Regulation on personal data processing
1. General provisions
The Regulation on Processing of Personal Data (hereinafter referred to as «Regulation») is issued and applied by Limited Liability Company ‘LEGAL COMPANY “URVISTA”’, TIN 7718683941, KPP 770101001, OGRN 1087746040140, location address: 101000, Moscow, str. POKROVKA, 3/7 (hereinafter referred to as the «Operator») in accordance with para. 2 of part 1 of Article 18.1 of the Federal Law No. 152 ‘On Personal Data’ dated 27.07.2006.
The Regulation defines the policy, procedure and conditions of the Operator with regard to the processing of personal data received via the website https://en.urvista.ru/ (hereinafter referred to as «Website») or separate pages of the Website, or through messages left in messengers, and establishes procedures aimed at preventing and detecting violations of the legislation of the Russian Federation and eliminating the consequences of such violations related to the processing of personal data. The current version of the Regulation is available on the Internet in the footer of the Website.
All issues related to the processing of personal data not regulated by this Regulation shall be resolved in accordance with the current legislation of the Russian Federation in the field of personal data.
The Operator ensures protection of processed personal data from unauthorised access and disclosure, misuse or loss in accordance with the requirements of the Personal Data Law.
The Operator shall have the right to make changes to these Regulations. When making changes, the date of the last update of the Regulations shall be indicated in the title of the Regulations. The new edition of the Regulations shall come into force from the moment of its posting on the Website, unless otherwise provided by the new edition of the Regulations.
2. Terms used in this provision
- Personal data: any information relating to a directly or indirectly defined or identifiable natural person (subject of personal data).
- Personal data operator (operator): a state authority, municipal authority, legal or natural person, independently or jointly with other persons organising and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data.
- Processing of personal data: any action (operation) or set of actions (operations) with personal data performed with or without the use of automation tools. Processing of personal data includes, but is not limited to: collection; recording; systematisation; accumulation; storage; clarification (updating, modification); extraction; use; transfer (distribution, provision, access); depersonalisation; blocking; deletion; destruction.
- Automated processing of personal data: processing of personal data by means of computer equipment.
- Dissemination of personal data: actions aimed at disclosure of personal data to an indefinite number of persons.
- Provision of personal data: actions aimed at disclosure of personal data to a certain person or a certain circle of persons.
- Blocking of personal data: temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data).
- Destruction of personal data: actions as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.
- Personal data depersonalisation: actions, as a result of which it becomes impossible to determine the belonging of personal data to a particular subject of personal data without using additional information.
- Personal data information system: a set of personal data contained in databases and ensuring their processing, information technologies and technical means.
- Trans-border transfer of personal data: transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign individual or a foreign legal entity.
3. Principles, conditions and procedure of personal data processing
Principles of personal data processing:
- Processing of personal data is carried out on a lawful and fair basis;
- Processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of personal data collection is not allowed;
- Databases containing personal data processed for incompatible purposes may not be merged;
- Only personal data that meet the purposes of their processing shall be processed;
- The content and scope of processed personal data corresponds to the stated processing purposes. The redundancy of processed personal data in relation to the stated purposes of their processing is not allowed;
- When processing personal data, the accuracy of personal data, their sufficiency and, where necessary, relevance to the purposes of personal data processing are ensured. The operator shall take the necessary measures or ensure their adoption to delete or clarify incomplete or inaccurate data;
- Personal data shall be stored in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the period of personal data storage is established by federal law, contract to which the personal data subject is a party, beneficiary or guarantor. Processed personal data shall be destroyed when the purposes of processing have been achieved or when it is no longer necessary to achieve these purposes, unless otherwise provided for by federal law.
Legal basis for processing of personal data:
Processing of personal data is carried out with the consent of the personal data subject to the processing of personal data, as well as without it in cases stipulated by the legislation of the Russian Federation, including if the processing of personal data is necessary for the fulfilment of an agreement to which the personal data subject is a party or a beneficiary or guarantor, as well as for the conclusion of an agreement at the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary.
Procedure for processing personal data:
- The operator carries out automated processing of personal data of the Website users;
- Persons familiarised with the provisions of the Russian Federation legislation on personal data, including requirements to personal data protection, documents defining the Operator's policy on personal data processing, local acts on personal data processing are allowed to process personal data;
- Disclosure to third parties and dissemination of personal data without the consent of the subject of personal data is not allowed, unless otherwise provided for by federal law;
- Transfer of personal data to the bodies of enquiry and investigation, the Federal Tax Service and other authorised executive authorities and organisations is carried out in accordance with the requirements of the legislation of the Russian Federation;
- Processing of special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, intimate life is not carried out by the Operator;
- Trans-border transfer of personal data is not carried out by the Operator;
- The Operator does not process biometric personal data;
- Oral communication with counterparties (including clients, potential clients) is performed via a specially allocated telephone line of the Operator. At the same time, the workplace of the Operator's employee, who is charged with the communication, is provided with technical means, which allow for automated registration of telephone calls, as well as (with the consent of the personal data subject) for audio recording of negotiations. In this situation, the audio recording of the obtained verbal consent is appropriate;
- If information was documented as an audio recording on a digital dictaphone or audio cassette by a natural person on his/her own initiative, secretly and sometimes with the purpose of artificially creating evidence, such evidence is considered inadmissible and has no legal force on the basis of part 2 of Article 50 of the Constitution of the Russian Federation.
4. The purposes of processing, categories of personal data subjects, categories and list of processed personal data, methods, terms of their processing and storage, procedure of personal data destruction upon achievement of the purposes or upon occurrence of other legal grounds
Users (visitors) of the Website.
Purpose of personal data processing: processing and execution of applications, informing about the Operator's services, sending information messages, sending advertising mailings, providing access to the Website services, including: sending messages to messengers WhatsApp, Telegram, making calls using the Website services.
Category of processed personal data: personal data.
List of processed personal data: name, phone number, username in messenger, information collected through metric programmes.
Periods of personal data processing and storage: until revocation of consent to personal data processing; until the purposes of personal data processing are achieved or the purpose of personal data processing is lost, unless otherwise provided for by federal law.
Method of processing: automated processing of personal data.
Destruction procedure: upon expiry of the terms of personal data processing or in case of withdrawal of consent to personal data processing by the responsible person of the operator, the personal data of the personal data subject are destroyed. Destruction of personal data on electronic media is carried out by mechanical violation of the integrity of the media, which does not allow reading or restoring personal data, or by deletion from electronic media by methods and means of guaranteed deletion of residual information. The fact of personal data destruction is confirmed by a documented act of media destruction.
Counterparties (including clients, potential clients)
Purpose of personal data processing: conclusion and execution of a contract, informing about the Operator's services, sending information messages, sending advertising mailings, providing access to the Website services, including: sending messages to WhatsApp, Telegram, E-mail, SMS-mailing, making calls using the Website services.
Category of processed personal data: personal data.
List of processed personal data: name, surname, patronymic, telephone number, messenger username, TIN, registration address, residence address, current account details, e-mail address.
Periods of personal data processing and storage: until revocation of consent to personal data processing; until the purposes of personal data processing are achieved or the purpose of personal data processing is lost, unless otherwise provided for by federal law.
Method of processing: automated, non-automated processing of personal data.
Destruction procedure: upon expiry of the terms of personal data processing or in case of withdrawal of consent to personal data processing by the responsible person of the operator, the personal data of the subject of personal data are destroyed. Destruction of personal data on electronic media is carried out by mechanical violation of the integrity of the media, which does not allow reading or restoring personal data, or by deletion from electronic media by methods and means of guaranteed deletion of residual information. The fact of personal data destruction is confirmed by a documented act of media destruction.
5. Basic rights of personal data subjects
Personal data subjects have the right to:
- full information about their personal data processed by the Operator;
- access to their personal data, including the right to receive a copy of any record containing their personal data, except for cases stipulated by the legislation of the Russian Federation;
- clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- withdrawal of consent to the processing of personal data;
- taking measures provided for by law to protect his/her rights;
- appeal against an action or inaction of the Operator, which is carried out in violation of the requirements of the legislation of the Russian Federation in the field of personal data, to the authorised body for the protection of the rights of personal data subjects or to the court;
- exercise other rights provided for by the legislation of the Russian Federation.
6. Withdrawal of consent to the processing of personal data
Consent to the processing (including distribution) of personal data may be withdrawn by Users or their representatives by sending a written application to the Operator to the following e-mail address: info@urvista.ru or by postal address: 101000, Moscow, str. POKROVKA, 3/7.
In case of withdrawal of consent to the processing of personal data, the operator has the right to continue the processing of personal data without the consent of the user if there are grounds specified in paragraphs 2 - 11 of Part 1 of Article 6 of the Law on Personal Data.
7. Actions performed by the personal data controller in the course of personal data processing
- The Operator has the right to perform the following actions: collection; recording; systematisation; accumulation; storage; clarification (update, change); extraction; use; transfer (provision, access); deletion; destruction.
- The Operator has the right to entrust the processing of personal data to another person with the consent of the subject of personal data on the basis of a contract concluded with this person. The person carrying out personal data processing on behalf of the operator is obliged to comply with the principles and rules of personal data processing stipulated by the Personal Data Law, and to observe the confidentiality of personal data.
8. Storage of personal data
- Personal data of the subjects may be received, further processed and transferred for storage in electronic form.
- Personal data of subjects processed using automation tools for different purposes shall be stored in different folders.
- It is not allowed to store and place documents containing personal data in open electronic catalogues (file sharing) in the personal data information system.
9. Measures taken by the operator to ensure personal data security, assessment of harm that may be caused to personal data subjects
Measures necessary to ensure the security of personal data processed by the operator include:
- appointment of a person responsible for organisation of personal data processing;
- adoption of local regulatory acts and other documents in the field of personal data processing and protection;
- observance of conditions ensuring the safety of personal data and excluding unauthorised access to them;
- detection of unauthorised access to personal data;
- carrying out methodological work with persons authorised to work with personal data;
- obtaining consents of personal data subjects for processing of their personal data, except for cases stipulated by the legislation of the Russian Federation;
- ensuring separate storage of personal data and their material carriers, the processing of which is carried out for different purposes and which contain different categories of personal data;
- ensuring the security of personal data during their transmission via open communication channels;
- determination of actual threats to personal data security during their processing in the information system of personal data and development of measures and activities for personal data protection;
- application of certified anti-virus software with regularly updated databases;
- storage of material carriers of personal data in compliance with the conditions ensuring the safety of personal data and excluding unauthorised access to them;
- internal control and audit of compliance of personal data processing with the Law on Personal Data and legal acts adopted in accordance with it, personal data protection requirements, these Regulations, local regulatory acts of the Operator;
- other measures stipulated by the legislation of the Russian Federation in the field of personal data.
- The assessment of harm that may be caused to personal data subjects in case of violation by the Operator of the requirements of the Law on Personal Data is determined in accordance with the Order of the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications of 27.10.2022 No. 178.
10. Duties of the personal data controller
- In case of detection of unlawful processing or inaccuracy of personal data, at the request of the personal data subject or his/her representative, or at the request of the personal data subject or his/her representative or the authorised body for the protection of the rights of personal data subjects, the operator is obliged to block the unlawfully processed or inaccurate personal data related to this personal data subject, or to ensure their blocking (if the processing of personal data is carried out by another person acting in the capacity of an authorised body for the protection of the rights of personal data subjects).
- If the fact of inaccuracy of personal data is confirmed, the operator, based on the information submitted by the personal data subject or his/her representative or by an authorised body for the protection of the rights of personal data subjects, or other necessary documents, is obliged to clarify the personal data or ensure their clarification (if the personal data processing is carried out by another person acting on behalf of the operator) within seven working days from the date of submission of such information and remove the blocking of personal data.
- In case of detection of unlawful processing of personal data by the operator or a person acting on behalf of the operator, the operator shall, within a period not exceeding three working days from the date of such detection, cease unlawful processing of personal data or ensure the cessation of unlawful processing of personal data by a person acting on behalf of the operator. If it is impossible to ensure the lawfulness of personal data processing, the operator shall, within a period not exceeding ten working days from the date of detection of unlawful processing of personal data, destroy such personal data or ensure their destruction. The operator is obliged to notify the personal data subject or his/her representative about elimination of the committed violations or destruction of personal data, and in case the personal data subject's or his/her representative's appeal or request of the authorised body for protection of the rights of personal data subjects was sent by the authorised body for protection of the rights of personal data subjects, also the said body.
In case of establishing the fact of unlawful or accidental transfer (provision, dissemination, access) of personal data, resulting in the violation of the rights of personal data subjects, the operator is obliged to notify the authorised body for the protection of personal data subjects' rights from the moment of detection of such incident by the operator, the authorised body for the protection of personal data subjects' rights or other interested person:
- within twenty-four hours about the incident that occurred, about the alleged reasons that caused the violation of the rights of personal data subjects and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the respective incident, as well as to provide information about the person authorised by the operator to interact with the authorised authority for the protection of the rights of personal data subjects on issues related to the identified incident;
- within seventy-two hours on the results of the internal investigation of the identified incident, as well as provide information on the persons whose actions caused the identified incident (if any).
- If the purpose of personal data processing is achieved, the operator is obliged to stop processing of personal data or ensure its termination (if personal data processing is carried out by another person acting on behalf of the operator) and destroy personal data or ensure their destruction (if personal data processing is carried out by another person acting on behalf of the operator) within a period not exceeding thirty days from the date of achievement of the purpose of personal data processing, unless otherwise provided for by the contract, party to the agreement with the operator.
- If the personal data subject withdraws his/her consent to the processing of his/her personal data, the operator is obliged to cease the processing of personal data or ensure the cessation of such processing (if the processing of personal data is carried out by another person acting on behalf of the operator) and, if the preservation of personal data is no longer required for the purposes of personal data processing, to destroy the personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the operator).
- If the personal data subject requests the operator to stop processing personal data, the operator shall, within a period not exceeding ten working days from the date of receipt of the relevant request by the operator, stop processing or ensure the cessation of such processing (if such processing is carried out by the person who processes personal data), except in cases provided for by paragraphs 2 - 11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of the Law on Personal Data. The mentioned term may be extended, but not more than for five working days in case the operator sends a motivated notification to the personal data subject, indicating the reasons for extending the term for providing the requested information.
- If it is not possible to destroy personal data within the aforementioned time limits, the operator shall block such personal data or ensure their blocking (if personal data processing is carried out by another person acting on behalf of the operator) and ensure the destruction of personal data within a period not exceeding six months, unless another period is established by federal laws.
- Destruction of personal data is confirmed by an act.
- The operator is obliged to inform the personal data subject or his/her representative about the availability of personal data related to the respective personal data subject, as well as to provide an opportunity to familiarise with these personal data upon the personal data subject's or his/her representative's request or within ten working days from the date of receipt of the personal data subject's or his/her representative's request. The said term may be extended, but not more than for five working days in case the operator sends a motivated notice to the personal data subject indicating the reasons for extending the term for providing the requested information.
- The operator is obliged to provide free of charge to the personal data subject or his/her representative an opportunity to familiarise with personal data related to this personal data subject. Within a period not exceeding seven working days from the date of submission by the personal data subject or his/her representative of information confirming that the personal data are incomplete, inaccurate or irrelevant, the operator is obliged to make the necessary changes to them. Within a period not exceeding seven working days from the date of submission by the personal data subject or his/her representative of information confirming that such personal data are illegally obtained or are not necessary for the stated purpose of processing, the operator shall destroy such personal data. The operator shall notify the personal data subject or his/her representative of the changes made and measures taken, and shall take reasonable measures to notify third parties to whom the personal data of this subject have been transferred.
- The operator is obliged to provide the authorised body for the protection of the rights of personal data subjects, upon the request of this authority, with the necessary information within ten working days from the date of receipt of such request. This term may be extended, but not more than for five working days in case the Operator sends a motivated notification to the authorised body for the protection of the rights of personal data subjects, indicating the reasons for extending the term for providing the requested information.
- The Operator is also obliged to perform other actions stipulated by the current legislation of the Russian Federation.
11. Confidentiality
- Operators and other persons who have access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided for by federal law.
- The Website uses identification technology based on the use of cookies.
- When the User accesses the Website, cookie files may be recorded on the computer used for access, which will be used for automatic authorisation of the User on the Website, as well as for collection of statistical data, in particular on the attendance of the Website resources.
- Cookie files are used for the purposes of the Website operation, retargeting and statistical research and surveys using the Yandex.Metrica service and other services.
- If the User does not agree to the processing of the above data, the User should change the browser settings or leave the Website.
- The Operator does not sell or otherwise disclose the obtained information about the User, except for the cases stipulated in this Regulation. The Operator may transfer the User's personal data, subject to obtaining the relevant consent: to service providers who provide services for the purpose of fulfilment of concluded contracts. These service providers are not entitled to use or disclose the obtained information, except for cases when it is necessary for fulfilment of legal requirements.