What can we build together?
Personal data processing and protection policy
dzer (LLC)
dzer (LLC)
1 Scope of application
1.1 The objectives of the Personal data Processing and Protection Policy (hereinafter referred to as the Policy) are:
− determining the procedure for processing and protection of personal data of employees of dzer (LLC) (hereinafter referred to as the company, operator) and other subjects of personal data, whose personal data are subject to processing, based on the authority of dzer;
− Ensuring the protection of human and civil rights and freedoms;
− protection of the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials who have access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data in dzer.
1.2 The Policy applies to all Personal Data processed by dzer.
1.3 General control over compliance with the requirements of the legislation in the field of personal data in dzer is carried out by the person responsible for organizing the processing of personal data in dzer.
1.4 In case of violation of the requirements of the legislation in the field of personal data, the guilty persons may be held liable as prescribed by the legislation.
2 DESIGNATIONS AND ABBREVIATIONS
PDIS – Personal Data Information System;
dzer – dzer (LLC);
UAA – unauthorized access;
PD – personal data.
3 PRINCIPLES OF PERSONAL DATA PROCESSING AND PROTECTION
3.1. In dzer the processing of personal data is carried out on the basis of the following principles:
− personal data processing is carried out on a legal and fair basis;
− the processing of personal data is limited to achieving specific, predefined and legitimate goals;
− processing of personal data that is incompatible with the purposes of collecting personal data is not permitted;
− it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
− only Personal Data that meet the purpose of their processing shall be processed;
− the content and scope of processed Personal Data correspond to the stated purposes of processing;
− Personal Data is stored in a form that allows to identify the subject of the Personal Data for no longer than required for the purposes of processing;
− Processed Personal Data shall be destroyed in the event of withdrawal of consent to processing, when the purposes of processing have been achieved or when it is no longer necessary to achieve these purposes, unless otherwise provided for by law;
− Processing of Personal Data is not used for the purpose of causing property and/or moral damage to the subjects of Personal Data or impeding the realization of their rights and freedoms.
4 LEGAL BASIS OF PERSONAL DATA PROCESSING
4.1. The legal basis for the processing of personal data for dzer is as follows:
− the PD subject's consent to the processing of his personal data;
− dzer charter;
− contracts;
− regulatory legal acts regulating relations related to the activities of dzer and the organization of the process of processing and protecting personal data.
5 SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS
5.1. The content and scope of the processed Personal Data must comply with the stated purposes of processing as stipulated in Section 7 of the Policy.
5.2. Personal data may be processed in dzer solely for the purposes for which they were collected or obtained.
5.3. Processed personal data shall not be redundant in relation to the stated purposes of their processing. In the case of providing redundant data by the PD subject himself, dzer has the right:
− refuse to accept them;
− destroy in the presence of the personal data subject.
5.4. dzer processes the personal data of the subjects of personal data specified in the register of personal data operators: https://pd.rkn.gov.ru/operators-registry/operators-list/?id=52-23-195044.
5.5. dzer does not process biometric personal data.
5.6. dzer processes special categories of personal data related to the health status of personal data subjects in accordance with the legislation.
6 PURPOSES OF PERSONAL DATA PROCESSING
6.1. Personal Data shall be processed by the operator for the purposes specified in the register of Personal Data operators: https://pd.rkn.gov.ru/operators-registry/operators-list/?id=52-23-195044.
6.2. The processing of Personal Data shall be strictly limited to achieving the purposes of Personal Data processing. Processing of Personal Data for purposes other than those specified in clause 6.1 is not permitted.
6.3. The list of processed personal data is established for each of the purposes defined in clause 6.1, and is also indicated in the register of personal data operators.
7 PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
7.1. The retention period for Personal Data processed in Personal Data Information System corresponds to the retention period for Personal Data in hard copy.
7.2. dzer stops processing personal data if:
− the fact of their unauthorized processing was revealed;
− the purpose of their processing has been achieved or the need to achieve that purpose has been lost;
− the PD subject's consent to the processing of the specified data has expired or been revoked, when processing is allowed only with consent.
7.3. When the purposes of processing of Personal Data have been achieved or in the case of loss of necessity to achieve this purpose, as well as in the case of revocation of consent to their processing by the subject of Personal Data, dzer shall stop processing the data if:
− the legislation does not provide for cases allowing the processing of personal data without the consent of the subject;
− unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor;
− unless otherwise provided for in another agreement between dzer and the subject of personal data.
7.4. Access to processed personal data is granted only to those employees who need it in connection with the performance of their job duties and in compliance with the principles of personal responsibility.
7.5. dzer has the right to engage third parties in processing Personal Data, as well as to receive Personal Data from them for the purposes specified in clause 6.1.
7.6. dzer takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to personal data.
7.7. dzer does not perform cross-border transfer of personal data.
8 UPDATING, CORRECTION, DELETION, DESTRUCTION, BLOCKING OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA
8.1. Confirmation of the fact of processing of personal data in dzer, the legal grounds and purposes of processing of personal data, as well as other information, are provided by dzer to the subject of personal data or his representative within 10 working days from the date of the request or receipt of the request of the subject of personal data or his representative.
8.2. If the personal data subject application (request) does not contain all the necessary information or the subject does not have access rights to the requested information, a motivated refusal is sent to the subject.
8.3. In the event that inaccurate personal data is detected when applying by a personal data subject or his/her representative or at their request, dzer shall block the personal data related to this personal data subject or ensure their blocking from the moment of such apply or receipt of the specified request for the verification period.
8.4. In case of confirmation of the fact of inaccuracy of the personal data, dzer, based on the information provided by the personal data subject or his representative, or other necessary documents, clarifies the personal data or ensures their clarification within 7 working days from the date of submission of such information and removes the blocking of personal data.
8.5. In case of detection of illegal processing of personal data carried out by dzer, dzer, within a period not exceeding 3 working days from the date of this detection, is obliged to stop the illegal processing of personal data or ensure termination.
8.6. If the subject of the Personal Data requests dzer to stop processing the Personal Data within a period not exceeding 10 business days from the date of receipt of the request, dzer stops processing the Personal Data or ensures its termination, except for cases stipulated by the legislation.
8.7. Conditions and deadlines for destruction of personal data in dzer:
− achievement of the purpose of processing Personal Data or loss of the need to achieve this purpose - within 30 days;
− provision by the subject of personal data (his representative) of confirmation that the personal data were obtained illegally or are not necessary for the stated purpose of processing - within 7 working days;
− revocation by the subject of Personal Data of consent to the processing of his/her Personal Data, if their retention for the purpose of their processing is no longer required - within 30 days.
8.8. Upon achieving the purpose of PD processing, as well as in the event that the PD subject withdraws consent to their processing, PD must be destroyed, in accordance with local regulatory documents, if:
− unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor;
− dzer does not have the right to carry out processing without the consent of the subject of personal data on the grounds provided by law;
− unless otherwise provided by another agreement between the user and the subject of personal data.
9 PROCESSING OF ELECTRONIC USER DATA, INCLUDING COOKIES
9.1. for the purposes of processing of Personal Data as set forth in the Policy, dzer may automatically collect electronic user data, including cookies, on its websites without the need for participation of website visitors and their performance of any actions to send data. The processing of such data is necessary to promote the goods and services of dzer, including the adaptation of the website.
9.2. The basis for processing (including transfer) of electronic user data, including cookies, is consent to the processing of PD, provided by website visitors by performing implicative actions:
− pressing a button, e.g. “Accept”;
− closing notification of the collection and processing of such data;
− continuing use of sites.
9.3. Information about website visits and visitors' actions on websites may be recorded and transferred to specialized analytical services for the purposes specified in clause 6.1. Such services may include, for example, Yandex.Metrica, Yandex SmartCaptcha, Tilda statistics tools and others. Data collected by such services may also be received and processed by third parties, for example, Yandex LLC (privacy policy: https://yandex.ru/legal/confidential/), Tilda Publishing, LLC (privacy policy: https://tilda.cc/ru/privacy/).
10 RIGHTS OF PERSONAL DATA SUBJECTS
10.1. The PD subject has the right to:
− receive information regarding the processing of his personal data, except in cases provided by law;
− appeal in court against illegal actions or inaction of the user when processing his/her personal data;
− to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court order;
− other rights stipulated by the legislation.
1.1 The objectives of the Personal data Processing and Protection Policy (hereinafter referred to as the Policy) are:
− determining the procedure for processing and protection of personal data of employees of dzer (LLC) (hereinafter referred to as the company, operator) and other subjects of personal data, whose personal data are subject to processing, based on the authority of dzer;
− Ensuring the protection of human and civil rights and freedoms;
− protection of the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials who have access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data in dzer.
1.2 The Policy applies to all Personal Data processed by dzer.
1.3 General control over compliance with the requirements of the legislation in the field of personal data in dzer is carried out by the person responsible for organizing the processing of personal data in dzer.
1.4 In case of violation of the requirements of the legislation in the field of personal data, the guilty persons may be held liable as prescribed by the legislation.
2 DESIGNATIONS AND ABBREVIATIONS
PDIS – Personal Data Information System;
dzer – dzer (LLC);
UAA – unauthorized access;
PD – personal data.
3 PRINCIPLES OF PERSONAL DATA PROCESSING AND PROTECTION
3.1. In dzer the processing of personal data is carried out on the basis of the following principles:
− personal data processing is carried out on a legal and fair basis;
− the processing of personal data is limited to achieving specific, predefined and legitimate goals;
− processing of personal data that is incompatible with the purposes of collecting personal data is not permitted;
− it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
− only Personal Data that meet the purpose of their processing shall be processed;
− the content and scope of processed Personal Data correspond to the stated purposes of processing;
− Personal Data is stored in a form that allows to identify the subject of the Personal Data for no longer than required for the purposes of processing;
− Processed Personal Data shall be destroyed in the event of withdrawal of consent to processing, when the purposes of processing have been achieved or when it is no longer necessary to achieve these purposes, unless otherwise provided for by law;
− Processing of Personal Data is not used for the purpose of causing property and/or moral damage to the subjects of Personal Data or impeding the realization of their rights and freedoms.
4 LEGAL BASIS OF PERSONAL DATA PROCESSING
4.1. The legal basis for the processing of personal data for dzer is as follows:
− the PD subject's consent to the processing of his personal data;
− dzer charter;
− contracts;
− regulatory legal acts regulating relations related to the activities of dzer and the organization of the process of processing and protecting personal data.
5 SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS
5.1. The content and scope of the processed Personal Data must comply with the stated purposes of processing as stipulated in Section 7 of the Policy.
5.2. Personal data may be processed in dzer solely for the purposes for which they were collected or obtained.
5.3. Processed personal data shall not be redundant in relation to the stated purposes of their processing. In the case of providing redundant data by the PD subject himself, dzer has the right:
− refuse to accept them;
− destroy in the presence of the personal data subject.
5.4. dzer processes the personal data of the subjects of personal data specified in the register of personal data operators: https://pd.rkn.gov.ru/operators-registry/operators-list/?id=52-23-195044.
5.5. dzer does not process biometric personal data.
5.6. dzer processes special categories of personal data related to the health status of personal data subjects in accordance with the legislation.
6 PURPOSES OF PERSONAL DATA PROCESSING
6.1. Personal Data shall be processed by the operator for the purposes specified in the register of Personal Data operators: https://pd.rkn.gov.ru/operators-registry/operators-list/?id=52-23-195044.
6.2. The processing of Personal Data shall be strictly limited to achieving the purposes of Personal Data processing. Processing of Personal Data for purposes other than those specified in clause 6.1 is not permitted.
6.3. The list of processed personal data is established for each of the purposes defined in clause 6.1, and is also indicated in the register of personal data operators.
7 PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
7.1. The retention period for Personal Data processed in Personal Data Information System corresponds to the retention period for Personal Data in hard copy.
7.2. dzer stops processing personal data if:
− the fact of their unauthorized processing was revealed;
− the purpose of their processing has been achieved or the need to achieve that purpose has been lost;
− the PD subject's consent to the processing of the specified data has expired or been revoked, when processing is allowed only with consent.
7.3. When the purposes of processing of Personal Data have been achieved or in the case of loss of necessity to achieve this purpose, as well as in the case of revocation of consent to their processing by the subject of Personal Data, dzer shall stop processing the data if:
− the legislation does not provide for cases allowing the processing of personal data without the consent of the subject;
− unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor;
− unless otherwise provided for in another agreement between dzer and the subject of personal data.
7.4. Access to processed personal data is granted only to those employees who need it in connection with the performance of their job duties and in compliance with the principles of personal responsibility.
7.5. dzer has the right to engage third parties in processing Personal Data, as well as to receive Personal Data from them for the purposes specified in clause 6.1.
7.6. dzer takes the necessary legal, organizational and technical measures or ensures their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to personal data.
7.7. dzer does not perform cross-border transfer of personal data.
8 UPDATING, CORRECTION, DELETION, DESTRUCTION, BLOCKING OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA
8.1. Confirmation of the fact of processing of personal data in dzer, the legal grounds and purposes of processing of personal data, as well as other information, are provided by dzer to the subject of personal data or his representative within 10 working days from the date of the request or receipt of the request of the subject of personal data or his representative.
8.2. If the personal data subject application (request) does not contain all the necessary information or the subject does not have access rights to the requested information, a motivated refusal is sent to the subject.
8.3. In the event that inaccurate personal data is detected when applying by a personal data subject or his/her representative or at their request, dzer shall block the personal data related to this personal data subject or ensure their blocking from the moment of such apply or receipt of the specified request for the verification period.
8.4. In case of confirmation of the fact of inaccuracy of the personal data, dzer, based on the information provided by the personal data subject or his representative, or other necessary documents, clarifies the personal data or ensures their clarification within 7 working days from the date of submission of such information and removes the blocking of personal data.
8.5. In case of detection of illegal processing of personal data carried out by dzer, dzer, within a period not exceeding 3 working days from the date of this detection, is obliged to stop the illegal processing of personal data or ensure termination.
8.6. If the subject of the Personal Data requests dzer to stop processing the Personal Data within a period not exceeding 10 business days from the date of receipt of the request, dzer stops processing the Personal Data or ensures its termination, except for cases stipulated by the legislation.
8.7. Conditions and deadlines for destruction of personal data in dzer:
− achievement of the purpose of processing Personal Data or loss of the need to achieve this purpose - within 30 days;
− provision by the subject of personal data (his representative) of confirmation that the personal data were obtained illegally or are not necessary for the stated purpose of processing - within 7 working days;
− revocation by the subject of Personal Data of consent to the processing of his/her Personal Data, if their retention for the purpose of their processing is no longer required - within 30 days.
8.8. Upon achieving the purpose of PD processing, as well as in the event that the PD subject withdraws consent to their processing, PD must be destroyed, in accordance with local regulatory documents, if:
− unless otherwise provided by an agreement to which the personal data subject is a party, beneficiary or guarantor;
− dzer does not have the right to carry out processing without the consent of the subject of personal data on the grounds provided by law;
− unless otherwise provided by another agreement between the user and the subject of personal data.
9 PROCESSING OF ELECTRONIC USER DATA, INCLUDING COOKIES
9.1. for the purposes of processing of Personal Data as set forth in the Policy, dzer may automatically collect electronic user data, including cookies, on its websites without the need for participation of website visitors and their performance of any actions to send data. The processing of such data is necessary to promote the goods and services of dzer, including the adaptation of the website.
9.2. The basis for processing (including transfer) of electronic user data, including cookies, is consent to the processing of PD, provided by website visitors by performing implicative actions:
− pressing a button, e.g. “Accept”;
− closing notification of the collection and processing of such data;
− continuing use of sites.
9.3. Information about website visits and visitors' actions on websites may be recorded and transferred to specialized analytical services for the purposes specified in clause 6.1. Such services may include, for example, Yandex.Metrica, Yandex SmartCaptcha, Tilda statistics tools and others. Data collected by such services may also be received and processed by third parties, for example, Yandex LLC (privacy policy: https://yandex.ru/legal/confidential/), Tilda Publishing, LLC (privacy policy: https://tilda.cc/ru/privacy/).
10 RIGHTS OF PERSONAL DATA SUBJECTS
10.1. The PD subject has the right to:
− receive information regarding the processing of his personal data, except in cases provided by law;
− appeal in court against illegal actions or inaction of the user when processing his/her personal data;
− to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court order;
− other rights stipulated by the legislation.
