1. Basic concepts and definitions
For the purposes of this document, which defines the policy of Totallook Kids Limited Liability Company (hereinafter referred to as the Company) is a personal data operator and in relation to the processing of personal data (hereinafter referred to as the "Personal Data"), the following basic concepts are used:
Automated processing of Personal Data - Processing of Personal Data by means of computer hardware (hereinafter referred to as "MCH").
Actual threats to the security of Personal Data - a set of conditions and factors that create an actual danger of unauthorized, including accidental, access to Personal Data during their processing in the information system of personal data, which may result in the destruction, modification, blocking, copying, provision, distribution of Personal Data, as well as other unlawful actions.
Biometric Personal Data - information that characterizes physiological and biological features of a person, on the basis of which his/her identity can be established, and which is used by the Company to establish the identity of the Subject of Personal Data.
Blocking - temporary termination of processing of Personal Data (except for cases when processing of Personal Data is necessary to clarify the Personal Data).
Access - the ability to access and use Personal Data.
Personal Data Information System (PDNIS) - a set of information technologies and technical means contained in databases of Personal Data and supporting their processing.
Contractor - a natural person providing services to the Company under a civil law contract, except for assembly and delivery services;
Client - a natural person acting on behalf of himself/herself or a legal entity and purchasing and paying for goods through the Company's website or, as well as registering and/or ordering on the Company's website.
Tangible medium - a paper or machine-readable medium (including magnetic and electronic) on which Personal Data is recorded and stored.
Non-automated processing of Personal Data - processing of Personal Data contained in or extracted from an ISPDN, if such actions with Personal Data as the use, clarification, distribution, destruction of Personal Data in respect of each of the Subjects of Personal Data are performed with the direct participation of a human being.
Processing of Personal Data or Processing - any action (operation) or set of actions (operations) performed with Personal Data with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal Data.
Appeal - a proposal, statement or complaint sent to the Company in writing or in the form of an electronic document, as well as an oral appeal of a person.
Operator - a legal entity, independently or jointly with other persons organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data;
Partner - a natural person who provides the Company with assembly and (or) delivery services under a civil law contract.
Visitor - a natural person who needs to enter the Company's territory on a one-time basis.
Personal Data (PDN) - any information related to a directly or indirectly defined or identifiable natural person (Personal Data Subject ).
Policy - this Policy of the Company regarding the processing of Personal Data.
Provision - actions aimed at disclosure of Personal Data to a certain person or a certain circle of persons.
Disclosure - Providing an opportunity to familiarize oneself with the Personal Data processed by the Company.
Dissemination - actions aimed at disclosure of Personal Data to an indefinite number of persons.
Consent - consent of the Data Subject to the processing of his/her Personal Data provided by him/her in accordance with the procedure provided for by the applicable laws of the Russian Federation, including a handwritten signature or submitted in the form of an electronic document signed in accordance with the federal law with an electronic signature, or submitted in any form that allows to confirm the fact of its receipt, including by accepting the terms of use of the website, application, including by placing a "tick" in the relevant consent box;
Special categories of Personal Data - information related to race, nationality, political views, religious or philosophical beliefs, health status, or intimate life.
Personal Data Subject - a defined or identifiable natural person to whom personal data is directly or indirectly related.
Cross-border transfer of Personal Data - transfer of Personal Data to the territory of a foreign country to an authority of a foreign country, a foreign individual or a foreign legal entity.
Destruction - actions that make it impossible to restore the content of Personal Data in an ISPDN and (or) result in the destruction of Personal Data carriers.
Authorized Body - the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) or its territorial body, which performs the functions of an authorized body for the protection of the rights of personal data subjects.
Promotion Participant - an individual who has accepted the terms and conditions of an incentive promotion or event organized by the Company independently or jointly with third parties.
2. General provisions
- 2.1. Limited Liability Company "Totallook Kids" (hereinafter referred to as the Company), TIN/KPP 7709951111/770901001, registered at the address: 105064, Moscow, Nizhny Susalny per, 5, bldg. 15, pom.I, room 10, has developed the "Policy on Personal Data Processing" for the purpose of protection and security of your personal data
- 2.2. This Policy has been prepared in accordance with paragraph 2, part 2. 1 part 1 of Article 18.1 of the Federal Act "On Personal Data" No. 152-FZ dated July 27, 2006 (hereinafter - 152-FZ "On Personal Data"). The Policy defines the purposes, procedure and conditions for processing the personal data of Personal Data Subjects - employees, close relatives of employees, persons previously in labor relations with the Company, individuals rendering services under a civil law contract, candidates for vacant positions, employees of counterparties, individuals who have applied to the Company, other Personal Data Subjects whose data are processed by the Company.
- 2.3. The Company reserves the right to update and change the Policy at any time.
- 2.4. The Policy shall come into force from the date of its approval.
3. Rights and obligations of personal data subjects
- 3.1. The Personal Data Subjects have the right:
- 3.1.1. To freely, of their own free will and in their own interest, provide their Personal Data and give their Consent to their processing, except for cases in which the provision of Personal Data is mandatory due to the requirements of applicable law.
- 3.1.2. Revoke his/her Consent to the processing of Personal Data in the manner provided for by the Consent to the processing of Personal Data; receive information regarding the processing of his/her Personal Data in the manner, form and within the timeframe established by the legislation of the Russian Federation (hereinafter - RF) on Personal Data on a free (free of charge) basis, including the right to receive copies of all records containing Personal Data, except as otherwise provided for by the legislation of Russian Federation.
- 3.1.3. Request clarification of his/her Personal Data, their blocking or destruction if the Personal Data is incomplete, outdated, unreliable, illegally obtained, not necessary for the stated purpose of processing or used for purposes not previously stated.
- 3.1.4. Object to a decision made solely based on the Automated Processing of Personal Data.
- 3.1.5. To appeal the Company's actions or inaction to the authorized body for protection of the rights of Personal Data Subjects or to a court of law if he/she believes that the Company is processing his/her Personal Data in violation of the requirements of 152-FZ "On Personal Data" or otherwise violates his/her rights and freedoms.
- 3.1.6. Appoint its representatives.
- 3.1.7. Take measures to protect his/her rights as provided for by the legislation of the Russian Federation.
- 3.1.8. Exercise other rights granted to them by the legislation of the Russian Federation.
- 3.2. In order to ensure the accuracy of Personal Data, their sufficiency, and, where necessary, their relevance to the purposes of Personal Data processing when providing consent for Personal Data processing and/or when Personal Data processing may be carried out without the Subject's consent on the grounds stipulated by federal laws, Data Subjects shall be obliged to provide accurate information about themselves and immediately notify the Company of any changes to their Personal Data previously provided to the Company or the provision of which is stipulated by the applicable laws of the Russian Federation.
4. Rights and obligations of the company when processing personal data
- 4.1. The Company, while processing Personal Data, has the right to:
- 4.1.1. Carry out processing of Personal Data obtained by the Company in a lawful manner for predetermined purposes.
- 4.1.2. Entrust the processing of Personal Data to another person with the consent of the Data Subjects on the basis of an agreement concluded with such person.
- 4.1.3. Restrict the Data Subject's access to his/her Personal Data in accordance with federal laws, including if such access violates the rights and legitimate interests of third parties.
- 4.1.4. Perform other actions with the Personal Data that do not contradict the laws of the Russian Federation.
- 4.1.5. If the Data Subject revokes his/her Consent to the processing of Personal Data, continue to process such Personal Data without the Data Subject's Consent, provided that there are legal grounds established by the laws of the Russian Federation.
- 4.1.6. Obtain the Personal Data from a person who is not the Subject of the Personal Data in compliance with the requirements of the applicable laws of the Russian Federation.
- 4.2. When processing Personal Data, the Company shall:
- 4.2.1. Not disclose or disseminate the Personal Data without the consent of the Data Subject, unless otherwise provided for by the laws of the Russian Federation.
- 4.2.2. Provide the Data Subject or his/her representative with an opportunity to familiarize themselves with the Subject's Personal Data being processed within 10 (ten) business days from the date of receipt of such a request. The period of information provision may be extended for 5 (five) business days in the presence of a motivated request from the Company.
- 4.2.3. Explain to the Data Subject the legal consequences of a refusal to provide Personal Data if the provision of Personal Data is mandatory in accordance with the laws of the Russian Federation.
- 4.2.4. Ensure recording, systematization, accumulation, storage, clarification (update, change), retrieval of the Personal Data of Russian citizens using databases located on the territory of the Russian Federation, except for the cases specified in the 152-FZ "On Personal Data".
- 4.2.5. Explain to the Data Subject the procedure for making a decision based solely on the Automated Processing of his/her Personal Data and the possible legal consequences of such a decision, and provide an opportunity to object to such a decision.
- 4.2.6. Take necessary legal, organizational and technical measures to protect Personal Data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of Personal Data, as well as from other unlawful actions in relation to Personal Data.
- 4.2.7. Report to the authorized body for protection of the rights of the Subjects of Personal Data at the request of this body the necessary information within 10 (ten) business days from the date of receipt of such a request. The term for providing information may be extended for 5 (five) business days upon a motivated request from the Company.
- 4.2.8. Process requests from the Data Subjects in accordance with the procedure set forth in this Policy.
- 4.2.9. Eliminate violations of the law committed in the course of processing of Personal Data, to clarify, block and destroy Personal Data.
- 4.2.10. If the Personal Data is not received from the Personal Data Subject, take the actions provided for by Russian legislation, including, prior to the commencement of processing of such Personal Data, the Company shall provide the Personal Data Subject with the following information (except as provided for in Part Four of Article 18, 152-FZ "On Personal Data"):
- the name and location address of the Company;
- the purpose of the Processing of Personal Data and its legal basis;
- intended users of Personal Data;
- the rights of the Data Subject;
- the source of obtaining the Personal Data.
- 4.2.11. Obtain the Consents of the Personal Data Subjects for the processing of their Personal Data, except for cases provided for by the legislation of the Russian Federation, in which the processing of Personal Data is possible without the Consent of the Personal Data Subject.
- 4.2.12. When collecting Personal Data, ensure recording, systematization, accumulation, storage, clarification (update, change), retrieval of Personal Data of the Subjects of Personal Data who are citizens of the Russian Federation, using databases located in the territory of the Russian Federation.
- 4.2.13. Provide unrestricted access to this Policy and to the information on the implemented requirements to the protection of Personal Data on the Company's electronic resource (website), on the pages of the websites through which the Company collects Personal Data.
- 4.2.14. Block or ensure blocking of Personal Data for the period of internal audit in case of detection of:
- unlawful processing of Personal Data;
- inaccurate Personal Data;
- failure to destroy Personal Data within the period of time specified in the laws of the Russian Federation in the field of Personal Data or in the Company's local acts;
- 4.2.15. In accordance with the established procedure, inform the Personal Data Subjects or their representatives of the availability of Personal Data relating to the respective the Personal Data Subjects, and provide them with the opportunity to familiarize themselves with such Personal Data free of charge upon application and/or receipt of requests from such Data Subjects or their representatives, unless otherwise provided for by Russian law.
- 4.2.16. At the request of the Personal Data Subject or his/her representative, make the necessary changes to the Personal Data within the time limits established by law if they are incomplete, inaccurate or irrelevant, or destroy the Personal Data if, in accordance with the information provided by the Data Subject or his/her representative, the Personal Data are not necessary for the stated purpose of processing.
- 4.2.17. Inform the recipients of documents, electronic files and other information containing Personal Data of the need to maintain confidentiality of the Personal Data received.
- 4.2.18. Perform other duties imposed on the Company as a Personal Data Operator in accordance with the legislation of the Russian Federation.
5. Purposes of processing, categories of subjects, list, methods and terms of personal data processing
- 5.1. The Company processes the Personal Data of the Subjects in order to achieve specific, predetermined and legitimate purposes.
- 5.1.1. The Company processes the data of individual entrepreneurs for the purpose of conclusion, execution, amendment or termination of an agreement to which the Personal Data Subject is a party. For processing for these purposes, the Company uses: surname, first name, patronymic, TIN, OGRN, registration address, information on the status of an individual entrepreneur. When processing, the Company performs the following actions: collection, recording, systematization, accumulation, storage, clarification, blocking, deletion, destruction.
- 5.1.2. The Company processes data about the representative of a legal entity for the purpose of conclusion, execution, amendment or termination of a contract to which the represented legal entity is a party. For processing for these purposes the Company uses: surname, first name, patronymic, name of the represented legal entity and contact e-mail. When processing, the Company performs the following actions: collection, recording, systematization, accumulation, storage, clarification, blocking, deletion, destruction.
- 5.2. The Company is not allowed to process Personal Data that is incompatible with the stated purposes of processing.
- 5.3. The Company uses cookies. By visiting the Company's website(s), the Personal Data Subject consents to the processing of cookies using metric services (e.g., Yandex.Metrica) and other similar services to analyze and improve the level of performance of the relevant website and/or mobile application.
- 5.4. The Company does not process biometric categories of Personal Data.
- 5.5. The Company reserves the right to trust the Data Subjects and not to verify the accuracy of the received Personal Data.
6. Legal grounds for personal data processing
- 6.1. The Company processes Personal Data based on the following laws and regulations:
- 6.1.1. Constitution of the Russian Federation;
- 6.1.2. Civil Code of the Russian Federation;
- 6.1.3. Labor Code of the Russian Federation;
- 6.1.4. Tax Code of the Russian Federation;
- 6.1.5. Other federal laws, including:
- 6.1.5.1. Federal Act of the Russian Federation No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection";
- 6.1.5.2. Federal Act of the Russian Federation No. 38-FZ "On Advertising" dated March 13, 2006;
- 6.1.5.3. Federal Act of the Russian Federation No. 126-FZ "On Communications" dated July 7, 2003;
- 6.2. The Company processes Personal Data based on the consent of the Personal Data Subjects to the processing of their Personal Data.
- 6.3. The Company also has the right to process Personal Data in the following cases:
- 6.3.1. In cases where the processing of personal data is necessary for the execution of an agreement to which the Data Subject is a party or a beneficiary or guarantor, as well as for the conclusion of an agreement at the initiative of the Personal Data Subjects or an agreement under which the Personal Data Subjects will be a beneficiary or guarantor.
- 6.3.2. In cases when personal data processing is necessary for the exercise of rights and legitimate interests of the Company or third parties, provided that the rights and freedoms of the Personal Data Subjects are not violated, including in accordance with local regulations and other internal regulatory documents of the Company;
- 6.3.3. In other cases permissible under the personal data legislation.
7. Procedure and conditions of personal data processing
- 7.1. Processing of Personal Data (including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), blocking, deletion and destruction) shall be carried out by the Company in the following ways:
- 7.1.1. non-automated processing of Personal Data;
- 7.1.2. automated processing of Personal Data with or without transmission of the received information via information and telecommunications networks;
- 7.1.3. mixed processing of Personal Data.
- 7.2. In order to achieve the purposes of processing and on the basis of the Data Subject's Consent, the Company may entrust the processing of Personal Data to third parties. When entering into an agreement with a person who processes Personal Data on behalf of the Company, the Company shall determine the list of actions with Personal Data to be performed by the person performing the processing, the purposes of Personal Data processing, the obligation of such person to maintain the confidentiality of Personal Data and ensure the security of Personal Data during processing, the requirements for the protection of Personal Data processed in accordance with the laws of the Russian Federation, and other requirements provided for in Part 3, Article 6, Paragraph 3 of the 152-FZ "On Personal Data". If the processing of Personal Data is entrusted to a third party, the Company shall be liable to the Data Subject for the actions of such party. A person processing Personal Data on behalf of the Company shall be liable to the Company.
- 7.3. Transfer of Personal Data to third parties with the consent of the Data Subjects or in cases stipulated by the legislation of the Russian Federation.
- 7.4. When transferring Personal Data to third parties, the Company informs the receiving party in the terms of the agreement, cover letter or notice that the transferred information contains Personal Data, in respect of which confidentiality requirements must be observed.
- 7.5. The Company shall have the right to transfer Personal Data across borders in foreign countries. When performing cross-border transfer of Personal Data in foreign countries, the Company shall be guided by the requirements of the Russian legislation in the field of personal data security and the requirements of the Authorized Body.
- 7.6. The Company shall not make any decisions giving rise to legal consequences with respect to the Data Subject or otherwise affecting his/her rights and legitimate interests based solely on the automated processing of his/her Personal Data.
- 7.7. The Subjects' Personal Data shall be stored on both machine (electronic) and paper carriers of Personal Data.
- 7.8. Paper carriers of Personal Data shall be stored only in the locations specified in the list of storage locations for paper carriers of Personal Data.
- 7.9. When storing tangible carriers of Personal Data, the Company complies with the conditions for ensuring the safety of Personal Data and excluding unauthorized access to them.
- 7.10. The terms of processing of Personal Data shall be determined based on:
- 7.10.1. the purposes of processing the Personal Data;
- 7.10.2. the Consent to process Personal Data;
- 7.10.3. Federal Act No. 125-FZ dated 22.10.2004 "On Archiving in the Russian Federation" and other federal laws;
- 7.10.4. an agreement to which the Personal Data Subjects is a party, beneficiary or guarantor.
- 7.11. The termination of the processing of Personal Data shall be carried out upon expiration of the established terms of processing of Personal Data, at the request of the Personal Data Subjects in cases provided for by federal laws, upon revocation of the Data Subject's consent to the processing of his/her Personal Data (unless the Company has the right to continue processing Personal Data on another legal basis), upon achievement of the purpose of processing Personal Data or loss of the need to achieve the purpose, as well as upon detection of unlawful processing of Personal Data.
- 7.12. Personal Data shall be stored in a form that makes it possible to identify the Personal Data Subjects for no longer than required by the purpose of processing the Personal Data, unless Russian law, the Personal Data Subject’s Consent or an agreement sets other storage periods forth.
8. Updating, correction, deletion and destruction of personal data
- 8.1. Upon receipt of a request from the Personal Data Subjects, his/her representative or at the request of the Authorized Body with information that the Personal Data being processed are incomplete, inaccurate or irrelevant, the Company shall block (temporarily stop processing) the Personal Data and arrange for verification of the information set forth in the request. In the event that the Data Subject's arguments are confirmed, the Company shall make the necessary changes within a period not exceeding seven (7) business days from the date of receipt of such request, and the blocking of the Personal Data shall be lifted.
- 8.2. Upon receipt of a request from the Personal Data Subjects, his/her representative or at the request of the Authorized Body with information that the Personal Data being processed are illegally obtained or are not necessary for the stated purposes of processing the Personal Data, as well as in case of independent detection of such fact, the Company shall, within 3 (three) business days, block the Personal Data and arrange for verification of the legality of the Personal Data being processed. If there are no legal grounds for processing Personal Data, the Company shall destroy such Personal Data within a period not exceeding 10 (ten) business days from the date of receipt of the request or discovery of the fact of unlawful processing of Personal Data, and shall inform the Personal Data Subjects thereof (if the request is received from a representative of the Subject or Authorized Body). Subject or the Authorized Body, the information shall be sent to the Subject's representative or the Authorized Body, respectively).
- 8.3. The information specified in clauses 8.1 and 8.2 of the Policy shall be deemed to have been received from the Personal Data Subjects or his/her representative if it is provided in the form of a hard copy letter signed by the Data Subject or his/her representative, or sent from the e-mail address specified by the Data Subject or his/her representative when registering on the website or application, the rights to which belong to the Company, or provided in any other manner that gives the Company grounds to believe that the data was provided directly by the Personal Data Subjects.
- 8.4. The Company shall notify the Data Subject or his/her representative of the changes made and measures taken in accordance with clauses 8.1 and 8.2 above. 8.1 and 8.2 above, and take reasonable measures to notify third parties to whom the Personal Data Subject's Personal Data has been disclosed.
- 8.5. Upon achievement of the purposes of processing of the Personal Data, as well as in the event that the Data Subject revokes the Consent to their Processing within a period not exceeding 30 (thirty) days, the Company shall destroy the Personal Data and ensure the destruction of such processing by another person (if the processing is performed by another person acting on behalf of the Company), unless otherwise provided for in a contract to which the Personal Data Subjects is a party, beneficiary or guarantor, or if the Company has no other grounds for processing the Personal Data.
- 8.6. If the Personal Data Subjects requests the Company to cease processing of his/her Personal Data, the Company shall, within a period not exceeding ten (10) business days from the date of receipt of such request, cease processing of the Personal Data or ensure that such processing is ceased by another person (if processing is performed by another person acting on behalf of the Company), unless otherwise provided for in a contract to which the Data Subject is a party, beneficiary or guarantor, or if the Company has no other grounds for processing the Personal Data.
- 8.7. 8.7. The Company shall be entitled to carry out-processing without the Personal Data Subject's consent on the grounds provided for by the 152-FZ "On Personal Data" or other federal laws.
9. Consideration of appeals and requests of personal data subjects or their representatives
- 9.1. Appeals and requests may be submitted by the Personal Data Subjects or their legal representatives to the Company in person or sent by mail to the location of the Company according to the Unified State Register of Legal Entities.
- 9.2. Appeals and requests may also be sent by e-mail posted on the Company's website https://ttlook.ru with indication of the desired method of receiving a response from the Company:, by post or by e-mail to the address of the Personal Data Subjects or his/her legal representative specified in the Appeal or request.
- 9.3. The Company shall provide a response to the Address related to the processing of Personal Data, as well as to the request of the Authorized Body, within 10 (ten) business days from the moment of their registration.
- 9.4. The Data Subject shall have the right to request the Company to obtain information regarding the processing of his/her Personal Data, including the following information:
- 9.4.1. confirmation of the fact of processing of Personal Data by the Company;
- 9.4.2. legal grounds for processing Personal Data;
- 9.4.3. the purposes and methods of processing of Personal Data applied by the Company;
- 9.4.4. name and location of the Company, information about persons (except for Company employees) who have access to Personal Data or to whom Personal Data may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
- 9.4.5. 9.4.5. processed Personal Data related to the respective Personal Data Subjects, the source of their receipt;
- 9.4.6. the terms of processing of Personal Data, including the terms of their storage;
- 9.4.7. the procedure for exercising by the Personal Data Subjects of the rights provided for by the 152-FZ "On Personal Data";
- 9.4.8. data on the performed or intended cross-border transfer of Personal Data;
- 9.4.9. name or surname, first name, patronymic and address of the person processing Personal Data on the Company's instruction, if the processing has been or will be entrusted to such a person.
- 9.5. Upon receipt of the request specified in clause 9.4 of this Policy, the Company shall have the right to request from the Personal Data Subjects the details of an identity document (type of document, series, number, date of issue, issuing authority), information on contractual relations or other information confirming the fact of processing of Personal Data, if the provision of such information is provided in accordance with 152-FZ "On Personal Data" and/or is necessary for the Company to correctly process the Personal Data Subjects request.
- 9.6. The Company shall have the right to deny the Personal Data Subjects access to information about the processing of his/her Personal Data if the provision of such information violates the rights and legitimate interests of third parties, as well as in other cases established by the laws of the Russian Federation.
- 9.7. If the above information and the processed Personal Data have been made available for review to the Personal Data Subjects at his/her request, the Data Subject has the right to re-apply to the Company or send a repeated request in order to obtain the above information and familiarize himself/herself with such Personal Data not earlier than 30 days after the initial Application or initial request, unless a shorter period of time is established by federal law, a regulatory legal act adopted in accordance therewith, or an agreement to which he/she is a party or beneficiary, or by a contract to which he/she is a party or beneficiary.
- 9.8. The Personal Data Subjects has the right to re-apply to the Company or send a repeated request in order to obtain the specified information, as well as for the purpose of familiarization with the processed Personal Data prior to the expiration of the 30-day period, if such information and (or) the processed Personal Data were not provided to him/her for familiarization in full as a result of consideration of the initial Application. The repeated request must contain a justification for the repeated request.
- 9.9. The Company shall have the right to refuse to fulfill a repeated request from a Data Subject that does not meet the above conditions. Such refusal shall be motivated.
10. Fulfillment of obligations on processing and protection of personal data
- 10.1. The Company independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" and regulatory legal acts adopted in accordance with it, unless otherwise provided for by federal laws.
- 10.2. The Company applies the following measures to ensure the fulfillment of obligations stipulated by the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" in the field of personal data processing:
- a person responsible for organizing the processing of personal data is appointed;
- a person responsible for ensuring personal data security in information systems is appointed;
- Policies on personal data processing are issued;
- internal control and audit of compliance of personal data processing with the legislation of the Russian Federation, requirements to personal data protection, and the Company's Policy on personal data processing;
- assessment of the damage that may be caused to the subjects of personal data in case of violation of Federal Law No. 152-FZ, the correlation between this damage and the measures taken by the Company;
- breaches of confidentiality requirements by employees of the divisions are detected in a timely manner;
- users' powers in information systems are divided depending on their job responsibilities;
- rules for granting access to personal data information systems are established, periodic review (revision) of access rights of employees depending on their position and job duties is carried out; - other organizational and technical measures to ensure personal data security are applied in accordance with the requirements of regulatory legal acts, this Policy, internal regulatory documents of the Company on personal data processing.
- 10.3. In order to ensure security of personal data during their processing, the Company shall take the necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in respect of personal data.
11. Conclusion
- 11.1. This Policy is a publicly available document and shall be posted in the public domain at the Company's location, on the Website at https://ttlook.ru.
- 11.2. The responsibility of the Company's officials who process Personal Data or have access to Personal Data for failure to comply with the requirements of the regulations governing the processing and protection of Personal Data shall be determined in accordance with the laws of the Russian Federation, as well as local regulations and organizational and administrative documents of the Company.
- 11.3. Failure to comply with the requirements of Federal Law No. 152-FZ and other legislative acts regulating requirements in the field of personal data shall be subject to disciplinary, administrative, criminal and other liability established by law.