Policy of Sole Proprietor Parshukova I.V. regarding the processing of personal data
1. General provisions
1.1. This Policy of Sole Proprietor Parshukova I.V. regarding the processing of personal data (hereinafter – the Policy) has been developed pursuant to paragraph 2 part 1 article 18.1 of the Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter – the Personal Data Law) in order to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of the rights to privacy, personal and family secrecy.
1.2. The personal data operator is:
Sole Proprietor Parshukova Irina Vitalyevna (hereinafter – the Operator)
TIN: 772612023442
PSRNIP: 318774600539961
Legal address: 117545, Moscow, ul. Podolskikh Kursantov, d. 14, korp. 1, kv. 1
Email: love@axis.moscow
Phone: +7 (916) 366-93-49
1.3. Pursuant to part 2 article 18.1 of the Personal Data Law, this Policy is published in open access in the information and telecommunications network Internet at the Operator’s website at https://axis.moscow (hereinafter – the Website).
1.4. Basic terms used in the Policy:
personal data – any information relating to a directly or indirectly identified or identifiable individual (personal data subject);
personal data operator (operator) – a state body, municipal body, legal or natural person that, independently or jointly with others, organizes and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data;
personal data subject – an individual who can be directly or indirectly identified through personal data;
personal data processing – any action (operation) or set of actions (operations) performed with personal data, with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction;
automated processing of personal data – processing of personal data using computer technology;
distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons;
provision of personal data – actions aimed at disclosing personal data to a specific person or a specific circle of persons;
blocking of personal data – temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data);
destruction of personal data – actions resulting in the impossibility of restoring the content of personal data in the personal data information system and (or) the destruction of tangible personal data carriers;
depersonalization of personal data – actions resulting in the impossibility, without the use of additional information, to determine whether personal data belongs to a specific personal data subject;
personal data information system – a set of personal data contained in databases and information technologies and technical means ensuring their processing.
1.5. Basic rights and obligations of the Operator.
1.5.1. The Operator shall:
process personal data solely for the purposes specified in the Policy, in compliance with the legislation of the Russian Federation, and take necessary and sufficient measures to ensure compliance with the obligations established by the Personal Data Law and the regulatory legal acts adopted in accordance with it;
not disclose personal data without the consent of the personal data subject (hereinafter – the User), unless otherwise provided by the legislation of the Russian Federation;
process personal data in accordance with the principles and rules established by the Personal Data Law;
organize the protection of personal data in accordance with the requirements of the legislation of the Russian Federation;
review requests from the User (or their legal representative) regarding the processing of personal data and provide reasoned responses;
provide the User (or their legal representative) with free access to their personal data;
take measures to clarify, block, delete, depersonalize the User’s personal data in cases established by the Personal Data Law.
1.5.2. The Operator has the right to:
independently determine the scope and list of measures necessary and sufficient to ensure compliance with the obligations established by the Personal Data Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;
entrust the processing of personal data to another person with the consent of the User, unless otherwise provided by federal law, on the basis of a contract with that person, including state or municipal contracts, or by the adoption of a corresponding act by a state or municipal body;
in the event of withdrawal of consent to the processing of personal data by the User, continue processing such data without their consent on the grounds specified in the Personal Data Law;
receive from the User reliable information and/or documents containing the User’s personal data for the purposes of processing specified in the Policy;
require the User to timely update provided personal data.
1.6. Basic rights and obligations of the personal data subject.
1.6.1. The personal data subject shall:
ensure the accuracy of personal data provided to the Operator, necessary for the purposes of processing specified in the Policy;
provide the Operator with information to clarify (update, modify) the provided personal data if necessary.
1.6.2. The personal data subject has the right to:
receive complete information regarding the processing of their personal data by the Operator, except in cases provided by the legislation of the Russian Federation;
request clarification, blocking, or deletion of their personal data if such data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the declared purpose of processing;
provide the Operator with consent to the processing of personal data signed in a separate document;
withdraw consent to the processing of personal data;
take legal measures to protect their rights.
1.7. The Operator and Users also have other rights and obligations provided by the legislation of the Russian Federation.
1.8. The Operator shall maintain confidentiality and not disclose personal data to third parties without legal grounds. To protect data, the Operator applies, among other measures: antivirus software, data encryption, access rights limitation, maintaining a log of personal data processing, separate storage of personal data processed for different purposes, and other actions provided by the legislation of the Russian Federation.
1.9. Control over compliance with this Policy is carried out by the authorized person responsible for organizing the processing of personal data at the Operator.
1.10. Liability for violation of the legislation of the Russian Federation and regulatory acts in the field of personal data processing and protection is determined in accordance with the legislation of the Russian Federation.
2. Purposes of personal data processing
2.1. The processing of personal data shall be limited to achieving specific, predetermined, and lawful purposes. The processing of personal data that is incompatible with the purposes of collecting personal data is not permitted. The personal data being processed shall not be excessive in relation to the stated purposes of their processing.
2.2. The Operator processes personal data for the following purposes:
carrying out its activities in accordance with internal local acts, including the conclusion and execution of contracts with counterparties in the form of booking and accommodation services;
delegating authority to third parties to process personal data in accordance with part 3 article 6 of the Personal Data Law;
informing about the operation of the Website, monitoring, and improving service quality;
establishing feedback with the User, including sending notifications and requests;
proper provision of services, processing of User requests and applications;
providing the User with effective customer and technical support in case of problems;
maintaining internal guest records;
conducting web analytics, statistical, and research activities;
carrying out marketing and advertising actions, including informational mailings, for the purpose of establishing and further developing relationships (subject to the prior consent of the personal data subject);
conducting ongoing business activities (including, but not limited to, negotiations, litigation, claims management, execution of commercial, financial, and business contracts, sending offers, and commercial proposals);
concluding and regulating labor relations and other directly related relations, ensuring compliance with labor, tax, insurance, and pension legislation of the Russian Federation;
fulfilling the requirements of the legislation of the Russian Federation.
2.3. The Operator does not process special categories of personal data related to race, nationality, political opinions, religious or philosophical beliefs, intimate life, or criminal record.
3. Legal grounds for personal data processing
Constitution of the Russian Federation;
Civil Code of the Russian Federation;
Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”;
Federal Law No. 149-FZ of 27.07.2006 “On Information, Information Technologies, and Information Protection”;
Federal Law No. 294-FZ of 26.12.2008 “On the Protection of the Rights of Legal Entities and Individual Entrepreneurs in the Exercise of State Control (Supervision) and Municipal Control”;
Decree of the President of the Russian Federation No. 188 of 06.03.1997 “On Approval of the List of Confidential Information”;
Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 “On Approval of the Requirements for the Protection of Personal Data during Their Processing in Personal Data Information Systems”;
Order of the Federal Service for Technical and Export Control of Russia (FSTEC of Russia) No. 21 of 18.02.2013 “On Approval of the Composition and Content of Organizational and Technical Measures to Ensure the Security of Personal Data during Their Processing in Personal Data Information Systems”;
consents of personal data subjects to the processing of their personal data, executed separately from other consents of the personal data subject (in accordance with part 1 article 10.1 of the Personal Data Law);
contracts concluded between the Operator and personal data subjects.
4. Scope and categories of processed personal data, categories of personal data subjects
4.1. Categories of personal data subjects:
employees of the Operator who have concluded an employment contract with the Operator, including former employees and job applicants;
self-employed individuals (taxpayers under the Professional Income Tax regime), providing services or performing work for the Operator, representatives of counterparties – individuals who are employees, authorized representatives, or contact persons of organizations and individual entrepreneurs providing services or who have concluded contracts with the Operator;
guests – individuals who have actually used the Operator’s accommodation and related services;
clients – individuals who have concluded or intend to conclude a service agreement with the Operator, including persons who have submitted requests or made reservations but have not yet used the service, as well as visitors (users) of the Website;
individuals viewing pages of the Website https://axis.moscow on a computer and/or mobile device.
4.2. The personal data processed by the Operator include:
last name, first name, patronymic of the User;
date and place of birth;
gender, citizenship, age;
address of registration and actual residence;
mobile phone number;
email address;
passport details: series, number, name of the issuing authority, date of issue;
birth certificate details;
other or similar details of identity documents;
information about accompanying persons;
for foreign citizens – visa and migration card details, contact phone numbers, email address, purpose of visit;
data automatically transmitted to the Website services (through forms) during their use by means of the User’s device software, namely: IP address, cookie data, analytical trackers, information about the User’s browser (or another program used to access the services), behavioral data.
4.3. The Operator ensures that the content and scope of processed personal data correspond to the declared purposes of processing provided for in section 2 of this Policy.
5. Procedure and conditions for processing and storing personal data
5.1. The processing of personal data by the Operator is carried out in accordance with the requirements of the legislation of the Russian Federation using automation tools with transmission over the Internet.
5.2. The list of actions performed by the Operator with the User’s personal data for the purposes set out in section 2 of the Policy: collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction.
5.3. The processing of personal data by the Operator shall be carried out subject to obtaining the User’s consent (hereinafter – Consent), obtained in accordance with the requirements of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”, except in cases established by the legislation of the Russian Federation when personal data may be processed without such Consent.
5.4. The User decides to provide his/her personal data and gives Consent freely, of his/her own will, and in his/her own interest.
5.5. The period of processing of personal data is determined by achieving the purposes for which personal data were collected, unless another period is provided for by the contract with the User or applicable legislation.
The condition for termination of personal data processing may be the achievement of the purposes of personal data processing or the loss of the necessity to achieve these purposes, the expiration of the Consent or withdrawal of the Consent by the User, as well as the detection of unlawful processing of personal data.
5.6. If the Operator entrusts the processing and storage of personal data to another person on the basis of the relevant contract/agreement, the Operator shall be liable to the User for the actions of such person. If the Operator entrusts the processing and storage of personal data to a foreign legal entity, both the Operator and such legal entity shall be liable to the User.
5.7. Consent may be withdrawn in the following manner: by the personal data subject contacting the Operator by sending a message to the email address: love@axis.moscow, with a request to terminate the processing of personal data. Within a period not exceeding 10 business days from the date of receipt of such request by the Operator, the processing of personal data shall be terminated, except in cases provided for by the Personal Data Law. This period may be extended, but not more than by five business days. In such case, the Operator must send the personal data subject a reasoned notification indicating the reasons for the extension.
5.8. The Operator disseminates personal data permitted by the User for dissemination, i.e., performs actions aimed at disclosing them to an unlimited number of persons, in compliance with the requirements, prohibitions, and conditions established by part 9 article 9 and article 10.1 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”. Disclosure to third parties and dissemination of personal data without the User’s consent is not permitted, unless otherwise provided by federal law. Consent to the processing of personal data permitted by the User for dissemination shall be executed separately from other consents of the User to the processing of his/her personal data, taking into account the requirements for the content of such consent approved by Roskomnadzor.
The transfer of personal data to third parties is carried out by the Operator only on the basis of a relevant contract with the third party, a material condition of which is the obligation of the third party to ensure confidentiality and security of personal data during their processing. The transfer of personal data to third parties shall be carried out only to the extent necessary to achieve the purposes of processing and exclusively to persons who have a confidentiality and personal data protection agreement with the Operator.
5.9. In processing personal data, the Operator takes or ensures that the necessary legal, organizational, and technical measures are taken to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions in relation to personal data.
5.10. Personal data shall be stored in a form that allows the identification of the User for no longer than required by the purposes of personal data processing, unless the period of storage of personal data is established by federal law, contract, of which the User is a party, beneficiary, or guarantor.
5.11. In processing personal data, the Operator complies with the requirements of article 18 of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”.
5.12. The Operator shall cease processing of personal data in the following cases:
unlawful processing of personal data has been identified, within the timeframes specified in section 6 of the Policy;
the purposes of processing have been achieved;
the Consent of the personal data subject to the processing of such data has expired or been withdrawn, in cases where the Personal Data Law permits the processing of such data only with Consent.
5.13. When collecting personal data, including through the information and telecommunication network Internet, the recording, systematization, accumulation, storage, clarification (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located outside the Russian Federation is not permitted, except in cases specified by the Personal Data Law.
6. Updating, correcting, deleting, destroying, anonymizing personal data, and responses to data subject requests for access to personal data
6.1. In the event of unlawful processing of personal data being identified upon a request by the User (or their representative), or upon receipt of such a request from the User (or their representative), or from the authorized body for the protection of personal data subjects, the Operator shall block the unlawfully processed personal data related to the relevant User, or ensure their blocking from the moment of such a request or receipt of the specified request from the User, for the duration of the verification.
In the event of inaccurate personal data being identified upon a request by the User or their representative, or upon such a request from the authorized body for the protection of personal data subjects, the Operator shall block the personal data related to that User, or ensure their blocking from the moment of such a request or receipt of the specified request for the duration of the verification, unless blocking the personal data would infringe upon the rights and lawful interests of the User or third parties.
6.2. If the inaccuracy of personal data is confirmed, the Operator shall, on the basis of information provided by the User (or their representative) or by the authorized body for the protection of personal data subjects, or based on other necessary documents, clarify the personal data or ensure their clarification within seven (7) working days from the date such information is provided.
6.3. In the event of unlawful processing of personal data being identified, the Operator shall, within no more than three (3) working days from the date of such identification, cease the unlawful processing of personal data or ensure the cessation of unlawful processing. If ensuring the lawfulness of personal data processing is not possible, the Operator shall, within no more than ten (10) working days from the date of identifying unlawful processing, destroy such personal data or ensure their destruction.
6.4. Upon achieving the purpose of personal data processing, the Operator shall destroy the personal data or ensure their destruction within no more than thirty (30) days from the date the purpose of processing is achieved, unless otherwise provided for by a contract to which the User is a party, beneficiary, or guarantor, by another agreement between the Operator and the User, or if the Operator is not entitled to process the personal data without the User’s consent under the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” or other federal laws.
6.5. If the User withdraws their consent to the processing of their personal data and the retention of personal data is no longer required for processing purposes, the Operator shall destroy the personal data or ensure their destruction within no more than thirty (30) days from the date such withdrawal is received, unless otherwise provided for by a contract to which the User is a party, beneficiary, or guarantor, by another agreement between the Operator and the User, or if the Operator is not entitled to process the personal data without the User’s consent under the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” or other federal laws.
6.6. Within no more than seven (7) working days from the date the User (or their representative) provides information confirming that such personal data were unlawfully obtained or are not necessary for the stated purpose of processing, the Operator shall destroy such personal data.
6.7. In the event that the Operator, Roskomnadzor, or another interested party identifies an incident of unlawful or accidental transfer (provision, dissemination) of personal data (access to personal data) that has resulted in the violation of the rights of personal data subjects, the Operator shall:
within 24 hours notify Roskomnadzor of the incident, the presumed causes that led to the violation of the rights of personal data subjects, the presumed harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident, and also provide information about the person authorized by the Operator to interact with Roskomnadzor on matters related to the incident;
within 72 hours notify Roskomnadzor of the results of the internal investigation of the identified incident and provide information about the persons whose actions caused it (if available).
6.8. The methods of destroying personal data are defined in the Operator’s internal regulations.
6.9. Processed data shall be destroyed or anonymized (including, but not limited to, by replacing part of the information specified in section 4 with an ID) once the purposes of processing are achieved or when the need to achieve such purposes no longer exists. The procedure for anonymizing personal data is established in the Operator’s internal regulations.
6.10. Detailed actions related to preventing and detecting violations in the field of personal data processing are established in the Operator’s internal regulations.
7. Liability of the Parties
7.1. The Operator is liable for violations of the requirements of the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” in accordance with the legislation of the Russian Federation.
7.2. The User has the right to claim damages and/or compensation for moral harm in court.
Moral harm caused to the User as a result of the violation of their rights, violation of personal data processing rules, as well as requirements for the protection of personal data established under the Federal Law of 27.07.2006 No. 152-FZ “On Personal Data” and the provisions of this Policy, shall be compensated in accordance with the legislation of the Russian Federation. Compensation for moral harm is carried out regardless of the compensation of property damage and losses incurred by the User.
8. Dispute Resolution
8.1. In case of disputes and/or disagreements arising from relations between the User and the Operator, such matters shall be resolved in accordance with the legislation of the Russian Federation.
8.2. The Policy and relations between the User and the Operator are governed by the applicable legislation of the Russian Federation.
9. Final Provisions
9.1. The Operator has the right to make changes to the Policy without the User’s consent.
9.2. The new version of the Policy comes into effect from the moment of its publication on the Website, unless otherwise provided by the new version of the Policy. The new version of the Policy applies to relations arising after it has come into force. The current version of the Policy is always available on the Operator’s Website. When making changes, the Operator notifies Users by publishing the new version of the Policy on the Website.