"Hotel Product" LTD PERSONAL DATA PROCESSINGPOLICY

1. General Provisions

Personal Data Protection Policy of "Hotel Product" LTD is aimed at providing unlimited access to information regarding the processing of personal data as well as information on the requirements for the protection of personal data at "Hotel Product" LTD.
This Policy describes the procedure for processing and protecting individuals in connection with the implementation of labor practices, entry into the agreements, and fulfillment of contractual obligations by "Hotel Product" LTD.
Personal data shall be classified as confidential information and shall be protected from unauthorized, including accidental, access.

2. Basic concepts in the area of personal data

Personal data shall mean any information relating directly or indirectly to a specific or identifiable individual, including:
full name;
date and place of birth;
registration address, place of residence;
marital, social, property statuses;
education, profession, income, etc.
Also, the following terms are used in this Policy:
Personal data processor shall mean a legal entity, which, independently or jointly with the third parties, organizes and processes personal data and determines the purposes of processing, the scope of personal data and actions with them;
Personal data subject shall mean an individual whose personal data is processed by the personal data processor.
Personal data processing shall mean any action performed with personal data, including collection, recording, systematization, accumulation, storage, improvement (update, amendment), extraction, use, transfer (distribution, provision, access), anonymization, locking, deletion, and destruction.
Automated processing of personal data shall mean processing of personal data with the use of computation engineering.
Distribution of personal data shall mean actions aimed at the disclosure of personal data to the public at large.
Provision of personal data shall mean actions aimed at the disclosure of personal data to a particular person or a particular number of persons.
Destruction of personal data shall mean actions resulting in the impossibility to restore the content of personal data in the personal data information system or in destruction of personal data storage media.
Anonymization of personal data shall mean actions that make it impossible without the use of additional information to determine the specific personal data owner.
Personal data information system shall mean a set of personal data contained in the databases as well as information technologies and technical means ensuring processing of such personal data.

3. Personal data processing

Personal data shall be collected directly from the personal data subject. If the provision of personal data is mandatory in accordance with the legislation, the legal consequences of the refusal to provide such data shall be explained to the personal data subject.
Collecting personal data from a third party is possible only subject to the availability of legal grounds.
When collecting personal data, including through the Internet, recording, systematization, accumulation, storage, improvement (update, amendment), extraction of personal data with the use of databases located in the territory of the Russian Federation shall be provided.
Collecting and processing personal data of an individual concerning his/her political and religious beliefs as well as private life is prohibited. In cases where the processing of such information is necessary in connection with the fulfillment of contractual obligations, such data can be collected and processed only subject to the written consent of an individual or his/her legal representative.
The processing of personal data shall be carried out subject to the consent of the personal data subject or in cases provided for by the legislation.
The processing of personal data shall be carried out solely for the purpose of complying with the laws and regulations, concluding agreements and fulfilling contractual obligations.
The processing of personal data shall be carried out only by the employees of the personal data processor authorized by the management according to the established procedure.
Personal data shall be processed electronically (in the personal data information systems, data media).
Personal data shall be stored permanently in a form allowing identifying the personal data subject, but as long as specified in a written order of the personal data subject.
The storage of personal data shall be carried out in view of confidential treatment.
The transfer of personal data to a third party shall be carried out only subject to the consent of the personal data subject or in cases expressly provided for by the legislation.
Disclosure of personal data to a third party without the written consent of the relevant personal data subject is prohibited, unless it is necessary to protect the life, health or other vital interests of the personal data subject.
The disclosure of personal data to a third party for commercial purposes without the written consent of the relevant subject is prohibited. The processing of personal data in order to promote goods, works, services on the market as well as for political campaigning shall be carried out only subject to the prior consent of the subject.
The processor shall have the right to assign the processing of personal data to a third party with the consent of the personal data subject.
The following persons shall have the right of access to the personal data processed by "Hotel Product" LTD:
Director General of "Hotel Product" LTD;
other employees of "Hotel Product" LTD, for whom the processing of personal data is necessary in connection with the performance of their duties. The admission of employees to the personal data shall be carried out by management according to the established procedure.
Any subject whose personal data is processed at "Hotel Product" LTD shall have the right to access his/her personal data, including the following information:
confirmation of the fact of processing his/her personal data;
legal grounds and purposes of processing his/her personal data;
goals and methods used by the processor for processing personal data;
name and location of the processor, information on the persons who have access to the personal data (except for the processor's employees) or to whom personal data may be disclosed on the basis of an agreement with the processor or according to the legislation;
the list of personal data to be processed relating to the relevant subject, and the source of their collection;
time frame for processing personal data and periods of their storage;
the procedure for the exercise by a subject of the rights provided for by the legislation;
the name of the person processing the personal data on behalf of the processor in the case where processing is assigned to a third party.

4. Personal data protection

When processing personal data, the necessary legal, organizational and technical measures shall be taken to protect personal data from unlawful or accidental access, destruction, modification, locking, copying, provision, distribution, as well as from other illegal actions regarding personal data.

5. Terms and conditions as well as principles of processing personal data in accordance with the GDPR

When processing personal data in the information systems of "Hotel Product" LTD in accordance with the requirements of Regulation EU 2016/679 of the European Parliament and of the Council "On the protection of natural persons with regard to the processing of personal data and on the free movement of such data" (General Data Protection Regulation, hereinafter referred to as the "GDPR"), the list of personal data to be processed may contain the following categories:
- basic information on the subject (full name, date of birth, gender, address of registration or actual residence, number of the main ID document, information on the date of issue of the said document and the issuing authority);
- basic information on the authorized representative of the subject (full name, date of birth, gender, address of registration or actual residence, number of the main ID document, information on the date of issue of the said document and the issuing authority, details of the power of attorney or other document confirming the powers of the representative);
- contact information (phone number, email address);
- scanned copies of the main ID document of the personal data subject;
- information collected and accumulated in the information systems of "Hotel Product" LTD in the process of providing services under the agreement to which the personal data subject is a party, including information on the history of the use of services.
"Hotel Product" LTD collects personal data of the subjects, including with the use of the information systems of "Hotel Product" LTD, through a variety of means: directly from the personal data subjects, their representatives, through the third parties as a part of agreements execution, one of the parties to which is the personal data subject. Personal data shall be transferred by the employees of the accommodation facility in order to execute agreements, one of the parties to which is the personal data subject. In this case, the agreements shall mean both commercial agreements and labor contracts. Personal data may also be collected from public authorities or organizations with a view of fulfilling the requirements of the law. Personal data may also be collected from the publicly available sources to obtain information on the subject in order to generate customized service offers to the fullest extent possible.
Personal data shall be processed subject to one of the following terms and conditions:
- the personal data subject gave his/her consent to the processing of personal data for one or more specific purposes;
- processing is necessary to fulfill the agreement, one of the parties to which is the personal data subject, or to take measures at the request of the personal data subject;
- processing is necessary to fulfill the obligations of "Hotel Product" LTD;
- processing is necessary to protect the vital interests of the personal data subject or other individual;
- processing is necessary to carry out tasks implemented in the interests of the state.
Personal data shall be processed permanently, but within the time frame specified in the notification on the need to stop processing personal data of the personal data subject received by "Hotel Product" LTD.
The personal data subject shall have the following rights in relation to the processing of his/her personal data:
- he/she may request confirmation of the fact of processing his/her personal data. He/she shall have the right to familiarize him/herself with the personal data processed, with information on the purposes of processing, on the categories of personal data processed and on the guarantees when the data are transferred to the third parties, on the processing time frame, sources of personal data collection, on the availability of an exclusively automated decision-making process. The subject can receive a copy of his/her personal data processed in the automated systems of "Hotel Product" LTD;
- he/she may request to correct his/her personal data in case of inaccuracies in the scope of the personal data processed;
- he/she may request to restrict the processing of all or a part of his/her personal data if 1) the accuracy of the personal data is disputed by the personal data subject, or 2) the illegal processing of personal data is revealed and the subject requires not to destroy them, but to restrict their processing, or 3) "Hotel Product" LTD shall, in accordance with the legislation, destroy personal data, but the subject needs such data to substantiate the application or claim in the framework of a judicial, criminal or administrative proceedings or during the judgement execution, or 4) the personal data subject objects to their processing (restriction for the period during which "Hotel Product" LTD will establish the fact of precedence of the legal grounds for further processing of his/her personal data over the legal requirements of the personal data subject);
- he/she may require to remove his/her personal data from the information systems of "Hotel Product" LTD and/or other available physical storage media if: 1) personal data are no longer required for the purposes for which they were collected, or 2) the personal data subject withdraws his/her consent on the basis of which the processing was carried out if there is no other legal grounds for further processing, or 3) the personal data are processed illegally, or 4) the personal data shall be destroyed in order to comply with the statutory obligation in accordance with the requirements of the legislation;
- he/she may request to provide him/her with a list of his/her personal data collected by "Hotel Product" LTD for processing in a structured, universal and machine-readable format and/or instruct "Hotel Product" LTD to transfer his/her personal data to a third party (if "Hotel Product" LTD has the appropriate engineering capabilities). In this case, "Hotel Product" LTD shall not be liable for the actions of a third party with personal data which may be committed in the future;
- he/she can file a complaint with the appropriate supervisory agencies if, in his/her opinion, when processing his/her personal data, «Hotel Product» LTD somehow violates his/her rights in the area of personal data processing.
The personal data subject shall understand that if a request is received from him/her to restrict processing, delete personal data, with an objection to the processing or withdrawal of consent to the processing of his/her personal data, he/she may be denied the fulfillment of obligations under the agreement to which the specified personal data subject is a party.
«Hotel Product» LTD may transfer personal data to the following categories of third parties:
- to its counterparties (for example, providing server rental services) subject to the availability of an agency agreement;
– to the state agencies in order to comply with legal requirements.
Cross-border transfer of personal data to the territories of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out only subject to the consent of the subject and/or in order to execute the agreement and/or in order to fulfill the requirements of the law. The specified cross-border transfer of personal data shall be based on the agreements guaranteeing the observance of the rights and freedoms of the personal data subjects.

6. Responsibility

Employees and other persons who got access to the personal data shall bear disciplinary, administrative, civil and criminal liability in accordance with federal laws of the Russian Federation for the violation of the requirements established by the legislation.

7. Final provisions

This Policy shall come into force from the moment of its approval and shall remain in force without limit of time. Amendments to the Policy shall be made by means of separate instruments of «Hotel Product» LTD.
All stakeholders shall have unlimited access to this Policy, including personal data subjects and public authorities exercising control and supervision function in the area of personal data.

8. Methods of contact with «Hotel Product» LTD regarding personal data processing

If there are any questions, proposals or intentions to exercise one or more of the rights of the personal data subject, he/she shall have the right to contact «Hotel Product» LTD in one of the following ways:
– at the address: 191025, Russian Federation, St. Petersburg, 67 Nevsky Prospect, letter A, room 10N;
– by phone: + 442038075923;
– by e-mail: help@bnovo.pro.