1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) was prepared in accordance with Paragraph 2 Part 1 Article 18.1 of the Federal Law of the Russian Federation No. 152-FZ "On Personal Data" dated 27 July 2006 (hereinafter referred to as the Data Protection Law/DP Law) and defines the position of the following legal entity: RAMMKA LLC / OOO "RAMKA" (Principal State Registration Number/OGRN: 1187746635570, Taxpayer Identification Number/INN: 9731005339, with its registered address at: ul. Osennyaya, d. 16, of. 48, Moscow) and/or its affiliates (hereinafter referred to as the Company) with regard to processing and protection of Personal Data (hereinafter referred to as the Data), respect for the rights and freedoms of individuals and, in particular, their right to protection of privacy, personal and family secrets.
2. Scope of Application
2.1. This Policy applies to the Data received both before and after the implementation of this Policy.
2.2. The Company ensures the reliable protection of the Data while understanding the importance and value of the Data, as well as taking care to respect the constitutional rights of citizens of both the Russian Federation and other states.
3.1. The Data refers to any information related to a specified or identifiable (either directly or indirectly) individual (citizen). Such information includes, in particular: last name, first name, patronymic, registration/mailing address, e-mail, phone number, date or place of birth, link to a personal website or an account in social networks.
3.2. The Data processing refers to any action (operation) or series of actions (operations) with the Data performed by using automation tools and/or without using such tools. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of the Data.
3.3. The Data Security refers to the protection of the Data from any unauthorized and/or unwarranted access, destruction, modification, blocking, copying, provision or distribution, as well as from other illegal actions taken in relation to the Data.
4. Legal Basis and Purpose of Data Processing
4.1. The processing and security of the Data in the Company is carried out and ensured in accordance with the requirements of the Constitution of the Russian Federation, the DP Law, the Labor Code of the Russian Federation, the subordinate acts and other federal laws of the Russian Federation that govern the cases and features of data processing, as well as by the guidelines and procedural documents adopted by the Federal Service for Technology and Export Control of Russia and the Russian Federal Security Service.
4.2. The subjects of the Data processed by the Company are:
4.3. The Company processes the subjects’ Data for the following purposes:
1) providing information on products, ongoing promotions and personal account status;
2) identifying a participant of a loyalty program; ensuring the procedure for registering the bonuses accumulation and use;
3) the Company fulfilling the obligations under a loyalty program.
1) providing information on products/services, ongoing promotions and special offers;
2) analyzing the quality of the service provided by the Company and improving the quality of the Company customer service;
3) providing information on the order status;
4) executing the agreement, including the purchase and sale agreement (incl. that concluded remotely on the Website), providing paid services; providing services, as well as accounting for the services rendered to service consumers for mutual settlements;
5) delivering the ordered product to the customer who placed an order on the Website, and returning the product.
5. Principles and Conditions of Data Processing
5.1. When processing the Data, the Company shall adhere to the following principles: Data processing is carried out legally and on a fair basis; the Data are not disclosed to third parties and are not distributed without the consent of the Data subject, except in the cases that require disclosure upon request by authorized state bodies or as a result of legal proceedings; the specific legitimate purpose is identified prior to the processing (also collection) of the Data; collecting only the Data that are necessary and sufficient for the stated purpose of the processing; prohibition to integrate the databases containing the Data the processing of which is carried out for the purposes incompatible with each other; Data processing is limited to the specified, explicit and legitimate purposes; the Data processed must be destroyed or depersonalized upon the fulfillment of the processing purposes or in case of absence of any further need to achieve these purposes, unless otherwise specified by federal laws.
5.2. The Company may include the subjects’ Data in public Data sources; when doing that, the Company shall obtain a written consent of the subject to their Data being processed; the subject may also express their consent by using the specific section on the Website (checkbox) - tick the relevant box to express their agreement.
5.3. The Company shall not process the Data related to race, nationality, political views, religious, philosophical or other beliefs, sexual life, membership in public associations, including trade unions.
5.4. Biometric Data (information on physiological and biological characteristics of a person that may serve as a ground to establish this person’s identity and that are used by the operator to establish the identity of the Data subject) are not processed by the Company.
5.5. The Company shall not perform any cross-border Data transfer.
5.6. The Company is entitled to transfer the Data to third parties (the Federal Tax Service, the State Pension Fund and other state agencies) in the cases provided for by the legislation of the Russian Federation.
5.7. The Company has the right to entrust the processing of the subjects’ Data to third parties (upon the Data subject’s consent) based on the agreement concluded with such parties, also in accordance with the User Agreement and the Personal Data Processing Policy posted on the Website.
5.8. The parties that process the Data under the contract concluded with the Company (operator’s contract of agency) are obliged to comply with the principles and rules of Data processing and protection provided for by the DP Law. For each third party, the contract shall define the purpose of processing and the list of actions (operations) with the Data that will be performed by the third party processing the Data; the contract shall establish the obligation of the third party to maintain confidentiality and ensure the Data security during the processing; it shall also specify the requirements for the protection of the processed Data in accordance with the DP Law.
5.9. In order to comply with the requirements of the current legislation of the Russian Federation and its contractual obligations, the Company shall process the Data both with and without the use of automation tools. The processing operations include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, or destruction of the Data.
5.10. The Company shall not allow for making decisions that are based solely on automated Data processing and that generate legal consequences for the Data subject or otherwise affect their rights and legitimate interests, except in cases stipulated by the legislation of the Russian Federation.
6. Rights and Obligations of Data Subjects and the Company with Regard to Data Processing
6.1. The subject whose Data are processed by the Company has the right to:
- confirmation of the fact of Data processing and information about the availability of the Data related to the relevant Data subject;
- information on the legal grounds for and the purpose of Data processing;
- information on the methods of Data processing used by the Company;
- information on the Company’s name and location;
- information on the parties (with the exception of the Company employees) that have access to the Data or to whom the Data may be disclosed under a contract with the Company or under a federal law;
- a list of processed Data related to the Data subject and information about their source, unless a different procedure for providing such Data is prescribed by a federal law;
- information on the terms of Data processing, including the terms of their storage;
- information on the procedure for the Data subject’s exercise of the rights provided for by the DP Law;
- name (last name, first name, patronymic) and address of the party that processes the Data on behalf of the Company;
- other information provided for by the DP Law or other legal acts of the Russian Federation;
- amending the Data, as well as blocking or destroying them if the Data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- revoking the subject’s consent to the processing of their Data at any time; demanding the elimination/correction of the Company’s illegal actions in relation to the Data;
- reporting the Company’s actions or lack of actions to the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) or appealing to court if the Data subject believes that the Company processes their Data in violation of the DP Law or otherwise violates their rights and freedoms;
6.2. During the process of Data processing the Company shall:
1) name and address of the Company or last name, first name, patronymic and address of its representative;
2) purpose and legal basis of the Data processing;
3) expected users of the Data;
4) legal rights of Data subjects;
5) Data source.
7. Data Protection Requirements
7.1. When processing the Data, the Company shall take the necessary legal, organizational and technical measures in order to protect the Data from unauthorized and/or unlawful access, destruction, modification, blocking, copying, provision, distribution of the Data, as well as from other illegal actions attempted in relation to the Data.
7.2. In accordance with the DP Law, such measures include (but are not limited to):
- identification of threats to the Data security during their processing via personal data information systems;
- application of organizational and technical measures to ensure the Data security during their processing in personal data information systems, necessary to meet the Data protection requirements, the implementation of which ensures the levels of the Data security established by the Government of the Russian Federation;
- use of information security tools that have successfully passed the compliance assessment procedure;
- assessment of the effectiveness of measures taken to ensure the Data security before commissioning of the personal data information system;
- keeping record of machine media that store the Data, if the Data are stored in machine-readable form;
- detection of unauthorized access to the Data and taking measures to prevent such incidents in the future;
- recovery of the Data modified or destroyed due to unauthorized access to them;
- establishing rules for access to the Data processed in the personal data information system, as well as ensuring registration and keeping record of all actions performed with the Data in the personal data information system.
8. Duration of Data Processing (Storage)
8.1. The duration of the Data processing (storage) is determined based on the Data processing purposes, in accordance with the validity terms of the contract with the Data subject, the requirements of federal laws, the requirements of Data operators (on whose behalf the Company processes the Data), the basic rules of the organizations’ archives, and the action limitation periods.
8.2. The Data whose processing (storage) period has expired must be destroyed, unless otherwise specified in the federal law. Storing the Data after the termination of their processing is allowed only after their depersonalization.
9. Procedure for Receiving Clarifications on Data Processing Issues
9.1. Persons whose Data are processed by the Company may receive clarifications on the processing of their Data by contacting the Company personally or by sending a corresponding written request to the address of the Company’s location: ul. Osennyaya, d. 16, of. 48, Moscow.
9.2. The official request to the Company must contain:
10. Features of Processing and Protection of the Data Collected by the Company by Using the Internet
10.1. The Company processes the Data received from the Website users via the http://rammka.ru/ online resource (hereinafter jointly referred to as the Website), as well as via incoming calls to the Company’s phone number +7 (908)994-76-12 or via the Company’s e-mail email@example.com
10.2. Data Collection
There are two main ways used by the Company to collect the Data via the Internet:
10.2.1. Data Provision
Personal provision of the Data (data entry by individuals themselves):
10.2.2. Submitting the Data by the Data subjects themselves via the Company’s phone number +7(908)994-76-12 or the Company’s e-mail firstname.lastname@example.org
10.3. Automatically Collected Information
The Company may collect and process information that is not personal data:
The Company automatically receives certain types of information obtained in the course of user interaction with the Website, e-mail correspondence, etc. This refers to technologies and services, such as web protocols, cookies, web tags, as well as applications and tools employed by the specified third party.
However, web tags, cookies, and other monitoring technologies do not allow for the automatic Data reception. If a Website user chooses to provide their own Data (for example, when filling out a feedback form or sending an e-mail message), then the processes of automatic collection of detailed information shall be activated - in order to ensure the convenience of using websites and/or to improve interaction with users.
10.4. Use of Data
The Company has the right to use the Data provided in accordance with the stated purposes of their collection only with the consent of the Data subject if such consent is required in accordance with the data-related legislation of the Russian Federation.
The Data obtained in a generalized and depersonalized form may be used to better understand the needs of customers who purchase the goods and services sold by the Company, as well as to improve the quality of service.
10.5. Data Transmission
The Company may assign third parties with the Data processing only upon the Data subject’s consent. The Data may also be transferred to third parties in the following cases:
a) as a response to legitimate requests from authorized state bodies, in accordance with laws, court decisions, etc.
b) the Data may not be transferred to third parties for marketing, commercial or other similar purposes, unless the Data subject’s prior consent to this has been obtained.
10.6. The Website contains links to other web resources that might contain information that is useful and interesting to the Website users. That said, this Policy does not apply to such other websites. The users who follow the links to other websites are advised to read the Data Processing Policies posted on those websites.
10.7. The Website user may withdraw their consent to Data processing at any time by sending a message, calling the Company’s phone number +7 (908)994-76-12, writing to the Company’s e-mail email@example.com, or by sending a written notification to the Company’s address: ul. Osennyaya, d. 16, of. 48, Moscow. After receiving such message, the processing of the user’s Data will be terminated and their Data will be deleted, except for the cases where the processing may be continued in accordance with the legislation.
11. Final Provisions
This Policy is a local regulatory act of the Company. This Policy is publicly available. This Policy is made publicly available by means of being published on the Company’s Website. This Policy may be revised in any of the following cases: