Policy

1. General Provisions

1.1. This Personal Data Processing Policy (hereinafter referred to as the Policy) was prepared in accordance with Paragraph 2 Part 1 Article 18.1 of the Federal Law of the Russian Federation No. 152-FZ "On Personal Data" dated 27 July 2006 (hereinafter referred to as the Data Protection Law/DP Law) and defines the position of the following legal entity: RAMMKA LLC / OOO "RAMKA" (Principal State Registration Number/OGRN: 1187746635570, Taxpayer Identification Number/INN: 9731005339, with its registered address at: ul. Osennyaya, d. 16, of. 48, Moscow) and/or its affiliates (hereinafter referred to as the Company) with regard to processing and protection of Personal Data (hereinafter referred to as the Data), respect for the rights and freedoms of individuals and, in particular, their right to protection of privacy, personal and family secrets.

2. Scope of Application

2.1. This Policy applies to the Data received both before and after the implementation of this Policy.

2.2. The Company ensures the reliable protection of the Data while understanding the importance and value of the Data, as well as taking care to respect the constitutional rights of citizens of both the Russian Federation and other states.

3. Definitions

3.1. The Data refers to any information related to a specified or identifiable (either directly or indirectly) individual (citizen). Such information includes, in particular: last name, first name, patronymic, registration/mailing address, e-mail, phone number, date or place of birth, link to a personal website or an account in social networks.

3.2. The Data processing refers to any action (operation) or series of actions (operations) with the Data performed by using automation tools and/or without using such tools. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of the Data.

3.3. The Data Security refers to the protection of the Data from any unauthorized and/or unwarranted access, destruction, modification, blocking, copying, provision or distribution, as well as from other illegal actions taken in relation to the Data.

4. Legal Basis and Purpose of Data Processing

4.1. The processing and security of the Data in the Company is carried out and ensured in accordance with the requirements of the Constitution of the Russian Federation, the DP Law, the Labor Code of the Russian Federation, the subordinate acts and other federal laws of the Russian Federation that govern the cases and features of data processing, as well as by the guidelines and procedural documents adopted by the Federal Service for Technology and Export Control of Russia and the Russian Federal Security Service.

4.2. The subjects of the Data processed by the Company are:

  • customers – consumers, including visitors of the website http://rammka.ru/ owned by the Company (also for the purpose of placing an order on the website (http://rammka.ru) with a subsequent delivery to the customer), service recipients;
  • participants of bonus and loyalty programs;

4.3. The Company processes the subjects’ Data for the following purposes:

  • implementation, in accordance with federal laws, of the functions, powers and duties entrusted to the Company by the legislation of the Russian Federation, including, but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law No. 27-FZ "On Individual (Personified) Accounting in the System of Compulsory Pension Insurance" dated 01.04.1996, Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006, Federal Law No. 53-FZ "On Military Duty and Military Service" dated 28.03.1998, Federal Law No. 31-FZ "On Mobilization Preparation and Mobilization in the Russian Federation" dated 26.02.1997, Federal Law No. 14-FZ "On Limited Liability Companies" dated 08.02.1998, Federal Law No. 2300-1 "On Protection of Consumer Rights" dated 07.02.1992, Federal Law No. 129-FZ "On Accounting" dated 21.11.1996, Federal Law No. 326-FZ "On Mandatory Medical Insurance in the Russian Federation" dated 29.11.2010;
  • As for participants of bonus and loyalty programs: the processing is done for the purpose of:

1) providing information on products, ongoing promotions and personal account status;

2) identifying a participant of a loyalty program; ensuring the procedure for registering the bonuses accumulation and use;

3) the Company fulfilling the obligations under a loyalty program.

  • As for customers/consumers: the processing is done for the purpose of:

1) providing information on products/services, ongoing promotions and special offers;

2) analyzing the quality of the service provided by the Company and improving the quality of the Company customer service;

3) providing information on the order status;

4) executing the agreement, including the purchase and sale agreement (incl. that concluded remotely on the Website), providing paid services; providing services, as well as accounting for the services rendered to service consumers for mutual settlements;

5) delivering the ordered product to the customer who placed an order on the Website, and returning the product.

5. Principles and Conditions of Data Processing

5.1. When processing the Data, the Company shall adhere to the following principles: Data processing is carried out legally and on a fair basis; the Data are not disclosed to third parties and are not distributed without the consent of the Data subject, except in the cases that require disclosure upon request by authorized state bodies or as a result of legal proceedings; the specific legitimate purpose is identified prior to the processing (also collection) of the Data; collecting only the Data that are necessary and sufficient for the stated purpose of the processing; prohibition to integrate the databases containing the Data the processing of which is carried out for the purposes incompatible with each other; Data processing is limited to the specified, explicit and legitimate purposes; the Data processed must be destroyed or depersonalized upon the fulfillment of the processing purposes or in case of absence of any further need to achieve these purposes, unless otherwise specified by federal laws.

5.2. The Company may include the subjects’ Data in public Data sources; when doing that, the Company shall obtain a written consent of the subject to their Data being processed; the subject may also express their consent by using the specific section on the Website (checkbox) - tick the relevant box to express their agreement.

5.3. The Company shall not process the Data related to race, nationality, political views, religious, philosophical or other beliefs, sexual life, membership in public associations, including trade unions.

5.4. Biometric Data (information on physiological and biological characteristics of a person that may serve as a ground to establish this person’s identity and that are used by the operator to establish the identity of the Data subject) are not processed by the Company.

5.5. The Company shall not perform any cross-border Data transfer.

5.6. The Company is entitled to transfer the Data to third parties (the Federal Tax Service, the State Pension Fund and other state agencies) in the cases provided for by the legislation of the Russian Federation.

5.7. The Company has the right to entrust the processing of the subjects’ Data to third parties (upon the Data subject’s consent) based on the agreement concluded with such parties, also in accordance with the User Agreement and the Personal Data Processing Policy posted on the Website.

5.8. The parties that process the Data under the contract concluded with the Company (operator’s contract of agency) are obliged to comply with the principles and rules of Data processing and protection provided for by the DP Law. For each third party, the contract shall define the purpose of processing and the list of actions (operations) with the Data that will be performed by the third party processing the Data; the contract shall establish the obligation of the third party to maintain confidentiality and ensure the Data security during the processing; it shall also specify the requirements for the protection of the processed Data in accordance with the DP Law.

5.9. In order to comply with the requirements of the current legislation of the Russian Federation and its contractual obligations, the Company shall process the Data both with and without the use of automation tools. The processing operations include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, or destruction of the Data.

5.10. The Company shall not allow for making decisions that are based solely on automated Data processing and that generate legal consequences for the Data subject or otherwise affect their rights and legitimate interests, except in cases stipulated by the legislation of the Russian Federation.

6. Rights and Obligations of Data Subjects and the Company with Regard to Data Processing

6.1. The subject whose Data are processed by the Company has the right to:

  • receive from the Company the following:

- confirmation of the fact of Data processing and information about the availability of the Data related to the relevant Data subject;

- information on the legal grounds for and the purpose of Data processing;

- information on the methods of Data processing used by the Company;

- information on the Company’s name and location;

- information on the parties (with the exception of the Company employees) that have access to the Data or to whom the Data may be disclosed under a contract with the Company or under a federal law;

- a list of processed Data related to the Data subject and information about their source, unless a different procedure for providing such Data is prescribed by a federal law;

- information on the terms of Data processing, including the terms of their storage;

- information on the procedure for the Data subject’s exercise of the rights provided for by the DP Law;

- name (last name, first name, patronymic) and address of the party that processes the Data on behalf of the Company;

- other information provided for by the DP Law or other legal acts of the Russian Federation;

  • demand the following actions be done or accepted by the Company:

- amending the Data, as well as blocking or destroying them if the Data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;

- revoking the subject’s consent to the processing of their Data at any time; demanding the elimination/correction of the Company’s illegal actions in relation to the Data;

- reporting the Company’s actions or lack of actions to the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) or appealing to court if the Data subject believes that the Company processes their Data in violation of the DP Law or otherwise violates their rights and freedoms;

  • protect their rights and legitimate interests, including the receipt (as a result of court proceedings) of a compensation for non-pecuniary and/or other damages.

6.2. During the process of Data processing the Company shall:

  • provide the Data subject (upon request) with the information that concerns the processing of their Personal Data, or provide a legal refusal within thirty days from the date of receipt of such request from the Data subject or their representative;
  • explain to the Data subject the legal consequences of refusing to provide the Data, if the Data provision is mandatory in accordance with a federal law;
  • prior to the start of Data processing (if the Data is not received from the Data subject), provide the following information to the Data subject, except as provided for in Part 4 Article 18 of the DP Law:

1) name and address of the Company or last name, first name, patronymic and address of its representative;

2) purpose and legal basis of the Data processing;

3) expected users of the Data;

4) legal rights of Data subjects;

5) Data source.

  • take the necessary legal, organizational and technical measures or ensure that they are taken - in order to protect the Data from any unauthorized or accidental access; from destruction, modification, blocking, copying, provision or distribution, as well as from other illegal actions attempted in relation to the Data;
  • publish on the Internet - and provide, via the Internet, unrestricted access to - the document defining its policy on the Data processing, or to the information about the implemented requirements to the Data protection;
  • provide Data subjects and/or their representatives, free of charge and upon a relevant request, with the possibility to review the Data - within 30 days from the date of receipt of such request;
  • block the unlawfully processed Data related to the Data subject, or ensure their blockage (if Data processing is carried out by another party acting on behalf of the Company) from the moment of receiving a relevant application or request and for the verification period, in case of detection of illegal Data processing when the Data subject or their representative applies, or upon the request of the Data subject or their representative or an authorized body protecting the rights of personal data subjects;
  • specify the Data or ensure they are specified (if the Data are processed by another party acting on behalf of the Company) within 7 business days from the date of the Data submission, and remove the Data blockage, if the fact of inaccuracy of the Data is confirmed based on the information provided by the Data subject or their representative;
  • terminate the illegal processing of the Data or ensure that the unlawful Data processing by the party acting on behalf of the Company is stopped, in case of detection of the unlawful processing of the Data by the Company or by the party acting under a contract with the Company, within a period not exceeding 3 business days from the date of such detection;
  • terminate the Data processing or ensure its termination (if the Data processing is carried out by another party acting under a contract with the Company) and destroy the Data or ensure their destruction (if the Data processing is carried out by another party acting under a contract with the Company) once the purpose of Data processing is attained, unless otherwise provided for by the contract to which the Data subject is a party, beneficiary or guarantor, if the purpose of Data processing is attained;
  • terminate the Data processing or ensure its termination, and destroy the Data or ensure their destruction, if the Data subject withdraws their consent to the Data processing, provided the Company does not have the right to process the Data without the Data subject’s consent;
  • keep a log of requests from PD subjects that shall contain records of the requests from Data subjects with regard to the Data receipt, as well as of the facts of Data provision following these requests;

7. Data Protection Requirements

7.1. When processing the Data, the Company shall take the necessary legal, organizational and technical measures in order to protect the Data from unauthorized and/or unlawful access, destruction, modification, blocking, copying, provision, distribution of the Data, as well as from other illegal actions attempted in relation to the Data.

7.2. In accordance with the DP Law, such measures include (but are not limited to):

  • assignment of a party responsible for organizing the Data processing, and a party responsible for ensuring the Data security;
  • development and approval of local acts on Data processing and protection;
  • application of legal, organizational and technical measures to ensure the Data security:

- identification of threats to the Data security during their processing via personal data information systems;

- application of organizational and technical measures to ensure the Data security during their processing in personal data information systems, necessary to meet the Data protection requirements, the implementation of which ensures the levels of the Data security established by the Government of the Russian Federation;

- use of information security tools that have successfully passed the compliance assessment procedure;

- assessment of the effectiveness of measures taken to ensure the Data security before commissioning of the personal data information system;

- keeping record of machine media that store the Data, if the Data are stored in machine-readable form;

- detection of unauthorized access to the Data and taking measures to prevent such incidents in the future;

- recovery of the Data modified or destroyed due to unauthorized access to them;

- establishing rules for access to the Data processed in the personal data information system, as well as ensuring registration and keeping record of all actions performed with the Data in the personal data information system.

  • control over the measures taken to ensure the Data security and the level of protection of personal data information systems;
  • assessment of the harm that may be caused to Data subjects in case of violation of the DP Law, the ratio of this harm and the measures taken by the Company to ensure compliance with the obligations provided for by the DP Law;
  • compliance with the conditions that prevent unauthorized access to tangible media that store the Data and ensure their security;
  • familiarization of the Company’s employees directly involved in the Data processing with the provisions of the Russian Federation Data legislation, including the Data protection requirements, local acts on Data processing and protection; and training of the Company’s employees.

8. Duration of Data Processing (Storage)

8.1. The duration of the Data processing (storage) is determined based on the Data processing purposes, in accordance with the validity terms of the contract with the Data subject, the requirements of federal laws, the requirements of Data operators (on whose behalf the Company processes the Data), the basic rules of the organizations’ archives, and the action limitation periods.

8.2. The Data whose processing (storage) period has expired must be destroyed, unless otherwise specified in the federal law. Storing the Data after the termination of their processing is allowed only after their depersonalization.

9. Procedure for Receiving Clarifications on Data Processing Issues

9.1. Persons whose Data are processed by the Company may receive clarifications on the processing of their Data by contacting the Company personally or by sending a corresponding written request to the address of the Company’s location: ul. Osennyaya, d. 16, of. 48, Moscow.

9.2. The official request to the Company must contain:

  • last name, first name, patronymic of the Data subject or their representative;
  • number of the main identity document of the Data subject or their representative, information about the date of issue of the specified document and the issuing authority;
  • information confirming that the Data subject has relations with the Company; contact information that will be used by the Company when sending the response to the request;
  • signature of the Data subject (or their representative). If the request is sent in electronic form, it must be made in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

10. Features of Processing and Protection of the Data Collected by the Company by Using the Internet

10.1. The Company processes the Data received from the Website users via the http://rammka.ru/ online resource (hereinafter jointly referred to as the Website), as well as via incoming calls to the Company’s phone number +7 (908)994-76-12 or via the Company’s e-mail rammkacom@gmail.com

10.2. Data Collection

There are two main ways used by the Company to collect the Data via the Internet:

10.2.1. Data Provision

Personal provision of the Data (data entry by individuals themselves):

  • last name
  • name
  • patronymic
  • registration/mailing address
  • e-mail
  • phone number
  • date or place of birth
  • link to a personal website or a social network account

10.2.2. Submitting the Data by the Data subjects themselves via the Company’s phone number +7(908)994-76-12 or the Company’s e-mail rammkacom@gmail.com

10.3. Automatically Collected Information

The Company may collect and process information that is not personal data:

  • information about the interests of Website users based on the search queries entered by Website users with regard to the products sold and offered for sale by the Company - in order to provide the Company’s customers who use the Website with up-to-date information, as well as to generalize and analyze the information about the products and Website sections that are most in demand among the Company’s customers;
  • processing and storing the search queries of Website users for the purpose of summarizing and creating the client statistics on the use of Website sections.

The Company automatically receives certain types of information obtained in the course of user interaction with the Website, e-mail correspondence, etc. This refers to technologies and services, such as web protocols, cookies, web tags, as well as applications and tools employed by the specified third party.

However, web tags, cookies, and other monitoring technologies do not allow for the automatic Data reception. If a Website user chooses to provide their own Data (for example, when filling out a feedback form or sending an e-mail message), then the processes of automatic collection of detailed information shall be activated - in order to ensure the convenience of using websites and/or to improve interaction with users.

10.4. Use of Data

The Company has the right to use the Data provided in accordance with the stated purposes of their collection only with the consent of the Data subject if such consent is required in accordance with the data-related legislation of the Russian Federation.

The Data obtained in a generalized and depersonalized form may be used to better understand the needs of customers who purchase the goods and services sold by the Company, as well as to improve the quality of service.

10.5. Data Transmission

The Company may assign third parties with the Data processing only upon the Data subject’s consent. The Data may also be transferred to third parties in the following cases:

a) as a response to legitimate requests from authorized state bodies, in accordance with laws, court decisions, etc.

b) the Data may not be transferred to third parties for marketing, commercial or other similar purposes, unless the Data subject’s prior consent to this has been obtained.

10.6. The Website contains links to other web resources that might contain information that is useful and interesting to the Website users. That said, this Policy does not apply to such other websites. The users who follow the links to other websites are advised to read the Data Processing Policies posted on those websites.

10.7. The Website user may withdraw their consent to Data processing at any time by sending a message, calling the Company’s phone number +7 (908)994-76-12, writing to the Company’s e-mail rammkacom@gmail.com, or by sending a written notification to the Company’s address: ul. Osennyaya, d. 16, of. 48, Moscow. After receiving such message, the processing of the user’s Data will be terminated and their Data will be deleted, except for the cases where the processing may be continued in accordance with the legislation.

11. Final Provisions

This Policy is a local regulatory act of the Company. This Policy is publicly available. This Policy is made publicly available by means of being published on the Company’s Website. This Policy may be revised in any of the following cases:

  • following the changes to the legislation of the Russian Federation in the field of personal data processing and protection;
  • in cases of receiving instructions from the competent state authorities to eliminate the inconsistencies that affect the scope of the Policy;
  • by decision of the Company’s management;
  • following the changes to the purposes and duration of Data processing;
  • when changing the organizational structure or the structure of information and/or telecommunications systems (or introducing new ones);
  • when using new technologies for Data processing and protection (including transmission or storage);
  • if there appears a need to change the process of Data processing related to the Company’s activities.

In case of any non-compliance with the provisions of this Policy, the Company and its employees shall be held liable in accordance with the current legislation of the Russian Federation. The compliance with the requirements of this Policy is monitored by the parties responsible for the organization of the Company’s Data Processing, as well as for the security of personal data.