Privacy policy

List of content

• Designations and abbreviations
• Introduction
• Principles of processing personal data
• Personal data processing conditions
• Rights of the subject of personal data
• Measures to ensure the security of personal data during their processing

Designations and abbreviations

INTRODUCTION

This document defines the policy of JSC “Sochi-Park” (hereinafter — Company) regarding the processing of personal data.

This Policy has been developed in accordance with the current legislation of the Russian Federation on personal data.

This Policy applies to all processes for the collection, recording, systematization, accumulation, storage, clarification, extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data, carried out with the use of automation tools and without use of such funds.

Principles of personal data processing

The processing of personal data is carried out on the basis of the following principles:

• the processing of personal data is carried out on a legal and fair basis;
• the processing of personal data is limited to the achievement of specific, predetermined and legal purposes;
• processing of personal data that is incompatible with the purposes of collecting personal data is not allowed;
• it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other;
• only those personal data that meet the purposes of their processing are subject to processing;
• the content and volume of processed personal data correspond to the stated processing purposes. The processed personal data are not redundant in relation to the stated purposes of processing;
• when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, their relevance in relation to the stated purposes of their processing is ensured;
• destruction or depersonalization of personal data upon achievement of the goals of their processing or in case of loss of the need to achieve these goals, if elimination is impossible. Companies committed violations of personal data, unless otherwise provided by federal law.

Terms of the personal data processing

The processing of personal data is carried out in compliance with the principles and rules established by the Federal Law “On Personal Data”. The processing of personal data is allowed in the following cases:

• processing of personal data is carried out with the consent of the subject of personal data to the processing of his personal data;
• the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or by law, for the implementation and fulfillment of the functions, powers and duties imposed by the legislation of the Russian Federation on the operator;
• the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
• processing of personal data is necessary for the execution of an agreement, to which the subject of personal data is either a party or a beneficiary or a surety, as well as for concluding an agreement on the initiative of the subject of personal data or an agreement under which the subject of personal data will be a beneficiary or a surety;
• the processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject, if it is impossible to obtain the consent of the personal data subject;
• the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve the company’s important goals, provided that this does not violate the rights and freedoms of the subject of personal data;
• processing of personal data is carried out for statistical or other research purposes, subject to the mandatory depersonalization of personal data. An exception is the processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communications, as well as for political campaigning;
• processing of personal data is carried out, access of an unlimited number of persons to which is provided by the subject of personal data, or at his request (hereinafter — personal data made publicly available by the subject of personal data);
• processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

Company may include the personal data of subjects in publicly available sources of personal data, while the Company takes the subject’s written consent to the processing of his personal data. Company may process special categories of personal data related to race, nationality, health status, while the Company undertakes to take the subject’s written consent to the processing of his personal data.

Biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which is used by the operator to establish the identity of the subject of personal data) are processed by the Company in accordance with the law.

Company carries out cross-border transfer of personal data only to the territory of foreign states that provide adequate protection of the rights of subjects of personal data.

The adoption, on the basis of exclusively automated processing of personal data, of decisions that generate legal consequences in relation to the subject of personal data or otherwise affecting his rights and legitimate interests is not carried out. Under the terms of the license to carry out the activities of the Company, there is no prohibition on the transfer of personal data to third parties without the consent in writing of the subject of personal data.

In the absence of the need for the subject’s written consent to the processing of his personal data, the consent of the subject can be given by the subject of personal data or his representative in any form that allows him to receive the fact of its receipt.

Company has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of an agreement concluded with this person (hereinafter referred to as the operator’s order). At the same time, the Company in the contract obliges the person who processes personal data on behalf of the Company to comply with the principles and rules for processing personal data provided for by this Federal Law.

If Company entrusts the processing of personal data to another person, Company bears responsibility to the subject of personal data for the actions of this person. The person who processes personal data on behalf of the Company is responsible to the Company.

Company undertakes and obliges other persons who have access to personal data not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

Rights of the subject of personal data

The subject of personal data decides on the provision of his personal data and agrees to their processing freely, of his own free will and in his interest. Consent to the processing of personal data can be given by the subject of personal data or his representative in any form that allows to confirm the fact of its receipt, unless otherwise provided by federal law.

The obligation to provide evidence of obtaining the consent of the subject of personal data to the processing of his personal data or proof of the existence of the grounds specified by the Federal Law “On Personal Data” rests with the Company. The subject of personal data has the right to receive information regarding the processing of his personal data, if such a right is not limited in accordance with federal laws. The subject of personal data has the right to demand from the Company clarification of his personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.

The processing of personal data in order to promote goods, works, services on the market by making direct contacts with a potential consumer using communication means, as well as for the purpose of political campaigning is allowed only with the prior consent of the subject of personal data. The specified processing of personal data is recognized as carried out without the prior consent of the subject of personal data, unless the Company proves that such consent has been obtained.

Company is obliged to immediately stop, at the request of the subject of personal data, the processing of his personal data for the above purposes.

It is forbidden to make decisions on the basis of solely automated processing of personal data that give rise to legal consequences in relation to the subject of personal data or otherwise affect his rights and legitimate interests, with the exception of cases provided for by federal laws, or with the consent in writing of the subject of personal data. If the subject of personal data believes that the Company is processing his personal data in violation of the requirements of the Federal Law “On Personal Data” or otherwise violates his rights and freedoms, the subject of personal data has the right to appeal against the actions or inaction of the Company to the Authorized body for the protection of the rights of subjects of personal data or in court.

The subject of personal data has the right to protect his rights and legal interests, including compensation for damages and (or) compensation for moral damage in court.

Measures to ensure the security of personal data during their processing

The company takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, provision, distribution of personal data, as well as from other illegal actions with respect to personal data when processing personal data.

The safety of personal data is assured, in particular, by:

• identification of threats to the security of personal data during their processing in personal data information systems;
• the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet the requirements for the protection of personal data, the implementation of which is ensured by the levels of personal data protection established by the Government of the Russian Federation;
• application of the procedure for assessing the conformity of information protection means that have passed in the prescribed manner;
• evaluating the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
• taking into account machine carriers of personal data;
• detection of facts of unauthorized access to personal data and taking measures;
• restoration of personal data modified or destroyed due to unauthorized access to them;
• establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
• control over the measures taken to ensure the security of personal data and the level of security of information systems of personal data.