Personal Data Processing Policy
1. General Provisions
This Personal Data Processing Policy has been prepared in accordance with Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006, as amended (hereinafter referred to as the “Personal Data Law”), as well as other regulatory legal acts of the Russian Federation in the field of personal data processing and protection. It defines the procedure for processing personal data and the measures taken by Sole Proprietor Veronika Vitalyevna Anufrieva (hereinafter referred to as the “Operator”) to ensure the security of personal data.
1.1. The Operator considers the observance of human and civil rights and freedoms in the processing of personal data, including the right to privacy, personal and family confidentiality, as a top priority and a fundamental condition of its activities.
1.2. This Policy of the Operator regarding the processing of personal data (hereinafter referred to as the “Policy”) applies to all information that the Operator may receive about visitors of the website https://kedrcity.ru.
1.3. This Policy takes into account the types of activities carried out, including within the framework of the following OKVED codes:
- 55.10 – Hotel and other short-stay accommodation activities;
- 56.10 – Restaurant activities and food delivery services.
1.4. Contact Information of the Person Responsible for Personal Data Processing
The person responsible for organizing the processing of personal data: Nikita Andreevich Pronin
Email: office@kedrcity.ru
Phone: +7 (423) 230-96-96
Postal address: 1-ya Zapadnaya St., 28, Artem, Primorsky Krai, Russia, 692759
2. Key Terms Used in the Policy
2.1. Automated processing of personal data — processing of personal data using computer technology.
2.2. Blocking of personal data — temporary suspension of the processing of personal data (except when processing is necessary to clarify personal data).
2.3. Website — a set of graphic and informational materials, as well as software and databases, made available on the Internet at https://kedrcity.ru.
2.4. Personal data information system — a set of personal data contained in databases, and information technologies and technical tools used for their processing.
2.5. Depersonalization of personal data — actions that result in the inability to determine, without using additional information, whether the personal data belongs to a specific User or another personal data subject.
2.6. Processing of personal data — any action (operation) or set of actions (operations) performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
2.7. Operator — a government body, municipal authority, legal or natural person that independently or jointly with others organizes and/or carries out the processing of personal data, as well as determines the purposes of personal data processing, the scope of personal data to be processed, and the actions (operations) performed with the personal data.
2.8. Personal data — any information that relates directly or indirectly to an identified or identifiable User of the website https://kedrcity.ru.
2.9. Personal data made publicly available by the personal data subject — personal data to which access is granted to an unlimited number of persons by the personal data subject by giving consent for processing such data in accordance with the procedure established by the Personal Data Law (hereinafter — personal data made publicly available).
2.10. User — any visitor of the website https://kedrcity.ru.
2.11. Provision of personal data — actions aimed at disclosing personal data to a specific person or a specific group of persons.
2.12. Dissemination of personal data — any actions aimed at disclosing personal data to an indefinite number of persons (personal data transfer) or at making personal data available to an unlimited number of persons, including publication of personal data in the media, posting in information and telecommunication networks, or providing access to personal data by any other means.
2.13. Cross-border transfer of personal data — the transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign natural person, or a foreign legal entity.
2.14. Destruction of personal data — any actions that result in the irreversible destruction of personal data with the impossibility of further recovery of the content of personal data in the personal data information system and/or the destruction of physical media containing personal data.
3. Main Rights and Obligations of the Operator
3.1. The Operator has the right to:
— receive accurate information and/or documents containing personal data from the personal data subject;
— continue processing personal data without the consent of the personal data subject in the event that the subject withdraws their consent or submits a request to terminate processing, provided there are legal grounds for such processing as specified in the Personal Data Law;
— independently determine the composition and list of measures necessary and sufficient to fulfill the obligations set forth in the Personal Data Law and regulatory legal acts adopted in accordance with it, unless otherwise stipulated by the Personal Data Law or other federal laws.
3.2. The Operator is obliged to:
— provide the personal data subject, upon request, with information regarding the processing of their personal data;
— organize the processing of personal data in accordance with the current legislation of the Russian Federation;
— respond to inquiries and requests from personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
— submit the necessary information to the authorized body for the protection of the rights of personal data subjects within 10 days from the date of receiving such a request;
— publish or otherwise ensure unrestricted access to this Personal Data Processing Policy;
— take legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions involving personal data;
— cease the transfer (dissemination, provision, access) of personal data, stop processing and destroy personal data in the manner and cases provided for by the Personal Data Law;
— fulfill other obligations established by the Personal Data Law.
4. Main Rights and Obligations of Personal Data Subjects
4.1. Personal data subjects have the right to:
— receive information regarding the processing of their personal data, except in cases provided for by federal laws. The information must be provided by the Operator in an accessible form and must not include personal data relating to other personal data subjects, unless there are legal grounds for disclosing such data. The list of information and the procedure for obtaining it are established by the Personal Data Law;
— request the Operator to clarify, block, or delete their personal data if such data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, and take legal measures to protect their rights;
— set a condition of prior consent for the processing of personal data for the purpose of promoting goods, works, and services in the market;
— withdraw consent to the processing of personal data and/or submit a request to terminate the processing of personal data;
— file a complaint with the authorized body for the protection of personal data subjects’ rights or through the courts against unlawful actions or inaction of the Operator in processing their personal data;
— exercise other rights provided by the legislation of the Russian Federation.
4.2. Personal data subjects are obliged to:
— provide the Operator with accurate information about themselves;
— notify the Operator about any clarification (updating or modification) of their personal data.
4.3. Persons who have submitted inaccurate information about themselves to the Operator or information about another personal data subject without that subject’s consent shall be held liable in accordance with the legislation of the Russian Federation.
4.4. Response Time to Requests from Personal Data Subjects
The Operator confirms receipt of a personal data subject’s request within 10 (ten) calendar days and provides a full response no later than 30 (thirty) calendar days from the date of receipt of the request.
5. Principles of Personal Data Processing
5.1. Personal data shall be processed on a lawful and fair basis.
5.2. The processing of personal data shall be limited to achieving specific, predetermined, and lawful purposes. Processing that is incompatible with the purposes of collecting personal data is not permitted.
5.3. The combination of databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other, is not allowed.
5.4. Only personal data that corresponds to the purposes of processing shall be subject to processing.
5.5. The content and volume of processed personal data must correspond to the stated purposes of processing. Excessive processing of personal data in relation to the stated purposes is not allowed.
5.6. The accuracy, sufficiency, and, where necessary, relevance of personal data to the purposes of processing must be ensured. The Operator shall take necessary measures and/or ensure that such measures are taken to delete or clarify incomplete or inaccurate data.
5.7. Personal data shall be stored in a form that allows the identification of the personal data subject for no longer than required by the purposes of personal data processing, unless a longer storage period is established by federal law, an agreement to which the personal data subject is a party, beneficiary, or guarantor. Processed personal data must be destroyed or depersonalized once the purposes of processing are achieved or when the need to achieve those purposes no longer exists, unless otherwise provided by federal law.
6. Purposes of Personal Data Processing
6.1. Purpose of processing:
• informing the User by sending emails;
• conclusion and execution of sales and service agreements;
• organization of product delivery;
• provision of technical support;
• collection of statistics and analytics;
• processing incoming requests and communicating with the User via phone, email, or messengers of their choice;
• conducting marketing mailings with the User’s consent.
6.2. Personal data:
• last name, first name, patronymic;
• email address;
• phone numbers;
• delivery address (postal code, region, city, street, building, apartment) in case of ordering goods, as well as payment details to the extent necessary to fulfill the contract.
6.3. The legal grounds for personal data processing are Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (as amended), Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection” dated July 27, 2006, as well as other regulatory legal acts of the Russian Federation, including Federal Law No. 38-FZ “On Advertising”.
6.4. Types of personal data processing:
collection, recording, systematization, accumulation, storage, destruction, and depersonalization of personal data.
7. Conditions for Personal Data Processing
7.1. Personal data shall be processed with the consent of the personal data subject to the processing of their personal data.
7.2. Personal data processing is necessary to achieve the purposes provided for by an international treaty of the Russian Federation or by law, for the fulfillment of the Operator’s functions, powers, and obligations as established by the legislation of the Russian Federation.
7.3. Personal data processing is necessary for the administration of justice, execution of a judicial act, or an act of another authority or official subject to enforcement under the legislation of the Russian Federation on enforcement proceedings.
7.4. Personal data processing is necessary for the performance of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for entering into a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor.
7.5. Personal data processing is necessary for the exercise of the legitimate rights and interests of the Operator or third parties or for achieving socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject.
7.6. The processing of personal data made publicly available by the personal data subject or at their request is carried out (hereinafter referred to as “publicly available personal data”).
7.7. The processing of personal data subject to publication or mandatory disclosure in accordance with federal law is carried out.
7.8. The Website User gives consent to the processing of their personal data in the following cases:
– when registering a personal account on the Website;
– when logging in via social networks;
– when filling out a feedback form / requesting a callback on the Website;
– when subscribing to the newsletter;
– when submitting reviews;
– when entering into contracts.
7.9. Messengers (WhatsApp, Telegram) indicated on the Website are used exclusively as communication channels. Personal data is not collected or processed through them.
7.10. The Website may contain links to external data storage services (e.g., Google Drive, Yandex.Disk, etc.). These resources are not involved in the processing of personal data via the Website, and their owners bear responsibility for data processing on such platforms.
7.11. Notification to Roskomnadzor in the Event of a Personal Data Breach
In the event of unauthorized access to personal data, the Operator shall send an initial notification to Roskomnadzor no later than 24 (twenty-four) hours from the moment the breach is discovered, and a detailed notification no later than 72 (seventy-two) hours with information on the measures taken, the scope of the incident, and the assumed causes. The person responsible for submitting the notifications is specified in section 1.4.
8. Procedure for Collection, Storage, Transfer, and Other Types of Personal Data Processing
The security of personal data processed by the Operator is ensured through legal, organizational, and technical measures necessary to fully comply with the requirements of current legislation in the field of personal data protection.
8.1. The Operator ensures the safekeeping of personal data and takes all possible measures to prevent unauthorized access to personal data.
8.2. The User’s personal data shall never, under any circumstances, be transferred to third parties, except in cases related to the fulfillment of legal obligations or when the personal data subject has given consent to the Operator for the transfer of data to a third party to fulfill obligations under a civil law contract.
8.3. If inaccuracies in personal data are discovered, the User may update the data themselves by sending a notification to the Operator via email at office@kedrcity.ru with the subject “Personal Data Update”.
8.4. The duration of personal data processing is determined by the achievement of the purposes for which the personal data was collected, unless a different period is specified by contract or applicable law.
The User may withdraw their consent to personal data processing at any time by sending a notification to the Operator via email at office@kedrcity.ru with the subject “Withdrawal of Consent to Personal Data Processing”.
8.5. All information collected by third-party services, including payment systems, communication tools, and other service providers, is stored and processed by those entities (Operators) in accordance with their own User Agreements and Privacy Policies. The personal data subject is responsible for familiarizing themselves with these documents. The Operator is not liable for the actions of third parties, including the service providers mentioned in this section.
8.6. Restrictions imposed by the personal data subject on the transfer (excluding granting access), processing, or conditions of processing of personal data authorized for dissemination shall not apply when such data is processed for public, state, or other legally significant interests as defined by the legislation of the Russian Federation.
8.7. The Operator ensures the confidentiality of personal data during its processing.
8.8. The Operator stores personal data in a form that allows identification of the personal data subject for no longer than required to achieve the purposes of personal data processing, unless a longer period is established by federal law or a contract to which the personal data subject is a party, beneficiary, or guarantor.
8.9. Grounds for termination of personal data processing include: achievement of the purposes of processing, expiration of the data subject’s consent, withdrawal of consent by the data subject, a request to cease processing, or discovery of unlawful processing of personal data.
8.10. Localization of Personal Data Storage in the Russian Federation
The Operator ensures that all personal data of citizens of the Russian Federation is initially recorded, stored, and updated exclusively on servers physically located within the territory of the Russian Federation, in accordance with Part 5, Article 18 of Federal Law No. 152-FZ. Cross-border transfer is permitted only after local recording and software-based depersonalization of the data.
9. List of Actions Performed by the Operator with Collected Personal Data
9.1. The Operator performs the collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
9.2. The Operator carries out automated processing of personal data with or without the receipt and/or transmission of the obtained information via information and telecommunication networks.
9.3. Procedure for the Destruction of Personal Data
Upon achieving the purposes of processing or upon the occurrence of lawful grounds for deletion, the Operator shall destroy the personal data within no more than 30 calendar days in the following manner:
(a) preparation of a destruction report;
(b) deletion of data from information systems;
(c) physical destruction of paper-based documents;
(d) signing of the report by a commission consisting of two authorized employees.
10. Cross-Border Transfer of Personal Data
10.1. Before commencing the cross-border transfer of personal data, the Operator must notify the authorized body for the protection of personal data subjects’ rights of its intention to carry out such a transfer (this notification is submitted separately from the general notification of personal data processing).
10.2. Prior to submitting the above notification, the Operator must obtain relevant information from the authorities of the foreign country, or from foreign individuals or legal entities to whom the cross-border transfer of personal data is planned.
11. Confidentiality of Personal Data
The Operator and other persons who have access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
12. Final Provisions
12.1. The User may request any clarification regarding the processing of their personal data by contacting the Operator via email at office@kedrcity.ru.
12.2. Any changes to the Operator’s personal data processing policy will be reflected in this document. The Policy remains in effect indefinitely until it is replaced by a new version.
12.3. The current version of the Policy is freely available online at: https://kedrcity.ru/privacy
