- arising in the course of processing personal data of the Operator’s employees, as such relations are governed by a separate in-house regulation;
- that are not subject to the Law (clause 1, article 1 of the Law).
- Surname, given name, patronymic;
- Electronic mail address;
- Telephone number;
- Address;
- Date of birth;
- Gender;
- Social media accounts data;
- Internet pages requested;
- Cookie files;
- IP addresses;
- Purchase history.
- registration and/or authorization of a Personal Data Subject on the Operator’s website at shop.evalar.ru, as well as on other websites managed by the Operator;
- entering into and performing agreements to which a User is a party in accordance with the terms and conditions of a Public Offer including agreements for retail sale and purchase of Goods and commercial service agreements;
- processing orders placed by a Personal Data Subject and performing its obligations before such Personal Data Subject;
- informing Personal Data Subjects of promotions, special offers, new goods and services;
- providing Order status information;
- posting by Users and Buyers of their feedback about the Goods;
- quality analysis of the service provided by the Operator and improving the quality of the Operator’s customer service;
- identification of Users and Buyers in Promotion Campaigns, ensuring the procedure for crediting, recording and using bonus points provided under User and Buyer loyalty programs;
- performance by the Operator of its obligations to hold Promotion Campaigns; meeting other Website Terms of Use as provided by Website Use Rules;
- for other purposes, provided that the Operator’s relevant actions do not contradict applicable law and the Operator’s scope of activities, and the consent to the aforesaid processing has been obtained from the Personal Data Subject concerned;
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- refinement (updating, amendment);
- extraction;
- use;
- transfer (dissemination, provision, access);
- оdepersonalization;
- blocking;
- deletion;
- destruction.
- Operator means a government authority, a municipal authority, a legal entity or an individual arranging for and/or performing the processing of personal data and defining the purposes and scope of personal data processing.
- Personal data means any information related to a directly or indirectly identified or identifiable individual (citizen).
- Personal data processing means any action (operation) or a series of actions (operations) with personal data performed using or without using automation facilities, including collection, recording, systematization, accumulation, storage, refinement (updating, amendment), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion and destruction of personal data.
- PDP Supervisor means the Operator’s officer in charge of organizing the processing of Personal Data Subjects’ personal data, whose position may not be lower than the head of a structural subdivision.
- Mailing Group Service means the Operator’s structural unit responsible for organizing the processing of Personal Data Subjects’ personal data.
PRINCIPLES OF PERSONAL DATA PROCESSING, SECURITY.
Personal data security shall be understood as the protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data and other illegal actions in respect of personal data. The Operator shall take necessary legal, organizational and technical measures to protect personal data.
- lawfulness and fairness;
- obtaining, in a timely and reliable manner, the consent from a Personal Data Subject to his/her personal data being processed;
- processing of only those personal data that meet the purposes for which they are processed;
- the scope and amount of personal data being processed must conform to the purposes for which they are processed. Personal data being processed may not be excessive in relation to the purposes for which they are processed;
- combining databases containing personal data that are processed for incompatible purposes is not allowed;
- personal data must be accurate, sufficient and, where necessary, relevant to the purposes of personal data processing. The Operator shall take necessary steps or cause the same to be taken to have incomplete or inaccurate data deleted or destroyed;
- personal data must be stored in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of personal data processing;
- ensuring that personal data are accurate, sufficient and relevant to the purposes of personal data processing;
- personal data must be destroyed or depersonalized as soon as the purposes of processing thereof have been achieved or if the achievement of such purposes is no longer required.
- Federal Law “On Personal Data” No. 152-FZ dd. 27.07.2006;
- this Policy;
- Article 12 of the Universal Declaration of Human Rights (1948);
- Article 17 of the International Covenant on Civil and Political Rights (1966);
- Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (1950);
- provisions of the Commonwealth of Independent States Convention on Human Rights and Fundamental Freedoms (Minsk, 1995) ratified by the Russian Federation on 11.08. 1998;
- the provisions of the Okinawa Charter on Global Information Society adopted on July 22, 2000;
- Russian Government Directive “On Approving the Requirements for Protection of Personal Data Processed in Personal Data Information Systems” No. 1119 dated 01.11.2012;
- Order of the Russian Federal Service for Technical and Export Control (FSTEC) “On Approving the List and Scope of Organizational and Technical Measures for Protection of Personal Data Processed in Personal Data Information Systems” No. 21 dated 18.02.2013;
- other regulatory and non-regulatory instruments governing personal data processing.
OBTAINING PERSONAL DATA
- directly from Personal Data Subjects when they enter their data on shop.evalar.ru website and other websites managed by the Operator;
- directly from Personal Data Subjects when they contact the call center;
- using any other methods that do not contradict the laws of the Russian Federation and the requirements of international law on the protection of personal data.
- checking the respective box in the relevant form to confirm the consent to the processing of personal data to the extent, for the purposes and in the manner described in the text intended for review before registration or placing an order.
- Consent shall be deemed received upon such registration or order placement, subject to confirmation by the Personal Data Subject in the prescribed manner, and shall continue in effect until the Personal Data Subject sends a respective request for termination of personal data processing to the Operator’s location address.
- In the absence of Personal Data Subject’s consent to the processing of his/her personal data, such processing shall not be performed.
to withdraw the consent to personal data processing given in writing, a respective request shall be sent in writing to the Operator’s location address.
PERSONAL DATA PROCESSING RULES AND PROCEDURES
- the provisions of the Russian Federation law on personal data including the requirements applicable to the procedure for protecting personal data;
- the documents defining the Operator’s policy with regard to personal data processing including this Policy, annexes and amendments hereto;
- in-house regulations on personal data processing.
The Operator’s employees may obtain only those personal data that they require to perform specific employment duties. The Operator’s employees engaged in the processing of personal data shall be informed about such processing, special aspects and rules of such processing established by regulatory legal instruments and the Operator’s internal documents.
- Director of the Organization;
- PDP Supervisor;
- employees engaged in the collection and processing of personal data;
- Personal Data Subjects or their authorized representatives.
The aforesaid persons shall have the right of access only to those personal data that they require to perform their specific functions, with copying and extracting allowed only with a written authorization issued by the PDP Supervisor, or as may be directly requested by a Personal Data Subject or his/her authorized representative. Should the Operator assign the processing of personal data to third parties, other than its employees, under respective agreements made with them (or on other grounds), pursuant to which they need have access to personal data of Personal Data Subjects, respective data shall only be provided by the Operator upon the execution of a relevant agreement with the persons processing personal data on behalf of the Operator, which agreement shall define the list of actions (operations) with personal data to be performed by the person processing them and the purposes of such processing; such agreement shall also provide for the obligation of such person to keep personal data confidential, ensure the security of personal data during the processing thereof and specify the requirements applicable to the protection of personal data being processed as provided for by Article 19 of the Law.
OPERATOR’S STRUCTURAL SUBDIVISIONS ENGAGED IN PERSONAL DATA PROCESSING
- familiarize the Operator’s employees with the provisions of the Russian Federation law on personal data, in-house regulations on personal data processing and personal data protection requirements;
- organize personal data processing by Operator’s employees;
- organize the receipt and processing of inquiries and requests from Personal Data Subjects or their representatives.
PROCEDURE FOR ENSURING THE RIGHTS OF PERSONAL DATA SUBJECTS BY THE OPERATOR
PERSONAL DATA RETENTION
MONITORING, LIABILITY FOR VIOLATION OR NON-COMPLIANCE WITH THIS POLICY
MISCELLANEOUS