymic, and address of the person processing personal data on behalf of the controller, if the processing is entrusted or will be entrusted to such person;
4.3.1.10. Other information provided for by the Personal Data Act or other federal laws.
4.3.2. To demand from the operator clarification of their personal data, blocking or deletion thereof if the personal data is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing, as well as to take legally provided measures to protect their rights.
4.3.3. To give preliminary consent to the processing of personal data for the purpose of marketing goods, works, and services.
4.3.4. To appeal to Roskomnadzor or to court the unlawful actions or inaction of the Operator in the processing of their personal data.
4.4. Duties of the Subject (participant or customer of the product):
4.4.1. The Customer (participant) is obliged to provide the Company with sufficient, reliable, and documented personal data, the full scope of which is established in the product sales agreements.
4.4.2. Should the Customer (participant) amend their personal details, they are obliged to inform the Agent without undue delay.
- PURPOSES OF PERSONAL DATA PROCESSING, CATEGORIES OF DATA SUBJECTS, CATEGORIES OF PROCESSED PERSONAL DATA AND METHODS OF THEIR PROCESSING.
5.1. The processing of personal data shall be limited to the achievement of specific, predetermined, and lawful purposes. The processing of personal data which is incompatible with the purposes for which personal data is collected shall not be permitted.
5.2. Personal data shall only be processed for the purposes for which they were collected.
5.3. Purpose of personal data processing: Preparation, conclusion and execution of civil law contracts:
Categories of Personal Data Processed:
∙ surname, first name, patronymic;
∙ sex;
∙ year of birth;
∙ month of birth;
∙ date of birth;
∙ place of birth;
∙ email address;
∙ residential address;
∙ registered address;
∙ phone number;
∙ TIN;
∙ Primary State Registration Number of the Individual Entrepreneur;
∙ identity document details;
∙ current account number;
∙ position;
∙ information collected through recommender technologies.
Subject Categories: Counterparties; Counterparty Representatives.
Legal basis for the processing of personal data:
∙ personal data shall be processed with the consent of the data subject to the processing of their personal data;
∙ the processing of personal data is necessary for the performance of a contract, in which the data subject is either a party, a beneficiary or a guarantor, as well as for the conclusion of a contract at the initiative of the data subject or a contract under which the data subject will be a beneficiary or a guarantor. A contract concluded with the data subject must not contain any provisions restricting the rights and freedoms of the data subject.
List of actions for processing Personal Data:
∙ collection;
∙ recording;
∙ systematisation;
∙ accumulation;
∙ storage;
∙ clarification (update, amendment);
∙ extraction;
∙ use;
∙ depersonalisation;
∙ blocking;
∙ deletion;
∙ destruction;
∙ transfer.
Processing methods: mixed; via intranet of a legal entity; via the Internet.
Personal data processing and retention period:
∙ Consent validity period;
∙ Contract duration.
5.4. Purpose of personal data processing: carrying out civil and legal relations related to the fulfilment of obligations under product and service implementation agreements, and ensuring the provision of services that are part of the product being sold.
Categories of Personal Data Processed
• Surname, forename, patronymic in Russian;
• Surname, first name in Latin transcription, as they appear in the international passport;
• Year, month and date of birth;
• Place of birth;
• current nationality (if applicable, nationality at birth);
• gender;
• details of the Russian Federation’s standard passport (series and number of the standard Russian passport, date of issue, name of the issuing authority, and expiry date of the standard Russian passport or birth certificate);
• details of the Russian Federation’s international passport (series and number of the international passport, date of issue, name of the issuing authority, period of validity);
• details from the birth certificate (for minors);
• registered address;
• actual residential address;
• email address;
• home and mobile telephone numbers;
• data from recommendation technologies;
• additional information provided voluntarily by the data subject, and other personal data required by Ayubooking LLC in accordance with the applicable legislation of the Russian Federation on personal data.
• Additional information requested by the consular services of the embassy of the country you intend to visit, where necessary to obtain a visa on your behalf from the embassy of the country of your intended stay:
Father's surname and given name; Mother's surname and given name;
details of the employer and the job (the employer’s name, address and telephone number; current position; salary);
information about the educational institution – for school pupils and students (name, address and telephone number of the educational institution);
a picture (photograph) of the customer;
dates of previous visits to the country you plan to visit or to a group of specific countries;
information regarding previous deportations from the country to be visited or other breaches of the laws of foreign states;
other required information, as specified by the consular services of the embassy of the country you intend to visit.
Categories of Data Subjects: Website Users (Product Customers – a participant or any other person ordering a product on behalf of a participant, including the legal representative of a minor participant).
Legal basis for the processing of personal data:
∙ personal data shall be processed with the consent of the data subject to the processing of their personal data;
∙ the processing of personal data is necessary for the performance of a contract, in which the data subject is either a party, a beneficiary or a guarantor, as well as for the conclusion of a contract at the initiative of the data subject or a contract under which the data subject will be a beneficiary or a guarantor. A contract concluded with the data subject must not contain any provisions restricting the rights and freedoms of the data subject.
List of actions for processing Personal Data:
∙ collection;
∙ recording;
∙ systematisation;
∙ accumulation;
∙ storage;
∙ clarification (update, amendment);
∙ extraction;
∙ use;
∙ depersonalisation;
∙ blocking;
∙ deletion;
∙ destruction;
∙ transfer (provision, access).
Processing methods: mixed; without transmission via the legal entity’s internal network; with transmission via the Internet.
Personal data processing and retention period:
∙ Consent validity period;
∙ Contract duration.
5.5. Purpose of processing personal data: to send out promotional and informational messages.
Categories of Personal Data Processed
· surname, first name, patronymic;
· telephone number;
· email.
Subject Categories: Website Users.
Legal Basis for Personal Data Processing:
· The processing of personal data is carried out with the consent of the data subject to the processing of their personal data.
List of personal data processing activities:
· collection;
· recording;
· systematisation;
· accumulation;
· storage;
· clarification (update, amendment);
· extraction;
· use;
· depersonalisation;
· blocking;
· deletion;
· destruction;
· transfer (provision, access).
Processing methods:
· mixed;
· via the Internet.
Personal data processing and retention period:
· Validity period of consent.
- Transfer of personal data
6.1. The Operator shall transfer personal data to third parties in the following cases:
6.1.1. consent to such actions has been obtained from the data subject;
6.1.2. the transfer is provided for under Russian or other applicable legislation, in accordance with the procedure laid down by law.
6.2. List of persons to whom personal data is disclosed:
6.2.1. Third parties to whom personal data is disclosed in the course of fulfilling obligations relating to the provision and performance of the services forming part of the product:
6.2.1.1. Performers who form the product;
6.2.1.2. Direct providers of services that form part of the product or provide individual services (accommodation providers, consulates and embassies of foreign states processing visas, etc.).
6.2.2. Third parties to whom personal data is disclosed in the course of fulfilling obligations arising from employment relationships:
6.2.2.1. Internal Affairs bodies of Russia in cases established by legislation;
6.2.2.2. Other state bodies in cases provided for by legislation.
6.3. The provision of a Data Subject’s Personal Data at the request of state authorities (local authorities) shall be carried out in accordance with the procedure laid down by the legislation of the Russian Federation.
6.4. When collecting personal data, including via the Internet, the Operator ensures that the personal data of citizens of the Russian Federation is processed using databases located within the territory of the Russian Federation, except in the cases specified in the Law on Personal Data.
6.5. The controller carries out cross-border transfers of personal data.
6.6. Personal data may be transferred across borders for purposes relating to the sale of the product and the provision of services forming part of the product. Cross-border transfers of personal data are carried out in accordance with the requirements set out in Article 12 of Federal Law No. 152-FZ «On Personal Data» of 27 July 2006.
6.7. By consenting to the processing of their personal data, the data subject (user of the Website) consents to the cross-border transfer of such data.
6.8. No cross-border transfer of personal data relating to other categories of data subjects takes place.
- UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA; RESPONSES TO DATA SUBJECTS’ REQUESTS FOR ACCESS TO PERSONAL DATA
7.1. Procedure for Handling Subject Requests:
7.1.1. Confirmation that the Controller is processing personal data, the legal grounds and purposes of such processing, as well as other information specified in Article 14(7) of the Personal Data Act shall be provided by the Controller to the Data Subject or their representative within 10 working days of the Data Subject or their representative making a request or the Controller receiving such a request. This period may be extended, but by no more than five working days. To do so, the Controller must send the Data Subject a reasoned notice setting out the grounds for extending the deadline for providing the requested information.
7.1.2. The information provided does not include personal data relating to other Data Subjects, except where there are lawful grounds for disclosing such personal data.
7.1.3. The request must contain data that allows the Subject to be identified, and the Subject's signature, and if the request is signed by the Subject's representative, a document confirming their authority.
7.1.4. A request may be submitted in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
7.1.5. The Controller shall provide the information specified in Article 14(7) of the Personal Data Act to the Data Subject or their representative in the form in which the relevant application or request was submitted, unless otherwise specified in the application or request. If the Data Subject’s application (request) does not contain all the necessary information in accordance with the requirements of the Personal Data Act, or if the Data Subject does not have the right to access the information requested, a reasoned refusal shall be sent to them.
7.1.6. The Data Subject’s right of access to their Personal Data may be restricted in accordance with Article 14(8) of the Personal Data Act, including where the Data Subject’s access to their Personal Data infringes the rights and legitimate interests of third parties.
7.2. Where inaccurate Personal Data is identified following an application or request from the Data Subject or their representative, or at the request of Roskomnadzor, the Controller shall block the Personal Data relating to that Data Subject from the time of such application or receipt of such request for the duration of the verification, provided that the blocking of the personal data does not infringe upon the Data Subject’s rights and legitimate interests.
7.3. Where the inaccuracy of personal data is confirmed, the Controller shall, on the basis of information provided by the Data Subject or their representative, or by Roskomnadzor, or other necessary documents, correct the Personal Data within seven working days of the date on which such information is provided and shall lift the restriction on the Personal Data.
7.4. In the event that unlawful processing of Personal Data is identified following a request from the Data Subject or their representative, or from Roskomnadzor, the Controller shall block the unlawfully processed Personal Data relating to that Data Subject within three working days of such a request being made or received.
7.5. Destruction of personal data:
7.5.1. Once the purpose of processing personal data has been achieved, or where the data subject withdraws their consent to the processing of their personal data, the personal data shall be destroyed if:
7.5.1.1. a contract to which the Data Subject is a party, a beneficiary or a guarantor does not provide otherwise;
7.5.1.2. the Data Controller is not entitled to process the personal data without the consent of the data subject on the grounds provided for in the Personal Data Act or other federal laws;
7.5.1.3. the legislation of the Russian Federation does not provide otherwise.
7.6. Personal data on electronic media shall be destroyed by erasing them from computer memory or by formatting computer memory.
7.7. Documents (paper records) containing personal data shall be destroyed by burning, shredding, chemical decomposition, or by reducing them to a formless mass or powder. A shredder may be used to destroy paper documents.
7.8. Personal data shall be destroyed within 10 working days of the occurrence of any of the events set out in clause 7.5 of this Policy.
- MEASURES TAKEN BY THE CONTROLLER TO PROTECT PERSONAL DATA
8.1. In accordance with the requirements of the relevant regulatory documents, the Operator has established a personal data protection system comprising legal, organisational and technical protection subsystems.
8.2. The legal protection subsystem comprises a set of legal, organisational, administrative and regulatory documents that ensure the establishment, operation and improvement of personal data protection systems.
8.3. The organisational security subsystem comprises the organisation of the management structure for personal data protection systems, the authorisation system, and information security measures when dealing with staff, partners and third parties.
8.4. The technical security subsystem comprises a range of technical, software and hardware measures designed to ensure the protection of personal data.
8.5. The main measures for the protection of personal data used by the Controller are:
8.5.1. Appointment of a data protection officer responsible for organising the processing of personal data, providing training and guidance, and carrying out internal monitoring to ensure that the organisation and its staff comply with personal data protection requirements.
8.5.2. Identification of current personal data security threats during processing in personal data information systems and development of measures and activities for personal data protection.
8.5.3. Development of a personal data processing policy.
8.5.4. Establishing rules for access to personal data processed in personal data information systems, as well as ensuring the registration and accounting of all actions performed with personal data in personal data information systems.
8.5.5. Setting up individual employee access passwords to the information system in accordance with their job responsibilities.
8.5.6. Application of information security tools that have undergone the established conformity assessment procedure.
8.5.7. Use of certified antivirus software with regularly updated databases.
8.5.8. Compliance with conditions ensuring the security of personal data and preventing unauthorised access.
8.5.9. Detection of incidents of unauthorised access to personal data and the adoption of remedial measures.
8.5.10. Recovery of personal data modified or destroyed as a result of unauthorised access.
8.5.11. Training of the Operator's employees who directly process personal data on the provisions of the Russian Federation legislation on personal data, including requirements for personal data protection, documents defining the Operator's policy on personal data processing, and local acts on personal data processing.
8.5.12. Carrying out internal control and audit.
8.6. When processing personal data, the Operator shall ensure:
8.6.1. carrying out measures aimed at preventing unauthorised access to personal data and/or their transfer to persons not entitled to access such information;
8.6.2. timely detection of unauthorised access to personal data;
8.6.3. prevention of interference with the automated processing systems for personal data, which might disrupt their functioning;
8.6.4. the ability to immediately restore personal data modified or destroyed as a result of unauthorised access to it;
8.6.5. continuous monitoring to ensure the level of personal data protection.
8.7. The Operator uses technical equipment and software for processing and protecting personal data.
8.8. The above-mentioned technical equipment and software for the processing and protection of personal data are located at the Operator's office and premises or at the premises of other persons engaged by the Operator.
8.9. All individuals permitted to work with personal data, as well as those associated with the operation and technical support of the Personal Data Information System, have been familiarised with this Policy.
8.10. The Operator has organised training on the use of protective measures operated by the Operator. Training in this area has been provided to individuals with permanent access to personal data, individuals operating the technical and software tools of the personal data information system (ISPDn), the protective measures of the ISPDn, and individuals responsible for the operation of the ISPDn's information security measures.
8.11. Employees are required to immediately report to the relevant official of the Operator any loss or shortage of data storage media containing personal data, as well as the causes and circumstances of any potential personal data breach. In the event that unauthorised persons attempt to obtain from an employee personal data processed by the Operator, the employee must immediately notify the relevant official of the Operator.
8.12. When working with the automated system software of the Operator, which performs the functions of viewing and editing personal data, it is prohibited to display screen forms containing such data to persons who do not have appropriate clearance.
8.13. Personal Data Storage:
8.13.1. Data subjects’ personal data may be collected, further processed and transferred for storage, both in paper form and electronically.
8.13.2. Personal data of Subjects recorded on paper shall be stored in lockable cabinets or in lockable rooms with restricted access.
8.13.3. Personal data of Data Subjects processed using automation tools are processed and stored in compliance with the requirements established by Decree of the Government of the Russian Federation No. 1119 «On Approval of Requirements for the Protection of Personal Data during their Processing in Personal Data Information Systems» dated 01.11.2012.
8.13.4. Documents containing personal data shall not be stored or placed in open electronic catalogues (file-sharing services) within personal data information systems.
8.13.5. Personal data shall be stored in a form that identifies the Data Subject for no longer than is necessary for the purposes for which the personal data are processed, unless the retention period for personal data is established by federal law, or by an agreement to which the Data Subject is a party, beneficiary or guarantor.
- DATA ON MINORS
9.1. The Operator does not knowingly collect personal data from minors without the consent of their legal representatives. If you are the legal representative of a minor Data Subject and are aware that the minor Data Subject has provided their personal data to the Operator without your consent, please contact the Operator using the contact details set out in section 13 of this Policy.
9.2. The Operator shall only receive data on minor Data Subjects from their legal representatives and with their consent.
- RECOMMENDATION TECHNOLOGIES
10.1. The Website uses recommendation technologies to maintain visit statistics, determine interest levels, and display content according to the Subject's (Website user's) interests.
- OPERATOR LIABILITY
11.1. The Operator’s management shall be liable for any failure to ensure the confidentiality of Personal Data and for any failure to respect the rights and freedoms of Data Subjects in relation to their Personal Data, including the rights to privacy and to personal and family privacy.
11.2. The Operator’s employees are personally liable for any failure to comply with the requirements regarding the processing and security of personal data in accordance with the legislation of the Russian Federation.
11.3. An employee of the Operator may be held liable in the following circumstances:
11.4. The intentional or negligent disclosure of personal data;
11.5. Loss of personal data storage media;
11.6. Breaches of the requirements of this Policy and other regulatory documents of the Operator concerning access to and processing of personal data.
11.7. In cases of violation of the established procedure for processing and ensuring the security of personal data, unauthorised access to personal data, disclosure of personal data, and the causing of material or other losses to the Operator, its employees, contractors, and other Data Subjects, the guilty parties shall bear civil, criminal, administrative, disciplinary, and other liability provided for by the legislation of the Russian Federation.
11.8. The Operator informs the Subject that this Policy applies only to Personal Data processed by the Operator. The Operator does not control and is not responsible for the use of third-party websites, which the Subject may visit at their own discretion and risk by following links posted on the Website.
11.9. The Data Controller shall not be liable for the accuracy of the Data Subject’s Personal Data.
- FINAL PROVISIONS
12.1. The Operator does not knowingly collect personal data from minors without the consent of their legal representatives. If you are the legal representative of a minor Data Subject and are aware that the minor Data Subject has provided their personal data to the Operator without your consent, please contact the Operator using the contact details set out in section 13 of this Policy.
12.2. This Policy shall come into force upon approval, shall be brought into effect by order of the Operator, and shall remain in force indefinitely (until it is revoked or replaced by a new version of the Policy).
12.3. The requirements of this Policy apply to all employees of the Operator who have access to personal data, as well as to all Subjects.
12.4. The Operator has the right to unilaterally amend and/or supplement this Policy. The new version of the Policy shall come into force from the moment of its publication (posting) on the Website at the address https://panchakarma.club/soglasie-na-obrabotku-personalnyh-dannyh, unless otherwise provided by a new version of the Policy. In the event of changes affecting the rights of Data Subjects, the Operator has the right, but not the obligation, to send information about these changes to the Data Subjects using their contact details or to notify them of the changes in another way. If, after the amendment of this Policy, a Data Subject (Site user) continues to use the Site or does not withdraw their consent to the processing of personal data within 5 working days, then the Data Subject (Site user) agrees to the introduced changes; other categories of Data Subjects are notified of the changes made to the Policy.
- OPERATOR DETAILS
AYUBOKING LLC
Legal address: 121352, Russian Federation, Moscow, Slavyansky Boulevard 9/6 — 44
Postal and physical address: 121352, Russian Federation, Moscow, Slavyansky Boulevard 9/6 — 44
INN / KPP 9731005392 / 773101001
OGRN 1187746639453
Contact phone: +7 (495) 777-96-39
e-mail: info@panchakarma.club
https://panchakarma.club/