REGULATION ON PROCESSING AND PROTECTION OF PERSONAL DATA IN “HERMITAGE HOTEL” LLC (“HERMITAGE” HOTEL)
I. BASIC PROVISIONS AND TERMS
The
Regulation on processing and protection of personal data in
"Hermitage Hotel" LLC was developed in compliance with the
Constitution of the Russian Federation, Convention for the Protection
of Individuals with regard to Automatic Processing of Personal Data
(Strasbourg, 28.01.1981), Federal Law No. 160-FZ of 19.12.05 "On
ratification of the Council of Europe Convention for the Protection
of Individuals with regard to Automatic Processing of Personal Data",
Federal Law No. 152-FZ of 27.07.06 "On Personal Data",
Federal Law "Labor Code of the Russian Federation", Federal
Law No. 132-FZ of 24.11.96 "On the Fundamental Principles of
Tourist Activities in the Russian Federation", Federal Law No.
14-FZ of 08.02.98 "On Limited Liability Companies",
Government Decree of the Russian Federation No. 1085 of 09.10.15 "On
Approval of the Rules for the Provision of Hotel Services in the
Russian Federation", Government Decree of the Russian Federation
No. 713 of 17.07.95 "On Approval of the Rules for Registration
and Withdrawal of Citizens of the Russian Federation from
Registration at the Place of Residence within the Russian
Federation", Government Decree of the Russian Federation No. 9
of 15.01.07 "On the Procedure for the Migration Registration of
Foreign Citizens and Individuals without Citizenship in the Russian
Federation" and other federal laws and subordinate regulatory
acts aimed at ensuring the operator’s obligations under the Federal
Law "On Personal Data".
This
Regulation determines the activities of "Hermitage Hotel"
LLC (hereinafter referred to as the "Company") as an
operator engaged in processing of personal data with regard to
processing and protection of personal data.
"Hermitage
Hotel" LLC is a subject of the hotel business and an object of
the tourism industry (Certificate No. 550006976 of 08.06.2016), which
defines the purposes and tasks related to processing and protection
of personal data.
When processing personal data (hereinafter referred to as PD), the
Company considers its main tasks to be observance of the principles of
legality, fairness and confidentiality in the processing of personal
data. The Company is responsible for maintaining the confidentiality
and security of the personal data being processed.
This Regulation applies to all cases of processing of personal data by
the Company, regardless of whether the processing is automated or
manual.
This
Regulation is an internal local act of the Company binding for all
departments and Employees of the Company. The period of validity of
the Regulation is two years from the date of its approval.
Responsibility
for updating of this Regulation and the current control over the
implementation of the Regulation are assigned to an authorized
employee appointed by the order of the Company who is responsible for
organizing the processing and protection of PD. On the basis of
requirements of the Regulation, the Company develops internal
documents of the Company related to processing of PD.
The
Regulation is a public document for an unlimited scope of persons;
its text is posted on the website: www.hermitage-hotel.ru.
The
processing of personal data in the Company should be limited to the
achievement of legitimate, specific and pre-determined goals. Only
those personal data are subject to processing and only to the extent
that meet the objectives of their processing.
Personal data (PD) is any information related to a directly or
indirectly defined or determined individual, a subject of personal data.
Processing of personal data is any action with personal data performed
with the use of automation tools or without using such tools.
Subject of personal data is an identified or unidentified individual
with respect to which personal data processing is carried out.
Employee is an individual (subject of personal data) who has entered
into an employment contract with the Company.
Applicant is an individual (subject of personal data) who has submitted
his personal data to the Company with the proposal to conclude an
employment contract.
Partner is a legal entity or an individual entrepreneur, a personal data
operator with whom the Company has contractual relations, in
fulfillment of obligations under which the Partner instructs the
Company as a third party to process the Client’s PD.
Client is an individual, a customer of a hotel product (subject of
personal data), who has concluded an agreement with the Company or a
Partner for the sale of a hotel product formed by the Company.
Other individual is an individual (subject of personal data) who has
concluded an agreement with the Company for the provision of a certain
type of services or works, or an employee of the Partner.
Visitor is an individual (subject of personal data) who is not an
Employee and who has been legally allowed to enter the premises of the
Company.
Authorized employee is an Employee appointed by the order of the
Director General of the Company to be responsible for ensuring
information security and protection of personal data.
Dissemination of personal data is any action aimed at disclosing
personal data to an undetermined scope of persons.
Provision of personal data is any action aimed at disclosing personal
data to a specific person or a certain scope of persons.
Cross-border transfer of personal data is a transfer of personal data to
the territory of a foreign state to the authority of a foreign state, to
a foreign individual or to a foreign legal entity.
Consent of the subject of PD to processing of his/her PD: the subject of
PD decides to provide his/her PD and agrees to their processing freely,
by his/her own will, in his/her interest. The consent to the processing
of PD must be specific, informed, and deliberate. The consent can be
given by the subject of PD or his/her representative in any form that
allows determining the fact of its receipt, unless otherwise
established by the Federal Law.
You
can use our website www.hermitage-hotel.ru
for booking hotel, tourist, additional and related services provided
by the Company. By providing your personal data to "HERMITAGE
Hotel" LLC and performing implicative actions, i.e. by
clicking "I agree",
you express your consent and give your permission to process your
personal data in the manner prescribed by this Regulation. If you do
not agree with the Regulation, we ask you kindly to refrain from
using this website and transferring your personal data to "HERMITAGE
Hotel" LLC.
II. OBJECTIVES, TERMS AND PROCEDURES FOR PERSONAL DATA PROCESSING
1. Objectives of processing PD
The
Company carries out processing of personal data solely for the
purposes of:
- exercising the functions assigned to the Company by the Charter and
  legislation of the Russian Federation as a subject of the hotel
  business and an object of the tourism industry, including the
  implementation of clause 21 of the Government Decree of the Russian
  Federation No. 1085 of 09.10.15 "On Approval of the Rules for the
  Provision of Hotel Services in the Russian Federation";
- organizing the accounting of Employees and the Founder(s) of the
  Company in accordance with the requirements of laws and other
  regulatory and legal acts, assisting them in career growth and
  employment, training, all types of compulsory insurance, providing
  legislative benefits and compensations;
- taking a decision on concluding an employment contract with an
  Applicant;
- with Clients and Partners under contracts for the sale of tourist
  products, hotel services, additional and related services to hotel
  and tourist services;
- fulfilling the obligations of the Company and exercising the rights of
  the Company under concluded contracts, to which the Client is a party,
  a beneficiary or a guarantor, as well as for the conclusion of
  contracts initiated by the Client or contracts in which the Client
  will be a beneficiary or guarantor;
- fulfilling the obligations of the Company and exercising the rights of
  the Company under contracts concluded with other individuals or legal
  entities in accordance with the norms of the Civil Code of the
  Russian Federation;
- processing personal data, the access of an unlimited scope of persons
  to which is provided at the request of the Employee or the Client;
- performing marketing and advertising activities in order to establish
  and further develop relations with Clients and Partners;
- performing current economic activities (negotiations, litigation,
  claim activity, conclusion of economic, financial and entrepreneurial
  contracts, sending offers, quotations, etc.) with due regard to art.
  15 of the Federal Law "On Personal Data". To achieve this goal, the
  Company may apply to publicly available sources of personal data
  regulated by the laws of the Russian Federation ("On State
  Registration", "On State Registration of Legal Entities and
  Individual Entrepreneurs", etc.) located on websites of state and
  municipal authorities, enterprises and organizations containing
  public personal data, to directories, address books, social networks,
  other sources of publicly available information.
Only
those personal data are subject to processing in the Company that
meet the above-mentioned purposes of processing. Personal data are
not subject to processing in the event of non-conformity of their
nature and scope with the objectives to be achieved.
The
Company does not process special categories of personal data relating
to racial origin, nationality, political views, religious or
philosophical convictions, intimate life, and criminal record.
2. Workers’ admission to processing of PD
Personal
data in the Company can be processed only by Employees authorized for
this according to the prescribed procedure.
Employees
of the Company are allowed to process personal data only by the
decision of the Director General.
Employees
admitted to processing of personal data in the Company have the right
to start working with personal data only after a signed acquaintance
with local acts regulating the processing of PD in the Company.
Employees
engaged in processing of personal data in the Company must act in
accordance with their job descriptions, regulations and other
administrative documents of the Company and follow the Company’s
requirements for compliance with non-disclosure behavior.
3. Receiving PD, their categories, storage time
The
Company receives personal data only on the grounds that the subject
of personal data decides to provide his/her personal data to the
Company and agrees to their processing freely, by his/her own will
and in his/her interest. The consent to the processing of personal
data must be specific, informed, and deliberate. The consent to the
processing of personal data can be given by the subject of personal
data or his/her representative in any form that allows confirming the
fact of its receipt. As a rule, such consent is given at the
conclusion of written agreements with the Company or our Partners or
by performing of implicative actions on the website of the Company or
our Partners by the subject of personal data.
The
consent to the processing of personal data may be withdrawn by the
subject of personal data.
The
following categories of personal data are processed in the Company:
- personal data of Employees and the Founder. Sources of receipt: from
  subjects of personal data;
- personal data of Clients. Sources of receipt: from subjects of
  personal data or Partners on the basis of concluded contracts;
- personal data of Partners and their representatives. Sources of
  receipt: from subjects of personal data or Partners on the basis of
  concluded contracts;
- personal data of Visitors. Sources of receipt: from subjects of
  personal data;
- personal data of Applicants. Sources of receipt: from subjects of
  personal data;
- personal data of other Individuals. Source of receipt: from subjects
  of personal data.
Terms
of processing and storage of personal data are defined in compliance
with the terms of the agreement with the subject of personal data,
with the document retention period established by the Tax Code of the
Russian Federation, Federal Law "On Accounting", Federal
Law "Labor Code of the Russian Federation", Decree of the
Ministry of Culture of the Russian Federation No. 558 of August 25,
2010 "On approval of the list of standard management archival
documents generated in the course of activities of state authorities,
local authorities and organizations with the indication of storage
terms", other legal requirements and regulations as well as with
the term of the consent to processing of personal data given by the
subject if such consent is to be given in accordance with the
requirements of the legislation.
4. Processed categories of personal data
The
following categories of personal data are processed in "Hermitage
Hotel" LLC:
1) Founder, Employees, Applicants for vacant positions:
- surname, name, patronymic, date and place of birth, citizenship;
- former surname, name, patronymic, date and place of birth (in case of
  changes);
- address of registration and actual residence, date of registration at
  the place of residence;
- knowledge of foreign languages, languages of the peoples of the
  Russian Federation;
- education (when and what educational organizations graduated from,
  numbers of diplomas, training program or specialties according to
  diploma, qualification according to diploma);
- work performed from the beginning of employment;
- type, series, number of the document proving the identity of the
  citizen of the Russian Federation, name of the issuing authority,
  date of issue;
- marital status;
- contact phone number, information on other means of communication;
- military service obligation, information on military registration;
- taxpayer identification number;
- number of the insurance certificate of compulsory pension insurance;
- details of the compulsory health insurance policy;
- details of certificates of acts of civil status;
- bank card number, account number, full bank card payment details;
- other personal data necessary for work, formation of the personnel
  reserve.
For
the founder, the personal data specified in items 1-3, 6-12, 14, 15
of the above list are processed.
For
applicants for a vacant position, personal data specified in items
1-6, 9 of the list are processed.
2) Clients, guests of Clients:
- surname, name, patronymic, date and place of birth, sex, citizenship;
- citizenship at birth;
- address of registration and actual residence, date of registration at
  the place of residence;
- passport details of a citizen of the Russian Federation: series,
  number, name of the issuing authority, date of issue;
- details of a foreign passport of the Russian Federation: series,
  number, name of the issuing authority, date of issue, validity period;
- birth certificate details;
- other or similar information about identity documents (document);
- for foreign citizens: visa and migration card details;
- contact telephone numbers, e-mail address;
- marital status;
- work place details;
- purpose of visit.
3) the scope of personal data of Partners, representatives of Partners,
Visitors, other individuals is determined by the arising legal
relationships, is determined by agreement between the Parties.
5. Transfer of PD to third parties
The
transfer of personal data is carried out by the Company solely to
achieve the objectives stated in the Regulation for processing of
personal data.
The
transfer of personal data to third parties is carried out either with
a written consent of the personal data subject, which is formalized
in accordance with the form prescribed by law, or for performance of
a contract to which the subject of personal data is a party, a
beneficiary or a guarantor, or for making a contract on the
initiative of the personal data subject or a contract in which the
personal data subject will be a beneficiary or a guarantor, or in
cases where it is necessary to prevent threats to life and health of
the personal data subject; or in other cases established by the
federal legislation.
The
transfer of personal data to third parties is carried out by the
Company only on the basis of a relevant agreement with a third party,
the essential condition of which is the obligation of the third party
to provide confidentiality of personal data and security of personal
data when processing them.
III. SAFETY MEASURES FOR PERSONAL DATA
Prior
to processing of personal data, the Company has taken legal,
technical and organizational measures to protect personal data from
unauthorized or accidental access, destruction, modification,
blocking, copying, provision, distribution, as well as from other
illegal acts against them. Security of personal data is achieved, in
particular, in the following ways:
- Implementation of non-disclosure behavior to personal data in the
  Company, when all documents and data containing information about
  personal data are confidential in the Company.
- Organization of security procedures for premises in which information
  systems and tangible media of PD (storage areas of PD) are located,
  preventing the possibility of uncontrolled entry or stay in these
  premises of persons who do not have the right to access these
  premises.
- Approval of the full list of personal data subject to protection in
  the Company.
- Approval of the list of persons carrying out the processing of
  personal data in the Company or having access to them, persons
  responsible for organizing the processing of PD.
- Prohibition for Employees processing personal data to carry out
  unauthorized or unregistered copying of personal data.
- Familiarization of the Company’s Employees, who process personal data,
  with the provisions of the legislation of the Russian Federation on
  personal data and local acts of the Company.
- Ensuring the separate storage of personal data (tangible media),
  processing of which is carried out without the use of automation
  tools and for various purposes.
- Registration of documents on processing of personal data without the
  use of automated systems in separate office records, storage of
  documents in securely locked cabinets and safes, the keys of which
  are kept only by the Employees responsible for this activity.
- Control over the measures taken to ensure the security of personal
  data and the level of security of information systems of personal
  data.
The
Company is responsible for development, implementation and
effectiveness of the lawful standards regulating personal data
acquisition, processing and protection. The Company assigns personal
liability of its Employees for compliance with the non-disclosure
mode established in the Company.
The
divisional manager is personally responsible for compliance by the
Employees of his division with the lawful standards governing the
acquisition, processing and protection of personal data. The manager
who allows an employee to access documents and information containing
personal data is personally responsible for this permission.
Every
Employee of the company who receives a document containing personal
data for work is solely responsible for the safety of the data
storage device and the confidentiality of information.
Employees guilty of violating the lawful standards governing the
receipt, processing and protection of personal data bear disciplinary,
administrative, civil or criminal liability in accordance with
federal laws.
The
Company is not liable for losses and other costs incurred by the
subjects of personal data as a result of provision of unreliable and
incomplete personal data.
IV. THE ORDER OF DESTRUCTION OF PERSONAL DATA
The
issue of destruction of the allocated documents containing personal
data shall be considered collectively by the Director General of the
Company and by the person responsible for organizing the processing
and ensuring the security of personal data in the Company.
According
to the results of the meeting, it is necessary to compose a protocol
and an act on the allocation of documents to destruction.
The
official responsible for archival activities organizes the work on
the destruction of documents containing personal data.
Destruction
of personal data on electronic media at the end of the processing
period is performed by mechanical violation of the integrity of the
media that does not allow the reading or recovery of personal data,
or by removing from electronic media by methods and means to ensure
the removal of residual information.
As a
result of the destruction of cases (on paper and (or) electronic
media), an entry is made in the act on the allocation of documents to
destruction.
V. RIGHTS OF THE PERSONAL DATA SUBJECT
The
personal data subject has the following rights:
- the right to receive information about the Company, its location
  address, its possession of personal data referring to a certain
  personal data subject, as well as the right to acquaint himself with
  such personal data;
- the right to demand from the Company to specify one’s personal data,
  as well as to block or destroy them if the personal data are
  incomplete, outdated, invalid, illegally obtained or are not
  necessary for the declared processing purpose;
- the right to demand to stop processing one’s personal data;
- the right to receive information regarding processing of one’s
  personal data, including the following: confirmation of the fact of
  processing of personal data by the Company, as well as the purpose
  of such processing; methods of processing personal data used by the
  Company; information on persons who have access to or are able to
  access personal data; list of processed personal data and the source
  of their receipt; terms of processing of personal data, including
  the terms of their storage; information on what legal consequences
  for the subject of personal data the processing of his/her personal
  data may entail.
The
right of the subject of personal data to access his/her personal data
may be restricted in accordance with federal laws, art. 14 of the
Federal Law "On Personal Data".
Access
to his/her PD is given to the subject of personal data when the
subject of PD applies for it personally or to his/her representative
on the basis of a notarized power of attorney, and also on the basis
of an electronic request of the personal data subject or his/her
representative. The request should contain the number of the main
document certifying the identity of the personal data subject or
his/her legal representative, the power of attorney, information on
the date of issue of the specified document and the issuing authority
and the personal signature of the personal data subject or his/her
legal representative. The request in electronic form must be signed
by an electronic digital signature in accordance with the legislation
of the Russian Federation.
The
Company informs the subject of personal data or his/her legal
representative about the availability of personal data relating to
the relevant personal data subject, as well as provides an
opportunity to get acquainted with them upon application of the
subject of personal data or his/her legal representative or within
ten working days from the date of receipt of the request of the
subject of personal data or his/her legal representative.
VI. DETAILS OF THE COMPANY AND SUPERVISORY AUTHORITIES
1. Company:
“HERMITAGE Hotel” Limited Liability Company (“HERMITAGE Hotel” LLC)
OGRN (primary state registration number) 1076163007601 / INN (taxpayer identification number) 6163086365
Location address: 52, Ulyanovskaya Str., Rostov-on-Don, 344002
Postal address: 52, Ulyanovskaya Str., Rostov-on-Don, 344002
Telephone: 8 (863) 200-10-15;
Website: www.hermitage-hotel.ru
E-mail: sales@hermitage-hotel.ru
The person responsible for organizing the processing and ensuring the
security of personal data in the Company is Larisa Yurievna Alekseeva,
Deputy Director General for Personnel and Quality of Service,
telephone: 8 (863) 200-12-88, e-mail: nvb@hermitage-hotel.ru
2. Supervisory organizations authorized in the field of protection of
the rights of subjects of personal data:
- Federal Service for Supervision in the Sphere of Communications,
  Information Technology and Mass Communications (Roskomnadzor):
  Address: 7, Kitaygorodsky pr., Bldg. 2, Moscow, 109074.
  Information and Service Center: Telephone: (495) 987-68-00; Fax: (495) 987-68-01
- Directorate of Roskomnadzor on protection of the rights of subjects
  of personal data:
  Telephone: (495) 987-68-57.
  Roskomnadzor’s e-mail - rsoc_in@rsoc.ru
- Roskomnadzor Directorate in Rostov Region
  Postal address: 113/46, Metallurgicheskaya Str., Rostov-on-Don.
  Reception office: tel.: (863) 223-79-11; website: www.61.rkn.gov.ru
If
you have questions after consideration of the Regulation, you can
receive clarifications by sending an official request to the
following address: 52, Ulyanovskaya Str., Rostov-on-Don, 344002 or to
the following e-mail: nvb@hermitage-hotel.ru