Policy of Sole Proprietor on the Processing of Personal Data
General Provisions
1.1. This Policy of Sole Proprietor I.V. Parshukova on the Processing of Personal Data (hereinafter, the “Policy”) has been developed pursuant to paragraph 2, part 1, article 18.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter, the “Personal Data Law”) for the purpose of ensuring the protection of the rights and freedoms of individuals in the processing of their personal data, including the protection of the rights to privacy, personal and family secrets.
1.2. The personal data operator is:
Sole Proprietor Irina Vitalievna Parshukova (hereinafter, the “Operator”)
TIN: 772612023442
OGRNIP: 318774600539961
Registered address: 117545, Moscow, Podolskikh Kursantov St., Bldg. 14, Bl. 1, Apt. 1
Email: info@prhotelgroup.ru
Phone: +7 (906) 795-12-32
1.3. Pursuant to part 2, article 18.1 of the Personal Data Law, this Policy is published for free access on the Internet on the Operator’s website at https://prhotelgroup.ru (hereinafter, the “Website”).
1.4. Key terms used in the Policy:
personal data — any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
personal data operator (operator) — a state body, municipal body, legal entity or individual that, independently or jointly with other persons, organizes and/or carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, and the actions (operations) performed with personal data;
personal data subject — an individual who can be identified directly or indirectly using personal data;
processing of personal data — any action (operation) or set of actions (operations) performed with personal data with or without the use of automation tools. Processing of personal data includes, among other things: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;
automated processing of personal data — processing of personal data using computer technology;
distribution of personal data — actions aimed at disclosing personal data to an indefinite number of persons;
provision of personal data — actions aimed at disclosing personal data to a specific person or a specific circle of persons;
blocking of personal data — temporary suspension of the processing of personal data (except where processing is necessary to clarify personal data);
destruction of personal data — actions as a result of which it becomes impossible to restore the content of personal data in a personal data information system and/or as a result of which the physical media containing personal data are destroyed;
depersonalization of personal data — actions as a result of which it becomes impossible, without the use of additional information, to determine whether personal data belongs to a specific personal data subject;
personal data information system — a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
1.5. Basic rights and obligations of the Operator.
1.5.1. The Operator shall:
– process personal data exclusively for the purposes specified in the Policy, in the manner established by the current laws of the Russian Federation, and take the measures necessary and sufficient to ensure fulfillment of the obligations provided for by the Personal Data Law and regulatory legal acts adopted pursuant thereto;
– not distribute personal data without the consent of the personal data subject (hereinafter, the “User”), unless otherwise provided for by the current laws of the Russian Federation;
– process personal data in compliance with the principles and rules provided for by the Personal Data Law;
– organize the protection of personal data in accordance with the requirements of the laws of the Russian Federation;
– review requests from the User (or their legal representative) on issues of personal data processing and provide reasoned responses;
– provide the User (or their legal representative) with the possibility of free access to their personal data;
– take measures to clarify, block, destroy, and depersonalize the User’s personal data in cases established by the Personal Data Law.
1.5.2. The Operator has the right to:
– independently determine the scope and list of measures necessary and sufficient to ensure fulfillment of the obligations provided for by the Personal Data Law and regulatory legal acts adopted pursuant thereto, unless otherwise provided for by the Personal Data Law or other federal laws;
– entrust the processing of personal data to another person with the User’s consent, unless otherwise provided for by federal law, on the basis of an agreement concluded with such person, including a state or municipal contract, or by adoption of a relevant act by a state or municipal body;
– in the event the User withdraws consent to the processing of personal data, continue processing without the User’s consent where grounds specified in the Personal Data Law exist;
– receive from the User accurate information and/or documents containing the User’s personal data for the purposes of processing specified in the Policy;
– require the User to promptly clarify the personal data provided.
1.6. Basic rights and obligations of the personal data subject.
1.6.1. The personal data subject shall:
– ensure the accuracy of the personal data provided to the Operator and necessary for the processing purposes specified in the Policy;
– provide the Operator, when necessary, with information to clarify (update, modify) the personal data provided.
1.6.2. The personal data subject has the right to:
– receive complete information relating to the processing of their personal data by the Operator, except in cases provided for by the laws of the Russian Federation;
– have their personal data clarified, blocked, or destroyed if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
– provide the Operator with consent to the processing of personal data, executed as a separate document;
– withdraw consent to the processing of personal data;
– take measures provided for by law to protect their rights.
1.7. The Operator and Users also have other rights and bear other obligations provided for by the laws of the Russian Federation.
1.8. The Operator must maintain confidentiality and not disclose personal data to third parties without lawful grounds. To protect data, the Operator uses, among other things: antivirus software, data encryption, access rights restrictions, logging of personal data processing, separate storage of personal data processed for different purposes, and other actions provided for by the laws of the Russian Federation.
1.9. Control over compliance with the requirements of this Policy is exercised by the authorized person responsible for organizing the processing of personal data at the Operator.
1.10. Liability for violation of the requirements of the laws of the Russian Federation and regulatory acts in the field of processing and protection of personal data is determined in accordance with the laws of the Russian Federation.
Purposes of Processing Personal Data
2.1. The processing of personal data is limited to achieving specific, predetermined, and lawful purposes. Processing of personal data incompatible with the purposes of personal data collection is not permitted. The personal data processed must not be excessive in relation to the stated purposes of their processing.
2.2. The Operator processes personal data for the following purposes:
– carrying out its activities in accordance with internal local acts, including the conclusion and performance of contracts with counterparties in the form of arranging and fulfilling accommodation bookings;
– the Operator’s entrustment of powers to process personal data to third parties in accordance with part 3, article 6 of the Personal Data Law;
– informing about the operation of the Website, monitoring and improving service quality;
– establishing feedback with the User, including sending notifications and requests;
– proper provision of services, processing of requests and applications from the User;
– providing the User with effective customer and technical support in case of problems;
– maintaining internal records of guests;
– conducting web analytics, statistical and research activities;
– carrying out marketing and advertising activities, including informational mailings, for the purpose of establishing and further developing relationships (subject to the prior consent of the personal data subject);
– conducting current business activities (including, without limitation, negotiations, litigation, claims work, conclusion of business, financial and entrepreneurial contracts, sending offers and commercial proposals);
– establishing and regulating employment relations and other relations directly related thereto, ensuring compliance with the labor, tax, insurance, and pension laws of the Russian Federation;
– fulfillment of the requirements of the laws of the Russian Federation.
2.3. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, intimate life, or criminal records.
Legal Grounds for Processing Personal Data
– Constitution of the Russian Federation;
– Civil Code of the Russian Federation;
– Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data”;
– Federal Law No. 149-FZ dated July 27, 2006 “On Information, Information Technologies and Information Protection”;
– Federal Law No. 294-FZ dated December 26, 2008 “On the Protection of Rights of Legal Entities and Individual Entrepreneurs in the Exercise of State Control (Supervision) and Municipal Control”;
– Presidential Decree No. 188 dated March 6, 1997 “On Approval of the List of Confidential Information”;
– Government Resolution No. 1119 dated November 1, 2012 “On Approval of the Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems”;
– Order of the Federal Service for Technical and Export Control (FSTEC of Russia) No. 21 dated February 18, 2013 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems”;
– consents of personal data subjects to the processing of personal data, executed separately from other consents of the personal data subject to the processing of personal data (in accordance with part 1, article 10.1 of the Personal Data Law);
– agreements concluded between the Operator and personal data subjects.
Scope and Categories of Personal Data Processed,
Categories of Personal Data Subjects
4.1. Categories of personal data subjects:
– employees of the Operator who have concluded an employment contract with the Operator, including former employees and job applicants;
– self-employed individuals (taxpayers under the professional income tax (NPD)) providing services or performing work for the Operator; representatives of counterparties — natural persons who are employees, authorized representatives, or contact persons of organizations and sole proprietors providing services to or having concluded agreements with the Operator;
– guests — individuals who have actually used the Operator’s accommodation and related services;
– clients — individuals who have concluded or intend to conclude a services agreement with the Operator, including persons who have submitted requests or made reservations but have not yet used the service; visitors (users) of the Website;
– individuals viewing pages of the Website https://prhotelgroup.ru on a computer and/or mobile device.
4.2. Personal data processed by the Operator include:
– the User’s last name, first name, patronymic (middle name);
– date and place of birth;
– gender, citizenship, age;
– address of registration and actual residence;
– mobile phone number;
– email address;
– passport details: series, number, name of issuing authority, date of issue;
– birth certificate details;
– other or similar information about identity documents;
– information about accompanying persons;
– for foreign citizens: visa and migration card details; contact phone numbers, email address, purpose of visit;
– data automatically transmitted to the Website’s services (via forms) in the course of their use through software installed on the User’s device, namely: IP address, cookie data, analytics trackers, information about the User’s browser (or other program used to access the services), behavioral data.
4.3. The Operator ensures that the content and scope of personal data processed correspond to the stated purposes of processing set forth in Section 2 of the Policy.
Procedure and Conditions for Processing and Storing Personal Data
5.1. The Operator processes personal data in accordance with the requirements of the laws of the Russian Federation using automation tools with transmission via the Internet.
5.2. The list of actions performed by the Operator with the User’s personal data for the purposes specified in Section 2 of the Policy: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
5.3. The Operator processes personal data provided that the User’s consent (hereinafter, the “Consent”) has been obtained in accordance with the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” except in cases established by the laws of the Russian Federation when processing may be carried out without such Consent.
5.4. The User decides to provide their personal data and gives Consent freely, by their own will, and in their own interest.
5.5. The period of processing personal data is determined by the achievement of the purposes for which the personal data were collected, unless another period is provided for by the agreement with the User or by applicable law. Grounds for terminating the processing of personal data may include achieving the purposes of personal data processing or the loss of necessity to achieve those purposes, expiration of the Consent or withdrawal of the Consent by the User, as well as the identification of unlawful processing of personal data.
5.6. If the Operator entrusts the processing and storage of personal data to another person on the basis of the relevant agreement/contract, the Operator is liable to the User for the actions of such person. If the Operator entrusts the processing and storage of personal data to a foreign legal entity, liability to the User is borne by both the Operator and such person.
5.7. Consent may be withdrawn as follows: by the personal data subject contacting the Operator by sending a message to e-mail: info@prhotelgroup.ru with a request to cease processing personal data. Within a period not exceeding 10 business days from the date the Operator receives the relevant request, processing of personal data shall be terminated, except in cases provided for by the Personal Data Law. This period may be extended, but by no more than five business days. To do so, the Operator must send the personal data subject a reasoned notice indicating the reasons for the extension.
5.8. The Operator carries out the distribution of personal data authorized by the User for distribution, i.e., performs actions aimed at their disclosure to an indefinite number of persons, in compliance with the requirements, prohibitions, and conditions established by part 9, article 9 and article 10.1 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data.” Disclosure to third parties and distribution of personal data without the User’s consent is not permitted, unless otherwise provided for by federal law. Consent to the processing of personal data authorized by the User for distribution is executed separately from other consents of the User for the processing of their personal data, taking into account the requirements for the content of consent to the processing of personal data authorized by the personal data subject for distribution, as approved by Roskomnadzor.
Transfer of personal data to third parties is carried out by the Operator only on the basis of a relevant agreement with the third party, a material term of which is the obligation of the third party to ensure the confidentiality and security of personal data during processing. Transfer of personal data to third parties is carried out only to the extent necessary to achieve the purposes of processing and exclusively to persons that have an agreement with the Operator on confidentiality and protection of personal data.
5.9. When processing personal data, the Operator takes or ensures the adoption of necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in respect of personal data.
5.10. Personal data are stored in a form that allows the User to be identified for no longer than required by the purposes of personal data processing, unless a period for storing personal data is established by federal law or by an agreement to which the User is a party, beneficiary, or guarantor.
5.11. In processing personal data, the Operator complies with the requirements of article 18 of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data.”
5.12. The Operator terminates the processing of personal data in the following cases:
– an instance of unlawful processing is identified, within the time limits specified in Section 6 of the Policy;
– the purpose of processing has been achieved;
– the period of validity of, or the consent of, the personal data subject to processing has expired or been withdrawn where, under the Personal Data Law, such processing is permissible only with consent.
5.13. When collecting personal data, including via the Internet, the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located outside the Russian Federation are not permitted, except in cases specified in the Personal Data Law.
Updating, Correction, Deletion, Destruction, Depersonalization of
Personal Data, Responses to Personal
Data Subjects’ Requests for Access
6.1. If unlawful processing of personal data is identified upon a request by the User (their representative) or at the request of the User (their representative) or of the authorized body for the protection of the rights of personal data subjects, the Operator shall block the unlawfully processed personal data relating to the relevant User, or ensure their blocking from the time of such request or receipt of the User’s request, for the period of verification. If inaccurate personal data are identified upon a request by the User or their representative or at their request or at the request of the authorized body for the protection of the rights of personal data subjects, the Operator shall block the personal data relating to such User, or ensure their blocking from the time of such request or receipt of the request for the period of verification, if blocking the personal data does not violate the rights and legitimate interests of the User or third parties.
6.2. If the inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the User (their representative) or by the authorized body for the protection of the rights of personal data subjects, or other necessary documents, shall clarify the personal data or ensure their clarification within seven business days from the date such information is provided.
6.3. If unlawful processing of personal data is identified, the Operator, within a period not exceeding three business days from the date of such identification, shall cease the unlawful processing of personal data or ensure the cessation of the unlawful processing of personal data; and if it is impossible to ensure lawful processing, within a period not exceeding ten business days from the date unlawful processing is identified, shall destroy such personal data or ensure their destruction.
6.4. Upon achieving the purpose of processing personal data, the Operator shall destroy the personal data or ensure their destruction within a period not exceeding thirty days from the date the purpose of processing personal data is achieved, unless otherwise provided for by a contract to which the User is a party, beneficiary, or guarantor, or by another agreement between the Operator and the User, or unless the Operator is not entitled to process personal data without the User’s consent on the grounds provided for by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” or other federal laws.
6.5. In the event the User withdraws consent to the processing of their personal data and if the retention of personal data is no longer required for the purposes of processing personal data, the Operator shall destroy the personal data or ensure their destruction within a period not exceeding thirty days from the date such withdrawal is received, unless otherwise provided for by a contract to which the User is a party, beneficiary, or guarantor, or by another agreement between the Operator and the User, or unless the Operator is not entitled to process personal data without the User’s consent on the grounds provided for by Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” or other federal laws.
6.6. Within a period not exceeding seven business days from the date the User (their representative) provides information confirming that such personal data were unlawfully obtained or are not necessary for the stated purpose of processing, the Operator shall destroy such personal data.
6.7. If the Operator, Roskomnadzor, or another interested party identifies an instance of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data) that has resulted in a violation of the rights of personal data subjects, the Operator shall:
– within 24 hours — notify Roskomnadzor of the incident, the presumed causes that led to the violation of the rights of personal data subjects, the presumed harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and provide information about the person authorized by the Operator to interact with Roskomnadzor on issues related to the incident;
– within 72 hours — notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused it (if any).
6.8. Methods for destroying personal data are established in the Operator’s internal regulations.
6.9. Processed data are subject to destruction or depersonalization (including, but not limited to, by replacing part of the information specified in Section 4 with an ID) upon achieving the purposes of processing or upon loss of the necessity to achieve those purposes. The procedure for depersonalization of personal data is established in the Operator’s internal regulations.
6.10. Detailed actions related to the prevention and detection of violations in the field of personal data processing are established in the Operator’s internal regulations.
Liability of the Parties
7.1. The Operator is liable for violation of the requirements of Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” in accordance with the laws of the Russian Federation.
7.2. The User has the right to claim, in court, compensation for losses and/or compensation for moral harm. Moral harm caused to the User as a result of a violation of their rights, violation of the rules for processing personal data, as well as the requirements for personal data protection established pursuant to Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data,” and the provisions of this Policy, is subject to compensation in accordance with the laws of the Russian Federation. Compensation for moral harm is provided regardless of compensation for property damage and losses incurred by the User.
Dispute Resolution
8.1. In the event of disputes and/or disagreements arising from relations between the User and the Operator, such matters shall be resolved in accordance with the current laws of the Russian Federation.
8.2. The current laws of the Russian Federation apply to this Policy and to relations between the User and the Operator.
Final Provisions
9.1. The Operator may amend the Policy without the User’s consent.
9.2. The new version of the Policy takes effect from the moment it is posted on the Website, unless otherwise provided for by the new version of the Policy. The new version of the Policy applies to relations arising after it enters into force. The current version of the Policy is always available on the Operator’s Website. When amendments are made, the Operator notifies users by posting the new version of the Policy on the Website.
Verification (not part of the Policy): All sections (1–9), clauses, subclauses, lists, law titles, numbers, addresses, contacts, URLs, and time limits (24h/72h/7/10/30 business days) match the Russian original; capitalization and defined terms (“Operator,” “User,” “Personal Data Law,” “Website,” “Roskomnadzor”) are used consistently.