Política de tratamiento de datos personales

PERSONAL DATA PROTECTION AND PROCESSING POLCY

Training Center «Splitmassage»

1. General Provisions

1.1. This Policy on the Processing of Personal Data (hereinafter referred to as the Policy) has been drawn up in accordance with paragraph 2 of Article 18.1 of the Federal Law «On Personal Data» No. 152-FZ dated July 27, 2006, as well as other regulatory legal acts of the Russian Federation in the field of protection and processing of personal data and applies to all personal data (hereinafter referred to as data) that the Organization (hereinafter referred to as the Operator, the Company) may receive from a personal data subject who is a party to a civil law contract, from an Internet user (hereinafter referred to as the User) during their use of any of the websites, services, programs, products or services of Training Center LLC «Splitmassage», as well as from a personal data subject who is in relations with the Operator in relations regulated by labor legislation (hereinafter referred to as the Employee).

1.2. The Operator ensures protection of processed personal data from unauthorized access and disclosure, unauthorized use or loss in accordance with the requirements of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".

1.3. The Operator has the right to make changes to this Policy. When making changes, the date of the last update of the version is indicated in the heading of the Policy. The new version of the Policy comes into force from the moment it is posted on the website, unless otherwise provided by the new version of the Policy.

2. Terms and accepted abbreviations

Personal data – any information related to a directly or indirectly determined or determinable individual (subject of personal data).

Processing of personal data – any action (operation) or set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated processing of personal data – processing of personal data using computer technology.

Personal data information system (PDIS) – a set of personal data contained in databases and information technologies and technical means ensuring their processing.

Personal data made publicly available by the subject of personal data – personal data, access to which is provided to an unlimited number of persons by the subject of personal data or at his request.

Blocking of personal data is a temporary cessation of processing of personal data (except for cases where processing is necessary to clarify personal data).

Destruction of personal data is actions that make it impossible to restore the content of personal data in the personal data information system and (or) as a result of which the tangible media of personal data are destroyed.

Operator is an organization that independently or jointly with other persons organizes the processing of personal data, and also determines the purposes of processing personal data subject to processing, actions (operations) performed with personal data.

3. Processing of personal data

3.1. Obtaining personal data.

3.1.1. All personal data should be obtained from the subject. If the subject's personal data can only be obtained from a third party, the subject must be notified of this or consent must be obtained from him.

3.1.2. The operator must inform the subject of the purposes, intended sources and methods of obtaining personal data, the nature of the personal data to be obtained, the list of actions with personal data, the period during which consent is valid and the procedure for its revocation, as well as the consequences of the subject's refusal to give written consent to receive them.

3.1.3. Documents containing personal data are created by:
– copying original documents (passport, education document, TIN certificate, pension certificate, etc.);
– entering information into accounting forms;
– obtaining originals of the necessary documents (work record book, medical report, characteristics, etc.).

3.2. Processing of personal data.

3.2.1. Personal data is processed:
– with the consent of the personal data subject to the processing of his personal data;
– in cases where the processing of personal data is necessary for the implementation and performance of functions, powers and duties imposed by law;
– in cases where personal data is processed, access to which is provided to an unlimited number of persons by the personal data subject or at his request (hereinafter referred to as personal data made publicly available by the personal data subject).

3.2.2. Purposes of personal data processing:
– implementation of labor relations;
– implementation of civil law relations;
– to contact the user in connection with filling out the feedback form on the website, including sending notifications, requests and information regarding the use of the store's website, processing, approval of orders and their delivery, execution of agreements and contracts;
- depersonalization of personal data to obtain depersonalized statistical data, which are transferred to a third party for research, performance of work or provision of services on behalf of the store.

3.2.3. Categories of personal data subjects.
The personal data of the following personal data subjects are processed:
– individuals who are in employment relationships with the Company;
– individuals who have resigned from the Company;
– individuals who are job candidates;
– individuals who are in civil law relationships with the Company;
– individuals who are Users of the Store Website.

3.2.4. Personal data processed by the Operator:
– data obtained in the course of employment relationships;
– data obtained for the selection of job candidates;
– data obtained in the course of civil law relationships;
– data received from Users of the Store Website.

3.2.5. Personal data are processed:
– using automation tools;
– without using automation tools.

3.3. Storage of personal data.

3.3.1. Personal data of subjects may be received, further processed and transferred for storage both on paper and in electronic form.

3.3.2. Personal data recorded on paper are stored in locked cabinets or in locked rooms with limited access rights.

3.3.3. Personal data of subjects processed using automation tools for different purposes are stored in different folders.

3.3.4. Storage and placement of documents containing personal data in open electronic directories (file sharing services) in the ISPD is prohibited.

3.3.5. Personal data shall be stored in a form that allows the subject of personal data to be identified for no longer than is required for the purposes of their processing, and they shall be destroyed upon achieving the purposes of their processing or in the event of the loss of the need to achieve them.

3.4. Destruction of personal data.

3.4.1. Documents (media) containing personal data shall be destroyed by burning, crushing (grinding), chemical decomposition, turning into a shapeless mass or powder. A shredder may be used to destroy paper documents.

3.4.2. Personal data on electronic media shall be destroyed by erasing or formatting the media.

3.4.3. The fact of destruction of personal data shall be confirmed by a documented act on the destruction of media.

3.5. Transfer of personal data.

3.5.1. The operator shall transfer personal data to third parties in the following cases:
– the subject has expressed his consent to such actions;
– the transfer is provided for by Russian or other applicable legislation within the framework of the procedure established by law.

3.5.2. List of persons to whom personal data is transferred.
– Pension fund for accounting (on legal grounds);
– tax authorities (on legal grounds);
– Social Insurance Fund (on legal grounds);
– territorial fund for compulsory medical insurance (on legal grounds);
– medical insurance organizations for compulsory and voluntary medical insurance (on legal grounds);
– banks for calculating wages (on the basis of an agreement);
– police in cases established by law;
– anonymized personal data of Users of the online store website are transferred to the Store's counterparties.

4. Personal data protection

4.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS), consisting of legal, organizational and technical protection subsystems.

4.2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that ensure the creation, operation and improvement of the PDPS.

4.3. The organizational protection subsystem includes the organization of the PDPS management structure, the permit system, the protection of information when working with employees, partners and third parties.

4.4. The technical protection subsystem includes a set of technical, software, software and hardware tools that ensure the protection of personal data.

4.4. The main measures to protect personal data used by the Operator are:

4.5.1. Appointment of a person responsible for the processing of personal data, who organizes the processing of personal data, training and instruction, internal control over compliance by the institution and its employees with personal data protection requirements.

4.5.2. Identification of current threats to the security of personal data when processing them in the ISPD and development of measures and activities to protect personal data.

4.5.3. Development of a policy regarding the processing of personal data.

4.5.4. Establishing rules for access to personal data processed in the ISPD, as well as ensuring the registration and accounting of all actions performed with personal data in the ISPD.

4.5.5. Establishing individual passwords for employee access to the information system in accordance with their work responsibilities.

4.5.6. Use of information security tools that have undergone the established procedure for assessing the compliance of information.

4.5.7. Certified anti-virus software with regularly updated databases.

4.5.8. Compliance with conditions that ensure the safety of personal data and exclude unauthorized access to them.

4.5.9. Detection of facts of unauthorized access to personal data and taking measures.

4.5.10. Restoration of personal data modified or destroyed due to unauthorized access to them.

4.5.11. Training of the Operator's employees directly involved in the processing of personal data in the provisions of the legislation on personal data, including the requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, local acts on issues of processing personal data.

4.5.12. Implementation of internal control and audit.

5. Basic rights of the personal data subject and obligations of the Operator

5.1. Basic rights of the personal data subject.

The subject has the right to access his personal data and the following information:
– confirmation of the fact of personal data processing by the Operator;
– legal grounds and purposes of personal data processing;
– purposes and methods of personal data processing used by the Operator;
– name and location of the Operator, information about persons (except for the Operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
– terms of personal data processing, including storage periods;
– the procedure for exercising the rights provided for by the Federal Law by the personal data subject;
– name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is or will be entrusted to such person;
– contacting the Operator and sending him requests;
– appealing against the actions or inactions of the Operator.

5.2. Operator's Responsibilities.

The Operator is obliged to:
– when collecting personal data, provide information on the processing of personal data;
– in cases where the personal data was not received from the personal data subject, notify the subject;
– in case of refusal to provide personal data, the subject is explained the consequences of such refusal;
– publish or otherwise provide unlimited access to the document defining its policy regarding the processing of personal data, to information on the implemented requirements for the protection of personal data;
– take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
– respond to requests and appeals from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.