— personal data not covered by Federal Law No. 152-ФЗ on Personal Data.
1.5. The Operator shall process the following personal data:
— first name, last name, patronymic;
— telephone number;
— email address;
— employment details;
— INN (Taxpayer Identification Number);
— residential address;
— history of the Data Subject’s requests and submissions to the Operator.
1.6 The Operator also processes other data that are automatically collected in an anonymized form through the use of the Website services. Such usage information is collected by special software installed on the user’s access device. Processing of personal data means any action (operation) or a combination of actions (operations) performed in respect of personal data, including, but not limited to,:
— transfer (distribution, provision, access);
2. Collection, Use and Disclosure of Personal Data
2.2 The Operator shall collect personal data:
— that are submitted by a Data Subject electronically when filling out registration forms on the Operator’s Website;
— that are submitted by a Data Subject orally when calling the Call Center or otherwise;
— in any other manner, subject to the applicable Russian and international laws and regulations on protection of personal data.
2.3 It is understood that a Data Subject consents to processing of his/her personal data:
— by ticking the appropriate “I agree” checkbox under a Privacy Notice or by clicking the “Register”, “Submit”, “Sign Up”, “Call me back” or “Place an Order” buttons;
— by providing any personal data orally when calling the Call Center.
2.4 A Data Subject’s consent to personal data processing shall be deemed to have been duly received if provided in accordance with the established procedure and shall be valid until the Data Subject submits his/her request to terminate the processing of his/her personal data, at the Operator’s registered address.
2.5 Unless otherwise required by the applicable laws of the Russian Federation, a Data Subject may at any time revoke his/her consent to personal data processing. To revoke his/her consent to personal data processing, the Data Subject should send a written notice thereof to the Operator’s registered address. A soon as the Data Subject revokes his/her his consent to personal data processing, the Operator shall cease or instruct such third-party processor, as may be engaged by the Operator, to cease the processing of such personal data. If the Data Subject’s personal data are no longer required to be processed, the Operator shall destroy or instruct such third-party processor, as may be engaged by the Operator, to destroy such personal data within a period of up to 30 (Thirty) calendar days of receipt of such notice of revocation, unless otherwise provided for by a contract, to which the Data Subject is a beneficiary or surety, or by any other agreement between the Operator and the Data Subject, or if the Operator may not process personal data without the Data Subject’s consent to such processing under the Federal Law of 27 July 2006 No. 152-ФЗ on Personal Data or any other federal laws.
3. Terms and Procedures for Processing Personal Data
3.1 For the purposes hereof, personal data may only be processed by such employees of the Operator, who are authorized to do so in accordance with their job description. The Operator shall ensure that its employees maintain confidentiality of and protect personal data when processing the same.
3.2 For the purposes hereof, the Operator may decide to perform certain data processing operations itself or delegate all or part of the processing to a third party.
3.3 If the Operator decides to delegate all or part of the data processing operations to a third party, such data and operations shall be limited to those reasonably required by such third-party processor to fulfill its processing obligations to the Operator. A third-party processor shall maintain confidentiality of and protect personal data when processing the same.
3.4 In providing services and carrying out intra-business activities, the Operator shall apply both electronic (computer aided) and manual (paper-based) processing of personal data. The Operator shall store Data Subjects’ personal data in accordance with its bylaws.
3.5 Personal data shall be subject to confidentiality obligations, unless disclosed to the general public by the Data Subject himself/herself. By doing so, the Data Subject agrees and acknowledges that any personal data so disclosed shall be treated as public.
4. Personal Data Security Obligations
4.1 Any processing of personal data by the Operator shall be subject to confidentiality obligations.
4.2 The Operator shall ensure that any third parties, to whom access to personal data may be provided, are bound by confidentiality obligations and do not disclose such personal data without the Data Subject’s consent, unless otherwise required by the federal law.
4.3 Unless otherwise required by the applicable laws of the Russian Federation, the Operator’s employees shall maintain confidentiality of all personal data, as well as any other confidential information classified as such by the Operator.
4.4 To protect personal data during their processing, the Operator shall take all necessary and adequate legal, organizational and technical measures to prevent any unauthorized or accidental disclosure, destruction, modification, blocking, copying, transfer, distribution of such personal data, as well as any other illegal actions therewith. The Operator shall ensure that all such organizational and technical measures are carried out lawfully and in accordance with the applicable laws of the Russian Federation on processing of personal data.
4.5 The security of personal data shall be achieved:
— by identifying threats to the security of personal data while they are being processed in the personal data information systems;
— by applying such organizational and technical measures for ensuring the security of personal data while they are being processed in the personal data information systems, as are necessary to protect personal data as per requirements of the Government of the Russian Federation;
— by applying means of data protection which have duly undergone conformity assessment procedures;
— by assessing the effectiveness of measures taken to ensure the security of personal data, before commissioning personal data information systems;
— by keeping records of media containing personal data;
— by detecting unauthorized access to personal data and taking measures;
— by restoring personal data that have been modified or destroyed as a result of unauthorized access thereto;
— by taking measures to prevent unauthorized access to and/or transferring of personal data to any unauthorized persons;
— by timely detecting unauthorized access to personal data and taking appropriate measures;
— by preventing any negative impact on automated data processing means, that may affect the proper operation thereof;
— by controlling the measures taken to ensure the required level of security of personal data and related information systems.
4.5.1 The Operator shall protect personal data from the current threats, with due account of the information technologies used:
— by identifying and authenticating access subjects and access objects;
— by controlling subject access to objects;
— by limiting software environment;
— by protecting storage media, on which personal data is stored and/or processed;
— by recording security events;
— by using antivirus software;
— by detecting/preventing security breaches;
— by ensuring the integrity of the information system and personal data;
— by protecting the virtualized environment;
— by protecting the technical means;
— by protecting the information system, its means, communication and data transmission systems;
— by detecting incidents (an event or a group of events) that may lead to malfunctions or disruptions in the information system operation and/or to threats to the security of personal data, and by responding the same;
— by adjusting the configuration of the personal data information and security system.
4.6 To ensure that the level of security of personal data is consistent with the requirements of the Federal Law of 27 July 2006 No. 152-ФЗ on Personal Data and the Federal Law of 27 July 2006 No. 149- ФЗ on Information, Information Technologies and Information Protection, the Operator shall not disclose information on the specific means used and measures taken to ensure the security of personal data.
4.7 No personal data provided by a Data Subject shall be disclosed. However, it is understood that no disclosure of personal data to the Operator’s agents or contractors for the purpose of fulfilling the Operator’s obligations to the Data Subject, or as may be reasonably required by the applicable law, shall be considered a violation of this non-disclosure obligation.
5. Consent to Receiving Marketing Information
5.1 It is understood that:
— by ticking the appropriate “I agree” checkbox under a Privacy Notice;
— by providing any personal data orally when calling the Call Center,
a Data Subject consents to receiving marketing information (as specified in clause 1.7.2 hereof) or newsletters from the Operator and/or third parties engaged by the Operator, via telecommunication networks (to the mobile phone number and e-mail address provided).
5.2 By giving the consent specified in clause 5.1 hereof, the Data Subject confirms that he/she acts of his/her own free will and in his/her own interest, and that the personal data provided by the Data Subject are correct and accurate.
6. Final Provisions