Personal Data Processing Policy
1. General provisions. This personal data processing policy has been developed as required by Federal Law dated 27 July 2006 No. 152-FZ 'On Personal Data' (the Personal Data Law) and defines the personal data processing procedure and measures to ensure the security of personal data taken by JSC ROITECH (hereinafter 'the Operator').
1.1. The Operator sets out the rights and freedoms of a human and citizen, including the protection of the right to privacy and a personal and family life, as its most important goal and the basis of its activities when processing personal data.
1.2. The Operator's personal data processing policy (hereinafter 'the Policy') is applicable to all information about visitors to https://roitech.ru
that can be obtained by the Operator.
2. Basic terms used in the Policy
2.1 'Automated personal data processing' refers to the processing of personal data using computer equipment.
2.2. 'Blocking personal data' refers to the temporary termination of processing personal data, unless said processing is required in order to update personal data.
2.3. 'Website' refers to a set of graphic and informational materials, and the software and databases required to make them available on the internet at https://roitech.ru
2.4. 'Personal data information system' refers to a set of personal data contained in the personal data database so as to facilitate the processing of personal data using information technology and equipment.
2.5. 'Depersonalization of personal data' refers to an action after which it is impossible to identify personal data as belonging to a specific User or another subject of personal data without additional information.
2.6. 'Personal data processing' refers to any action(s)/operation(s) whereby personal data is used either manually or automatically, including collecting, recording, systematizing, accumulating, storing, specifying (updating, revising), retrieving, using, transmitting (distributing, providing, accessing), depersonalizing, blocking, deleting or destroying personal data.
2.7. 'The Operator' means a state authority, municipal body, legal entity or private individual which, independently or together with other entities, arranges and/or conducts personal data processing, and establishes personal data processing goals, the scope of personal data to be processed, and the actions/operations to be carried out with regard to processing personal data.
2.8. 'Personal data' refers to any information directly or indirectly related to a specific or identified User of https://roitech.ru
2.9. 'Personal data permitted for distribution by the personal data subject' refers to personal data to which the subject of the personal data has provided access for an unlimited number of people by providing their consent to process personal data permitted for distribution as provided by the Personal Data Law (hereinafter 'personal data permitted for distribution').
2.10. 'The User' refers to any visitor to https://roitech.ru
2.11. 'Provision of personal data' refers to actions undertaken in order to disclose personal data to a certain party or group of people.
2.12. 'Distribution of personal data' refers to any action undertaken in order to disclose personal data to an indefinite number of people (hereinafter 'disclosure of personal data') or to familiarize an unlimited number of people with said personal data, including by publishing such personal data on mass media platforms, information and telecommunication networks, or otherwise providing access to said personal data.
2.13. 'International personal data transfer' refers to the transfer of personal data to a foreign state, an authority in a foreign state, or a foreign private individual or legal entity.
2.14. 'Destruction of personal data' refers to any action which irreversibly destroys personal data so that it cannot be restored in an informational system of personal data, and/or destroys physical media used to store personal data.
3. Basic rights and responsibilities of the Operator
3.1. The Operator retains the right to:
– Obtain accurate information and/or documents containing personal data from a subject of personal data;
– If a subject of personal data withdraws their consent to personal data processing, the Operator shall have the right to continue processing personal data without such consent of the personal data subject, if there are grounds to do so under the Personal Data Law;
– Independently establish the scope and list of measures as necessary and sufficient to perform obligations provided by the Personal Data Law and the corresponding legal regulations, unless otherwise provided by the Personal Data Law or other federal laws.
3.2. The Operator shall:
– Provide the personal data subject with information about the processing of their personal data;
– Facilitate personal data processing as established set out in Russian law;
– Respond to requests from personal data subjects or their legal representatives, as required by the Personal Data Law;
– Provide the necessary information as requested by an authorized body in charge of the defense of personal data subjects' rights within 30 days after said request;
– Publish or otherwise provide unlimited access to this Personal Data Processing Policy;
– Take legal, administrative and technical actions to protect personal data against unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, and other unlawful actions against personal data;
– Cease transmitting (distributing, providing, accessing) and processing personal data, and destroy it as and when provided by the Personal Data Law;
– Perform other obligations as provided by the Personal Data Law.
4. Basic rights and respsonsibilities of subjects of personal data
4.1. Subjects of personal data retain the right to:
– Obtain information regarding the processing of their personal data, except as provided by federal laws. The Operator shall provide information to a personal data subject in an convenient format; such information shall not contain personal data of other personal data subjects, unless there are legal grounds to disclose such personal data. The Personal Data Law outlines said information and describes how to obtain it.
– Demand that the Operator update, block or destroy their personal data, if the personal data is incomplete, obsolete, inaccurate, illegally obtained or is not necessary for the processing goal, and take measures as provided by the law to defend their rights;
– Set a condition of prior consent for personal data processing to promote goods, work and services;
– Withdraw their consent to personal data processing;
– Appeal unlawful actions or failure to act by the Operator during the processing of their personal data to an authorized body in charge of the defence of personal data subjects' rights or in court;
– Exercise other rights as provided by Russian law.
4.2. Subjects of personal data shall:
– Provide accurate personal data to the Operator;
– Inform the Operator whenever their personal data is updated/modified/revised.
4.3. Persons who have provided inaccurate personal data to the Operator or data about another personal data subject without the consent of the latter shall be liable according to the Russian law.
5. The Operator may process the following User personal data
5.1. Surname, name, patronymic.
5.3. Telephone numbers.
5.4. Year, month, day and place of birth.
5.6. The site also collects and processes depersonalized user data (including cookies) using internet statistics services (Yandex.Metrica, Google Analytics, etc.)
5.7. The above data is to be referred to hereinafter as personal data.
5.8. Special categories of personal data regarding race, nationality, political views, religious or philosophical beliefs, and personal relationships are not processed by the Operator.
5.9. Personal data permitted for distribution from among the special personal data categories as listed in part 1 article 10 of the Personal Data Law can be processed provided that the prohibitions and conditions of Article 10.1 of the Personal Data Law are observed.
5.10. User consent to the processing of personal data permitted for distribution is issued separately from other consents. In this case the conditions provided specifically by Article 10.1 of the Personal Data Law shall be observed. Requirements for the details of such consent are established by the authorized body in charge of the defence of personal data subjects' rights.
5.10.1 The User shall provide consent to process personal data permitted for distribution directly to the Operator.
5.10.2 The Operator shall publish processing conditions, limitations and conditions for processing of personal data by an unlimited number of people within at least three business days after the User has provided such consent.
5.10.3 Transmission of (distributing, providing, accessing) personal data permitted by a subject of personal data for distribution shall be stopped at any time whenever so requested by the personal data subject. Requests shall include the subject's surname, name, patronymic (where applicable), contact information (telephone, email or postal address) and the list of personal data that the Operator should cease to process. The personal data contained in said request may only be processed by the Operator it was sent to.
5.10.4 Consent to process personal data permitted for distribution is terminated when the Operator receives the demand as set out in clause 5.10.3.
6. Personal data processing principles
6.1. Personal data is processed on legal and fair grounds.
6.2. Personal data processing is limited to the achievement of specific predetermined and legal goals. Personal data which is inconsistent with the personal data collection goals shall not be processed.
6.3. Databases containing personal data processed for different, incompatible goals shall not be combined.
6.4. Only personal data which is consistent with the processing goals shall be processed.
6.5. The contents and scope of the processed personal data shall be consistent with the declared processing goals. The personal data shall not be excessive with respect to the declared processing goals.
6.6. The personal data to be processed shall be reliable, sufficient and, where required, up to date according to the personal data processing goals. The Operator will undertake the necessary actions and/or have them taken in order to delete or update incomplete or inaccurate data.
6.7. Personal data shall be stored in a such a manner so that the Operator can identify the personal data subject for no longer than required by the personal data processing goals, unless the personal data storage period is established by a federal law or contract, in which the personal data subject is a party, beneficiary, or trustor. The processed personal data is destroyed or depersonalized when the processing goals are achieved, or if such goals are no longer needed to be achieved, unless otherwise provided by a federal law.
7. Personal data processing goals
7.1. Personal data processing goals:
– Inform Users by sending them emails;
– Enter into, perform and terminate civil contracts;
– Provide access for Users to services, information and/or materials available on https://roitech.ru
7.2. The Operator shall also have the right to send User notifications about new products and services, special offers and events. The User can always unsubscribe from newsletters by sending the Operator a message at email@example.com containing the phrase 'Cancelation of notifications about new products, services and special offers'.
7.3. Depersonalized user data collected by internet statistics services are used in order to collect information about user actions on the website, helping to improve website quality and content.
8. Legal grounds for personal data processing
8.1. The legal grounds for personal data processing by the Operator are:
– Constituent documents of the Operator;
– Contracts entered into between the Operator and the personal data subject;
– Federal laws, other legal regulations governing personal data protection;
– User consent to personal data processing, including data permitted for distribution.
8.2. The Operator processes the personal data of users only if the User fills it in and/or sends it using special formats available at https://roitech.ru
sends it directly to the Operator. By filling in the corresponding forms and/or sending their personal data to the Operator, the User grants their consent to this Policy.
8.4. A personal data subject independently decides to provide their personal data and gives their consent of their free will and out of their own interest.
9. Personal data processing conditions
9.1. Personal data is processed if the personal data subject provides their consent.
9.2. Personal data processing is required in order to achieve goals as set out in an international contract or Russian law in order to exercise the functions, authority and obligations of the Operator in accordance with Russian law.
9.3. Personal data must be processed to administer justice, execute a judicial order, or the order of another authority or official to be executed according to Russian executive legislation.
9.4. Personal data must be processed in order to fulfil a contract, in which the personal data subject is a beneficiary or trustor, and to enter into a contract at the initiative of the personal data subject or a contract in which the personal data subject will be a beneficiary or trustor.
9.5. Personal data must be processed in order to exercise the rights and legal interests of the Operator or third parties, or to achieve public goals, provided that this does not violate the rights and freedoms of the personal data subject.
9.6. Personal data is processed, if the personal data subject has provided access to it to an unlimited number of people or else upon request (hereinafter 'Public Personal Data').
9.7. Personal data is processed, if it shall be published or disclosed according to a federal law.
10. Personal data processed by the Operator is collected, stored, transferred and otherwise processed and secured by implementing legal, administrative and technical actions as necessary to fulfil all requirements of the personal data protection law.
10.1. The Operator shall ensure the safety of personal data and take all actions necessary to prevent unauthorized persons from accessing said personal data.
10.2. User personal data will under no circumstances be transferred to third parties, unless it is required in order to exercise an existing law, or if the personal data subject has given their consent to the Operator to transfer the data to a third party to carry out its responsibilities under a civil contract.
10.3. If the personal data is found to be inaccurate, the User may update it independently by sending the Operator a notification to firstname.lastname@example.org, including the phrase 'Personal data update' in the message.
10.4. The personal data processing period depends on the goals it has been collected for, unless another period is provided by a contract or existing legislation.
The User may withdraw their consent to personal data processing at any time by sending the Operator an email at email@example.com, including the phrase 'Withdrawal of personal data processing consent' in the message.
10.5. All information collected by third party services, including payment systems, communication platforms, and other service providers, shall be stored and processed by such parties (Operators) according to their user agreements and privacy policies. Personal data subjects and/or Users shall familiarize themselves with such documents independently and in good time. The Operator is not responsible for the actions of third parties, including those of the service providers listed herein.
10.6. Prohibitions to transfer (except for access) and process personal data or processing conditions (except for access) established by the personal data subject for personal data permitted for distribution are not applicable if the personal data is processed in the interests of state, social or other public interests, as set out in Russian law.
10.7. The Operator shall ensure the confidentiality of personal data during processing.
10.8. The Operator shall store personal data in a such a manner so as to identify the personal data subject for not longer than required by the personal data processing goals, unless the personal data storage period is established by a federal law or contract in which the personal data subject is a party, beneficiary, or trustor
10.9. Personal data processing can be stopped after the personal data processing goals have been achieved, after the expiration of the personal data subject's consent for processing, or after the personal data subject withdraws their consent.
11. List of operator actions with obtained personal data
11.1. The operator collects, records, systematizes, accumulates, stores, specifies (updates, revises), retrieves, uses, transmits (distributes, provides, accesses), depersonalizes, blocks , deletes and destroys personal data.
11.2. The Operator automates personal data processing with or without receiving and/or transmitting the obtained information via information and telecommunication systems.
12. International personal data transfer
12.1. Before proceeding to international personal data transfer, the Operator shall make sure that the foreign state the personal data is to be transferred to provides reliable protection of the subject's personal data rights.
12.2. Personal data can be transferred to a foreign state that does not meet the above requirements only provided that there is a written consent from the personal data subject for the international transfer of their personal data, and/or to fulfil obligations under contracts of which the personal data subject is a party.
13. Confidentiality of personal data. The Operator and other parties which have gained access to the personal data shall not disclose it to third parties, or distribute it without the consent of the personal data subject unless otherwise provided by federal law.
14. Final provisions.
14.1. Users may obtain any explanations for the matters they are interested in regarding the processing of theit personal data by contacting the operator at firstname.lastname@example.org.
14.2. The Operator will reflect any revisions to the personal data processing policy in this document. The policy is valid permanently until it is superseded by a new version.
14.3. The valid version of the Policy is freely available at https://roitech.ru/privacy.