Personal data processing policy

1. TERMS AND DEFINITIONS

1.1. The following terms and definitions are used in this regulation on the processing and protection of personal data of Clients of Volgograd-sputnik Limited Liability Company and other users of the website https://excursions-volgograd.ru, owned by Volgograd-sputnik Limited Liability Company (hereinafter referred to as the Regulation):

personal data — any information directly or indirectly related to a specific or identifiable individual (subject of personal data), including: personal information that the user provides about himself independently, including data that is automatically transferred to the Operator in the process of the user using the website https://excursions-volgograd.ru (hereinafter referred to as the Site) using the software installed on the user's device; other information about the user, the collection or provision of which is necessary for the use of the Site;

Operator (Company) — Volgograd-sputnik Limited Liability Company, independently or jointly with other persons, organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data;

personal data processing — any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data; automated processing of personal data — processing of personal data using computer technology;

distribution of personal data — actions aimed at disclosing personal data to an indefinite number of persons;

provision of personal data — actions aimed at disclosing personal data to a specific person or a specific number of persons;

blocking of personal data — temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data);

destruction of personal data — actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible carriers of personal data are destroyed;

depersonalization of personal data — actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without the use of additional information.

2. GENERAL PROVISIONS

2.1. This regulation on the processing and protection of personal data of Clients of Volgograd-sputnik Limited Liability Company and other users of the website http://excursions-volgograd.ru, defines the policy of Volgograd-sputnik Limited Liability Company (hereinafter referred to as the Company, Operator) regarding the processing of personal data, regulates the processing of personal data, establishes procedures aimed at preventing and identifying violations of the legislation of the Russian Federation, eliminating the consequences of such violations. The main purpose of this Regulation is to protect the rights and freedoms of a person and citizen when processing his personal data, including the protection of the rights to privacy, personal and family secrets.

2.2. Processing and ensuring the security of information classified as personal data is carried out by the Company in accordance with the legislation of the Russian Federation.

2.3. Personal data are confidential, strictly protected information and are subject to all requirements established by the internal documents of the Company for the protection of confidential information.

2.4. This Regulation has been developed in accordance with the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" and other regulatory legislative acts of the Russian Federation.

2.5. This Privacy Policy applies to the Company's website on the Internet - https://excursions-volgograd.ru, as well as to personal data provided by personal data subjects under contracts concluded at the Operator's offices. These Rules do not apply, the Company does not control and is not responsible for third-party websites to which the user can follow links available on the Site. On such websites, the user can collect or request other personal data, and other actions can be performed.

3. PRINCIPLES AND CONDITIONS FOR PROCESSING PERSONAL DATA

3.1. Personal data must be processed lawfully and fairly.

3.2. Personal data must be processed limited to achieving specific, predetermined and legitimate purposes.

3.3. Databases containing personal data processed for incompatible purposes may not be combined.

3.4. Only personal data that meet the purposes of their processing may be processed.

3.5. The content and volume of personal data processed must meet the stated purposes of processing.

3.6. When processing personal data, the accuracy of personal data, its sufficiency and, where necessary, relevance in relation to the purposes of processing personal data must be ensured.

3.7. Personal data shall be stored in a form that allows identifying the personal data subject for no longer than required for the purposes of processing the personal data, unless the storage period for personal data is established by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor.

3.8. The Company processes personal data if one of the following conditions is met:

3.8.1. personal data are processed with the consent of the personal data subject;

3.8.2. personal data are processed necessary to achieve the purposes stipulated by law, to implement and perform the functions, powers and duties imposed on the Operator by the legislation of the Russian Federation;

3.8.3. personal data are processed necessary for the performance of an agreement to which the personal data subject is a party, beneficiary or guarantor, as well as for concluding an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor;

3.8.4. the processing of personal data is necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;

3.8.5. the processing of personal data is carried out, access to which is granted to an unlimited number of persons by the personal data subject or at his request;

3.8.6. the processing of personal data is subject to publication or mandatory disclosure in accordance with federal law.

4. LIST OF PROCESSED PERSONAL DATA AND THE CIRCLE OF SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED

4.1. The list of processed personal data subject to protection by the Operator is formed in accordance with the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", internal regulatory documents of the Operator.

4.2. Information constituting personal data is any information relating directly or indirectly to a specific or determinable individual (personal data subject).

4.3. Depending on the personal data subject, the Operator processes personal data of the following categories of personal data subjects:

4.3.1. personal data of the Operator's employees;

4.3.2. personal data of the Site users;

4.3.3. personal data of the Company's Clients;

4.3.4. personal data of individuals who have contacted the Operator with complaints, applications and requests.

5. PURPOSES OF PERSONAL DATA PROCESSING

5.1. The Company processes the personal data of the personal data subject exclusively for the following purposes:

5.1.1. carrying out activities to facilitate the organization of contacts and provide consultations and services to users of the website http://excursions-volgograd.ru;

5.1.2. concluding, executing and terminating civil contracts (including loan agreements) with individuals, legal entities, individual entrepreneurs and other persons, in cases stipulated by current legislation and other documents established by the Operator;

5.1.3. organization of personnel records of the Operator, ensuring compliance with laws and other regulatory legal acts, concluding and fulfilling obligations under labor and civil law contracts: maintaining personnel and tax records, collecting reports on types of payment, accounting for needs, training and advanced training, for other purposes related to the fulfillment of the requirements of tax legislation, legislation on pension payments and income of individuals, pension legislation, filling out primary statistical documentation, in accordance with the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, federal laws of the Russian Federation;

5.1.4. implementation of the functions assigned to the Operator by the legislation of the Russian Federation in accordance with the Civil Code of the Russian Federation, the Labor Code of the Russian Federation, the Tax Code of the Russian Federation, Federal Law of August 7, 2001 No. 115-FZ "On Combating the Legalization (Laundering) of Criminally Obtained Incomes and the Financing of Terrorism", Federal Law of July 27, 2006 No. 152-FZ "On Personal Data" and other acts;

5.1.5. identification of the user and/or his representative;

5.1.6. informing about the Operator's promotions, surveys, questionnaires, marketing research in relation to the services provided by the Operator or persons in whose interests the Operator acts;

5.1.7. communicating with the user if necessary, including sending notifications, requests and information related to his use of the Site, provision of services, as well as processing requests and applications from the user;

5.1.8. improving the quality of services provided, their ease of use, developing new services;

5.1.9. conducting statistical and other studies based on anonymized data.

6. CONSENT OF THE PERSONAL DATA SUBJECT TO THE PROCESSING OF HIS PERSONAL DATA

6.1. The personal data subject makes a decision to provide his personal data and gives consent to their processing freely, of his own free will and in his interests.

6.2. Consent to the processing of personal data must be specific, informed and conscious.

6.3. Consent to the processing of personal data may be given by the personal data subject or his representative in any form that allows confirmation of the fact of its receipt, unless otherwise established by federal law. By using the Operator's website on the Internet and clicking "I agree", the personal data subject expresses his consent and gives permission for the processing of his personal data in the manner prescribed by this Regulation. If the personal data subject does not agree with the provisions of this Regulation, he/she should refrain from using the Operator's website and transferring personal data to the Operator.

6.4. Consent to the processing of personal data may be revoked by the personal data subject by sending a written revocation to the Operator. The Operator has the right to continue processing personal data without the consent of the personal data subject strictly in the presence of grounds established by the current legislation.

7. RIGHTS AND RESPONSIBILITIES

7.1. The Company, acting as a personal data operator, has the right to:

7.1.1. defend its interests in court;

7.1.2. provide personal data of personal data subjects to state and other authorized bodies, if this is stipulated by the current legislation of the Russian Federation (tax, law enforcement agencies, etc.);

7.1.3. refuse to provide personal data in cases stipulated by the legislation of the Russian Federation;

7.1.4. process the personal data of the subject without his consent, in cases stipulated by the legislation of the Russian Federation.

7.2. The operator has the right to transfer the user's personal data to third parties in the following cases:

7.2.1. The user has explicitly expressed his consent to such actions;

7.2.2. The transfer is necessary within the framework of the user's use of a certain service of the Site or to provide a service to the user. In this case, the confidentiality of personal data is ensured, and the user will be explicitly notified of such transfer;

7.2.3. The transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law;

7.2.4. In order to ensure the possibility of protecting the rights and legitimate interests of the Operator or third parties in cases where the user violates the terms of the agreement with the Operator.

7.3. The Operator has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data stipulated by the legislation of the Russian Federation.

7.4. The Operator does not check the accuracy of the personal data provided by users and does not monitor their legal capacity. However, the Operator assumes that the user provides reliable and sufficient personal data on the issues requested on the Site and keeps this data up to date.

7.5. The personal data subject has the right to:

7.5.1. demand clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, and also take measures provided by law to protect their rights;

7.5.2. demand a list of their personal data processed by the Operator and the source of their receipt;

7.5.3. receive information on the processing periods of their personal data, including the storage periods;

7.5.4. demand notification of all persons who were previously provided with incorrect or incomplete personal data of all exclusions, corrections or additions made to them;

7.5.5. appeal to the authorized body for the protection of the rights of personal data subjects or in court against illegal actions or inactions during the processing of their personal data;

7.5.6. to protect their rights and legitimate interests, including compensation for damages and (or) compensation for moral damages in court.
8. PERSONAL DATA PROCESSING PERIODS

8.1. The personal data processing periods are determined in accordance with the period specified in the consent of the personal data subject, the Order of the Ministry of Culture of the Russian Federation dated 25.08.2010 No. 558 "On approval of the "List of standard management archival documents generated in the course of activities of state bodies, local governments and organizations, indicating storage periods", as well as other requirements of the legislation and local acts of the Operator.

8.2. The Operator creates and stores conditions that ensure the safety of personal data, including when using the Site, in accordance with the document storage requirements established by RF Government Resolution No. 687 of 15.09.2008. Upon completion of the established processing periods, personal data are destroyed without the possibility of restoration.

9. ENSURING THE SECURITY OF PERSONAL DATA

9.1. The security of personal data processed by the Operator is ensured by the implementation of legal, organizational, technical and software measures necessary and sufficient to meet the requirements of federal legislation in the field of personal data protection.

9.2. The Operator takes the necessary organizational and technical measures to ensure the security of personal data from accidental or unauthorized access, destruction, modification, blocking of access and other unauthorized actions.

9.3. The Operator applies the following organizational and technical measures:

9.3.1. appointment of officials responsible for organizing the processing and protection of personal data;

9.3.2. limiting and regulating the composition of employees with access to personal data;

9.3.3. familiarizing employees with the requirements of federal legislation and regulatory documents of the Operator on the processing and protection of personal data;

9.3.4. ensuring the accounting and storage of personal data carriers, excluding theft, substitution, unauthorized copying and destruction;

9.3.5. identifying threats to the security of personal data during their processing, forming threat models on their basis.

9.3.6. developing a personal data protection system for the corresponding class of information systems based on the threat model;

9.3.7. implementing a permit system for user access to information resources, software and hardware for processing and protecting information;

9.3.8. password protection of user access to the personal data information system;

9.3.9. using access control tools to communication ports, input/output devices, removable machine media and external storage devices;

9.3.10. implementing anti-virus control, preventing the introduction of malicious programs (virus programs) and software backdoors into the corporate network;

9.3.11. using firewalling;

9.3.12. detection of intrusions into the Operator's corporate network that violate or create preconditions for violation of established requirements for ensuring the security of personal data;

9.3.13. backup copying of information;

9.3.14. ensuring the restoration of personal data modified or destroyed due to unauthorized access to them;

9.3.15. training employees using information security tools applied in personal data information systems in the rules for working with them;

9.3.16. accounting for the information security tools applied, operational and technical documentation for them;

9.3.17. placement of technical means of processing personal data within the protected area;

9.3.18. maintaining technical means of security, alarm systems of premises in a state of constant readiness.

10. FINAL PROVISIONS

10.1. This Regulation is an internal document of the Company, but at the same time publicly available, and is subject to posting on the Website at: https://excursions-volgograd.ru/ru/page/privacy-policy, as well as in the Operator's offices - for the Client (personal data subject) to familiarize themselves with before concluding an agreement. When filling out online applications on the Website, the user confirms their consent to this Regulation by checking the appropriate box in the feedback form.

10.2. This Regulation is subject to change, supplementation in the event of the emergence of new legislative acts and special regulatory documents on the processing and protection of personal data.

10.3. The Company has the right to make changes to this Regulation. When making changes, the date of the last update of the version is indicated in the heading of the Regulation. The new version of the Regulation comes into force from the moment of its posting on the Website, unless otherwise provided by the new version of the Regulation.

10.4. The law of the Russian Federation shall apply to these Regulations and the relations between the Company and users.

10.5. The compliance with the requirements of these Regulations shall be monitored by the person responsible for ensuring the security of the personal data of the Company.

10.6. The liability of the Company officials who have access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data shall be determined in accordance with the legislation of the Russian Federation and the internal documents of the Company.

10.7. You can obtain more detailed information about our privacy policy, the processing of personal data, as well as other legally significant documents at any time by calling any of the telephone numbers listed on the Company's Website.