- This document (hereinafter referred to as the Policy) defines the purposes and general principles for the processing of personal data, as well as the implemented measures for the protection of personal data in STAUFF LLC (hereinafter referred to as the Operator). The Policy is a public document of the Operator and provides for the possibility of familiarization with it by any person.
- Basic concepts used in the Policy
- Automated processing of personal data - processing of personal data using computer technology;
- Blocking of personal data - temporary suspension of the processing of personal data (except for cases when processing is necessary to clarify personal data);
- Personal data information system - a set of available personal data and information technologies and technical means that ensure their processing;
- Depersonalization of personal data - actions as a result of which it is impossible to determine, without the use of additional information, the belonging of personal data to a specific subject of personal data;
- Processing of personal data - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without their use, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data;
- Operator - a state agency, municipal agency, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data;
- Personal data - any information relating directly or indirectly to a specific or identifiable subject of personal data (Operator's employees, Operator's clients and contractors, representatives/employees of the Operator's clients and contractors and other persons);
- Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific circle of persons;
- User - any visitor to the information portal of the Operator.
- Dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of persons.
- Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or foreign legal entity;
- Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed.
- Principles of personal data processing
- Processing of Personal data by the Operator is carried out in accordance with the following principles:
- Lawfulness and fair basis for the processing of Personal Data. The Operator takes all necessary measures to comply with the requirements of the Legislation, does not process Personal Data in cases where this is not allowed by the Legislation, does not use Personal Data to the detriment of the User.
- Processing only those Personal Data that meet the pre-declared purposes of their processing. Compliance of the content and volume of the processed Personal data with the stated purposes of processing. Prevention of the processing of Personal Data that is incompatible with the purposes of collecting Personal Data, as well as excessive in relation to the stated purposes of their processing.
- Ensuring the accuracy, sufficiency and relevance of Personal Data in relation to the purposes of processing Personal Data. The Operator takes all reasonable measures to maintain the relevance of the processed Personal Data, including, but not limited to, the exercise of the right of each Subject to receive their Personal Data for review and require the Operator to clarify, block or destroy them if the Personal Data is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the processing purposes stated above.
- Purpose and area of action
- The current version of the Policy is freely available on the Operator's information portal (STAUFF.RU), and is also sent electronically upon request.
- The Policy is valid indefinitely after approval until it is replaced by a new version.
- The Policy uses terms and definitions in accordance with their meanings, as they are defined in Federal Law No. 152-FZ "On Personal Data", as well as terms and definitions in accordance with Section 2.
- The Policy applies to all employees of the Operator (including employees under employment contracts and employees working under contract agreements) and all structural divisions of the Company, including separate divisions. The requirements of the Policy are also taken into account and presented to other persons if they need to participate in the processing of personal data by the Operator, as well as in cases where personal data is transferred to them in accordance with the established procedure on the basis of agreements, contracts, instructions for processing.
- The Policy applies to all information that the Operator can receive about the subjects of personal data.
- The Operator sets as its most important goal and condition for the implementation of its activities the observance of the rights and freedoms of a person and a citizen in the processing of his personal data, including the protection of the rights to privacy, personal and family secrets.
- Legal grounds for the processing of personal data
- The processing of personal data by the Operator is carried out in a mixed way: with and without the use of automation tools.
- Actions with personal data include collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
- The processing of personal data is carried out by the Operator on a legal basis, the legal grounds for processing are:
- Constitution of the Russian Federation;
- Labor Code of the Russian Federation;
- Civil Code of the Russian Federation;
- Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;
- Federal Law of December 29, 2012 No. 273-FZ “On Education in the Russian Federation”;
- Federal Law No. 149-FZ of July 27, 2006 "On Information, Information Technologies and Information Protection";
- Charter of STAUFF LLC.
- The content and scope of the processed personal data are determined based on the purposes of processing.
- The Operator processes Personal Data for the following purposes:
- carrying out activities provided for by the Charter of the Company, the current legislation of the Russian Federation;
- fulfillment of the Operator's obligations to the User for the sale of goods, including payment processing, delivery of goods;
- to communicate with the Users, if necessary, including for sending notifications, information and requests related to the provision of services, as well as processing applications, requests and applications;
- to improve the quality of services provided by the Operator;
- to promote services on the market through direct contact with Users;
- for statistical and other research based on anonymized personal data.
- Depersonalized data of Users collected using Internet statistics services (Yandex Metrika, Google Analytics, etc.) serve to collect information about the actions of Users on the information portal, improve the quality of the information portal and its content.
- The main categories of personal data subjects whose data are processed by the Operator include: contractors - individuals associated with the Operator by civil law relations; employees of the contractor - individuals associated with the contractor by labor or civil law relations; users of the information portal of the Operator, incl. representatives of dealers, companies, customers, casual visitors and third parties; other entities in connection with the existence of legal relations with the Operator that do not contradict the legislation of the Russian Federation.
- The following personal data may be processed for the specified categories of subjects:
- Surname, first name, patronymic;
- E-mail address;
- Phone numbers;
- Year and date of birth;
- Family status;
- Profession;
- User IP address;
- User Browser Type;
- Address.
- The information portal also collects and processes impersonal data about visitors (including cookies) using Internet statistics services.
- The processing ensures the accuracy of personal data, their sufficiency and relevance in relation to the purposes of processing personal data. If inaccurate or incomplete personal data is found, they are clarified and updated.
- The processing and storage of personal data is carried out no longer than required by the purposes of processing personal data, if there are no legal grounds for further processing, for example, if the federal law or the agreement with the subject of personal data does not establish an appropriate storage period. The processed personal data is subject to destruction or depersonalization upon the occurrence of the following conditions:
- achieving the goals of processing personal data - within 30 days;
- loss of the need to achieve the purposes of processing personal data - within 30 days;
- provision by the subject of personal data or his legal representative of confirmation that the personal data are illegally obtained or not necessary for the stated purpose of processing - within 7 days;
- the impossibility of ensuring the legality of the processing of personal data - within 10 days;
- withdrawal by the subject of personal data of consent to the processing of personal data, if the storage of personal data is no longer required for the purposes of processing personal data - within 30 days;
- liquidation (reorganization) of the Operator.
The procedure for ensuring the confidentiality of personal data of Users and other subjects of personal data is determined in the Privacy Policy of STAUFF LLC, which is an integral part of this Policy regarding the processing and protection of personal data of the Operator.
- The User's personal data is not transferred to third parties, except as provided by the legislation of the Russian Federation.
- In case of detection of inaccuracies in personal data, the User can update them independently by sending a notification to the Operator at the Operator’s e-mail address stauffrussia@ya.ru marked “Updating personal data”.
- The term of personal data processing is unlimited.
Rights of the subject of personal data
- The subject of personal data may at any time withdraw his consent to the processing of personal data by sending the Operator a notification by e-mail to the Operator's email address stauffrussia@ya.ru marked "Withdrawal of consent to the processing of personal data".
- The subject of personal data has the right to receive information regarding the processing of his personal data by contacting the Operator via e-mail at stauffrussia@ya.ru.
- Information that can be obtained by the subject of personal data may include, among other things:
- confirmation of the fact of personal data processing by the Operator;
- legal grounds and purposes of personal data processing;
- purposes and methods used by the Operator for processing personal data;
- the name and location of the Operator, information about persons (excluding employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
- processed personal data relating to the relevant subject of personal data, the source of their receipt, unless a different procedure for the provision of such data is provided by federal law;
- terms of processing personal data, including the terms of their storage;
- the procedure for exercising by the subject of personal data the rights provided for by the Federal Law "On Personal Data";
- name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Operator, if the processing is or will be entrusted to such a person;
- other information provided for by the Federal Law "On Personal Data" or other federal laws.
- The subject of personal data has the right to demand from the Operator the clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as take measures provided by law to protect their rights.
- If the subject of personal data believes that the Operator is processing his personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or inaction of the Operator to the authorized state body for the protection of the rights of subjects of personal data (Federal Service for Supervision of Communications, Information Technology and Mass Communications - Roskomnadzor) or in court.
- The subject of personal data has the right to protect his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
Responsibility
- The rights and obligations of the Operator are determined by the current legislation and agreements of the Operator.
- Control over the fulfillment of the requirements of this Policy is carried out by the person responsible for organizing the processing of personal data within his authority.
- Persons guilty of violating the rules governing the processing and protection of personal data bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal laws, local acts, agreements of the Operator.
- The Policy is developed by the person responsible for organizing the processing of personal data and put into effect after approval by the head of the Operator. Suggestions and comments for amendments to the Policy should be sent to stauffrussia@ya.ru. The Policy is reviewed annually to keep it up to date and updated as necessary.
The procedure for collecting, storing, transferring and other types of processing of personal data
- The Operator takes the necessary legal, organizational and technical measures to ensure the security of personal data to protect it from unauthorized (including accidental) access, destruction, modification, blocking, access and other unauthorized actions. These measures include, in particular:
- appointment of employees responsible for organizing the processing and ensuring the security of personal data;
- publication of local acts on the processing of personal data, familiarization of employees with them;
- ensuring the physical security of premises and processing facilities, access control, security, video surveillance;
- restriction and delimitation of access of employees and other persons to personal data and processing facilities, monitoring of actions with personal data;
- identification of threats to the security of personal data during their processing, the formation of threat models on their basis;
- the use of security tools (anti-virus tools, firewalls, means of protection against unauthorized access, means of cryptographic information protection), including those that have passed the conformity assessment procedure in the prescribed manner;
- accounting and storage of information carriers, excluding their theft, substitution, unauthorized copying and destruction;
- backing up information for recovery;
- internal control over compliance with the established procedure, verification of the effectiveness of the measures taken, incident response.
- The Operator ensures the safety of personal data and takes all possible measures to exclude access to personal data of unauthorized persons.
- When processing personal data, the Operator is obliged to observe the security and confidentiality of the processed personal data, as well as to comply with other requirements provided for by the legislation of the Russian Federation in the field of personal data.
- Operator employees who have access to personal data must ensure the confidentiality of such data. Ensuring confidentiality is not required in relation to:
- personal data after their depersonalization;
- publicly available personal data.