Personal Data Processing Policy
- General Provisions
This Personal Data Processing Policy has been prepared in accordance with the requirements of Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data,” as currently in force (hereinafter, the Personal Data Law), as well as other regulatory legal acts of the Russian Federation governing the processing and protection of personal data, and sets out the procedure for personal data processing and the measures to ensure the security of personal data implemented by Individual Entrepreneur Veronika Vitalyevna Anufrieva (hereinafter, the Operator).
1.1. The Operator regards compliance with human and civil rights and freedoms in the processing of personal data, including protection of the rights to privacy and personal and family secrecy, as the most important objective and condition of its activities.
1.2. This Operator’s Personal Data Processing Policy (hereinafter, the Policy) applies to all information that the Operator may obtain about visitors to the website https://kedrcity.ru.
1.3. This Policy takes into account the activities carried out by the Operator, including those falling within the following OKVED codes:
• 55.10 – Hotels and other temporary accommodation services;
• 56.10 – Restaurant activities and food delivery services;
1.4. Contact details of the person responsible for personal data processing
Person responsible for organizing personal data processing: Nikita Andreevich Pronin, e-mail: office@kedrcity.ru, telephone: +7 (423) 230-96-96, postal address: 28 1st Zapadnaya Street, Artem, Primorsky Krai, Russia, 692759.
- Key Terms Used in the Policy
2.1. Automated personal data processing means the processing of personal data by means of computer equipment.
2.2. Blocking of personal data means the temporary cessation of personal data processing (except where processing is necessary to clarify personal data).
2.3. Website means a collection of graphic and informational materials, as well as computer programs and databases, ensuring their availability on the Internet at https://kedrcity.ru.
2.4. Personal data information system means a set of personal data contained in databases and the information technologies and technical means used to process such personal data.
2.5. Depersonalization of personal data means actions resulting in the impossibility, without the use of additional information, of determining whether personal data belongs to a specific User or another personal data subject.
2.6. Personal data processing means any action (operation) or set of actions (operations) performed with or without the use of automation tools in relation to personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
2.7. Operator means a state authority, municipal authority, legal entity, or individual that independently or jointly with others organizes and/or carries out personal data processing, and determines the purposes of personal data processing, the composition of personal data subject to processing, and the actions (operations) performed with personal data.
2.8. Personal data means any information relating directly or indirectly to an identified or identifiable User of the website https://kedrcity.ru.
2.9. Personal data authorized by the personal data subject for dissemination means personal data to which an unlimited number of persons have been granted access by the personal data subject through consent to the processing of personal data authorized by the personal data subject for dissemination in the manner prescribed by the Personal Data Law (hereinafter, personal data authorized for dissemination).
2.10. User means any visitor to the website https://kedrcity.ru.
2.11. Provision of personal data means actions aimed at disclosing personal data to a specific person or a specific group of persons.
2.12. Dissemination of personal data means any actions aimed at disclosing personal data to an indefinite group of persons (transfer of personal data) or making personal data available to an unlimited number of persons, including publication in mass media, posting in information and telecommunications networks, or granting access to personal data in any other way.
2.13. Cross-border transfer of personal data means the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity.
2.14. Destruction of personal data means any actions as a result of which personal data is irreversibly destroyed, making it impossible to restore the content of personal data in the personal data information system and/or resulting in the destruction of the physical media containing personal data.
2.15. Cookie files mean small fragments of data sent by a website and stored on the User’s device, which may contain technical identifiers, information about the User’s actions on the website, information about the device and browser used, the date and time of the visit, as well as other technical data necessary for the operation of the website and for analytics.
2.16. Analytical cookie files mean cookie files used to collect information about visits to the website, the User’s actions on the website, traffic sources, technical parameters of the device and browser, as well as other data used for website statistics and analytics.
2.17. Yandex.Metrica web analytics service means an analytics tool used by the Operator to obtain information about website traffic, User behavior on the website, traffic sources, technical characteristics of users’ devices, and other statistical indicators. - Main Rights and Obligations of the Operator
3.1. The Operator has the right to:
— obtain reliable information and/or documents containing personal data from the personal data subject;
— if the personal data subject withdraws consent to personal data processing, as well as upon receipt of a request to cease personal data processing, continue processing personal data without the consent of the personal data subject if grounds specified in the Personal Data Law exist;
— independently determine the composition and list of measures necessary and sufficient to ensure compliance with the obligations set forth in the Personal Data Law and the regulatory legal acts adopted pursuant thereto, unless otherwise provided by the Personal Data Law or other federal laws.
3.2. The Operator is obliged to:
— provide the personal data subject, at their request, with information concerning the processing of their personal data;
— organize personal data processing in accordance with the procedure established by the current legislation of the Russian Federation;
— respond to appeals and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
— provide the authorized body for the protection of the rights of personal data subjects, upon its request, with the necessary information within 10 days from the date of receipt of such request;
— publish or otherwise ensure unrestricted access to this Policy on personal data processing;
— take legal, organizational, and technical measures to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, and other unlawful actions involving personal data;
— cease the transfer (dissemination, provision, access) of personal data, cease processing, and destroy personal data in the manner and in the cases provided for by the Personal Data Law;
— perform other duties provided for by the Personal Data Law. - Main Rights and Obligations of Personal Data Subjects
4.1. Personal data subjects have the right to:
— receive information relating to the processing of their personal data, except in cases provided for by federal laws. Such information shall be provided by the Operator in an accessible form and shall not contain personal data relating to other personal data subjects, except where there are lawful grounds for disclosing such personal data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
— require the operator to clarify, block, or destroy their personal data if such personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, and to take the measures provided by law to protect their rights;
— require prior consent for the processing of personal data for the purposes of promoting goods, works, and services on the market;
— withdraw consent to personal data processing, as well as submit a request to cease personal data processing;
— appeal unlawful actions or omissions of the Operator in the processing of their personal data to the authorized body for the protection of the rights of personal data subjects or in court;
— exercise other rights provided for by the legislation of the Russian Federation.
4.2. Personal data subjects are obliged to:
— provide the Operator with accurate information about themselves;
— notify the Operator of any clarification (update or modification) of their personal data.
4.3. Persons who provide the Operator with inaccurate information about themselves or information about another personal data subject without that person’s consent shall bear liability in accordance with the legislation of the Russian Federation. - Principles of Personal Data Processing
5.1. Personal data shall be processed on a lawful and fair basis.
5.2. Personal data processing shall be limited to the achievement of specific, predetermined, and lawful purposes. Personal data processing incompatible with the purposes of collecting personal data shall not be permitted.
5.3. The merging of databases containing personal data processed for purposes incompatible with one another shall not be permitted.
5.4. Only personal data that corresponds to the purposes of its processing shall be processed.
5.5. The content and scope of processed personal data shall correspond to the stated purposes of processing. The redundancy of processed personal data in relation to the stated purposes of processing shall not be permitted.
5.6. When processing personal data, the accuracy, sufficiency, and, where necessary, relevance of personal data in relation to the purposes of processing shall be ensured. The Operator shall take the necessary measures and/or ensure that such measures are taken to delete or clarify incomplete or inaccurate data.
5.7. Personal data shall be stored in a form allowing identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the retention period for personal data is established by federal law or by an agreement to which the personal data subject is a party, beneficiary, or guarantor. Processed personal data shall be destroyed or depersonalized upon achievement of the purposes of processing or if the need to achieve those purposes is lost, unless otherwise provided by federal law. - Purposes of Personal Data Processing
6.1 Purpose of processing:
• informing the User by sending electronic messages;
• entering into and performing contracts for the sale of goods and provision of services;
• organizing the delivery of goods;
• providing technical support;
• maintaining statistics and analytics;
• processing incoming inquiries and providing feedback to the User by telephone, e-mail, or messengers, at the User’s choice;
• carrying out marketing mailings with the User’s consent.
6.2 Personal data:
• surname, first name, patronymic;
• e-mail address;
• telephone numbers;
• delivery address (postal code, region, city, street, house number, apartment) of the user when placing an order for goods, as well as payment details, to the extent necessary for contract performance.
6.2.1. For the purposes of maintaining website statistics and analytics, the Operator may use analytical cookie files and the Yandex.Metrica web analytics service.
6.2.2. As part of the use of analytical cookie files and the Yandex.Metrica service, the following information about the User may be processed: cookie identifiers, IP address, information about the User’s actions on the website, information about pages viewed, visit time, traffic sources to the website, as well as information about the User’s device, browser, operating system, interface language, and other technical parameters.
6.2.3. The above information is used solely for the purposes of analyzing website traffic, improving the content and functionality of the website, enhancing usability, identifying and correcting technical errors, as well as evaluating the effectiveness of information and services posted on the website.
6.3 The legal grounds for personal data processing are Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (as currently in force), Federal Law No. 149-FZ dated 27 July 2006 “On Information, Information Technologies and Information Protection,” as well as other regulatory legal acts of the Russian Federation, including Federal Law No. 38-FZ “On Advertising.”
6.3.1. Data processing carried out using analytical cookie files and the Yandex.Metrica service is based on the User’s consent provided through the banner and/or the cookie settings interface on the website.
6.3.1. Data processing carried out using analytical cookie files and the Yandex.Metrica service is based on the User’s consent provided through the banner and/or the cookie settings interface on the website.
6.4 Types of personal data processing:
Collection, recording, systematization, accumulation, storage, destruction, and depersonalization of personal data.
- Conditions for Personal Data Processing
7.1. Personal data shall be processed with the consent of the personal data subject to the processing of their personal data.
7.2. Personal data processing is necessary to achieve the purposes provided for by an international treaty of the Russian Federation or by law, and for the exercise of functions, powers, and duties imposed on the operator by the legislation of the Russian Federation.
7.3. Personal data processing is necessary for the administration of justice and the execution of a judicial act, an act of another body, or an act of an official subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings.
7.4. Personal data processing is necessary for the performance of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for entering into a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor.
7.5. Personal data processing is necessary for the exercise of the rights and legitimate interests of the operator or third parties, or for the achievement of socially significant purposes, provided that this does not violate the rights and freedoms of the personal data subject.
7.6. Personal data subject to processing may include personal data made publicly available by the personal data subject or at their request (hereinafter, publicly available personal data).
7.7. Personal data subject to publication or mandatory disclosure in accordance with federal law may be processed.
7.8. The Website User gives consent to the processing of their personal data in the following cases:
– when registering on the Website in a personal account;
– when authorizing via social networks;
– when filling out a feedback form / requesting a callback on the Website;
– when subscribing to a mailing list;
– when submitting reviews;
– when entering into contracts.
– when expressing consent to the use of analytical cookie files and the processing of data using the Yandex.Metrica service through the banner and/or the cookie settings interface on the website.
7.8.1. Analytical cookie files and the Yandex.Metrica service are used by the Operator only after receiving the relevant consent of the User.
7.8.2. Until the User’s consent is obtained, analytical cookie files and the Yandex.Metrica service shall not be activated or used.
7.8.3. The User has the right to refuse the use of analytical cookie files or to change previously selected settings at any time through the cookie management interface posted on the website.
7.8.4. The User’s refusal to use analytical cookie files does not affect the ability to use the main functions of the website, except where certain functions objectively require the use of strictly necessary cookie files.
7.9. Messengers (WhatsApp, Telegram) indicated on the Website are used exclusively as communication channels. They are not used to collect or process personal data.
7.10. The Website may contain links to external data repositories (for example, Google Drive, Yandex Disk, etc.). These resources do not participate in the processing of personal data through the website, and responsibility for data processing on such platforms rests with their owners.
7.11 Notification to Roskomnadzor of a personal data breach
If unauthorized access to personal data is detected, the Operator shall send an initial notification to Roskomnadzor no later than 24 (twenty-four) hours from the moment the breach is detected, and an extended notification no later than 72 (seventy-two) hours containing information on the measures taken, the scale of the incident, and the presumed causes. The person responsible for sending such notifications is specified in Clause 1.4. - Procedure for the Collection, Storage, Transfer, and Other Types of Personal Data Processing
The security of personal data processed by the Operator is ensured through the implementation of legal, organizational, and technical measures necessary for full compliance with the requirements of the current legislation in the field of personal data protection.
8.1. The Operator shall ensure the safety of personal data and shall take all possible measures to prevent unauthorized persons from gaining access to personal data.
8.2. The User’s personal data shall never, under any circumstances, be transferred to third parties, except in cases related to compliance with current legislation or where the personal data subject has given the Operator consent to transfer data to a third party for the performance of obligations under a civil law contract.
8.3. If inaccuracies in personal data are identified, the User may update such data independently by sending a notice to the Operator at office@kedrcity.ru with the subject line “Updating Personal Data.”
8.4. The period of personal data processing shall be determined by the achievement of the purposes for which the personal data was collected, unless another period is provided for by an agreement or current legislation.
The User may withdraw consent to personal data processing at any time by sending a notice to the Operator by e-mail to office@kedrcity.ru with the subject line “Withdrawal of Consent to Personal Data Processing.”
8.4.1. The User has the right to change previously given consent to the use of analytical cookie files and the processing of data using the Yandex.Metrica service at any time through the “Cookie Settings” section (link) posted on the website. Any change to the User’s choice shall apply to subsequent website sessions, taking into account the technical capabilities of the User’s browser and device.
8.5. All information collected by third-party services, including payment systems, communication tools, and other service providers, is stored and processed by such persons (Operators) in accordance with their User Agreement and Privacy Policy. The personal data subject and/or with the said documents. The Operator shall not be liable for the actions of third parties, including the service providers referred to in this clause.
8.5.1. When using the Yandex.Metrica web analytics service, certain technical data of the User may be processed with the participation of the person ensuring the operation of the said service, to the extent necessary to achieve the purposes of website statistics and analytics, in accordance with the rules governing the use of the relevant service.
8.6. Prohibitions established by the personal data subject on the transfer (except for granting access), as well as on the processing or conditions of processing (except for obtaining access) of personal data authorized for dissemination, shall not apply in cases of personal data processing in state, public, and other public interests defined by the legislation of the Russian Federation.
8.7. When processing personal data, the Operator shall ensure the confidentiality of personal data.
8.8. The Operator shall store personal data in a form allowing identification of the personal data subject for no longer than required by the purposes of personal data processing, unless the retention period for personal data is established by federal law or by an agreement to which the personal data subject is a party, beneficiary, or guarantor.
8.9. Grounds for the termination of personal data processing may include achievement of the purposes of personal data processing, expiration of the consent period of the personal data subject, withdrawal of consent by the personal data subject, or a request to cease personal data processing, as well as the identification of unlawful personal data processing.
8.10. Localization of Personal Data Storage within the Territory of the Russian Federation
The Operator shall ensure the initial recording, storage, and updating of all personal data of citizens of the Russian Federation exclusively on servers physically located within the territory of the Russian Federation, in accordance with Part 5 of Article 18 of Federal Law No. 152-FZ. Cross-border transfer is permitted only after local recording and software-based depersonalization of the data. - List of Actions Performed by the Operator with Received Personal Data
9.1. The Operator performs collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
9.2. The Operator performs automated processing of personal data with receipt and/or transfer of the obtained information via information and telecommunications networks or without such transfer.
9.3. Procedure for the destruction of personal data
Upon achievement of the processing purposes or the occurrence of lawful grounds for deletion, the Operator shall, within no more than 30 calendar days, destroy personal data as follows: (a) drawing up a destruction report; (b) deleting data from information systems; (c) physical destruction of paper media; (d) signing the report by a commission of two authorized employees. - Cross-Border Transfer of Personal Data
10.1. Before commencing activities involving the cross-border transfer of personal data, the Operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of its intention to carry out such cross-border transfer of personal data (such notification shall be submitted separately from the notification of the intention to process personal data).
10.2. Before submitting the above notification, the Operator is obliged to obtain the relevant information from the authorities of the foreign state, foreign individuals, and foreign legal entities to whom the cross-border transfer of personal data is planned. - Confidentiality of Personal Data
The Operator and other persons who have obtained access to personal data are obliged not to disclose personal data to third parties and not to disseminate it without the consent of the personal data subject, unless otherwise provided by federal law. - Final Provisions
12.1. The User may obtain any clarifications on issues of interest relating to the processing of their personal data by contacting the Operator via e-mail at office@kedrcity.ru.
12.2. Any changes to the Operator’s personal data processing policy shall be reflected in this document. The Policy shall remain in effect indefinitely until replaced by a new version.
12.3. The current version of the Policy is freely available on the Internet at https://kedrcity.ru/privacy.
