Privacy Policy

APPROVED

By order of the General Manager

of LLC "MITS LUX",

organizer of the Pure Luxury workshop

No. 13/05-1/PD of "13" May 2025

1. General Provisions
1.1. This Policy of LLC "MITS LUX" (hereinafter referred to as the Operator, the Organization) regarding the processing of personal data defines the purposes, content, and procedure for processing personal data, measures aimed at protecting personal data, as well as procedures aimed at identifying and preventing violations of the legislation of the Russian Federation in the field of personal data in the Organization.
1.2. This Personal Data Processing Policy (hereinafter referred to as the Policy) is drawn up in accordance with Article 7, point 2 of Article 18.1 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006, Article 86 of the Labor Code of the Russian Federation, Article 152.2 of the Civil Code of the Russian Federation, as well as other regulatory legal acts of the Russian Federation in the field of personal data protection and processing. It applies to all personal data (hereinafter referred to as Data) that the Organization may receive from a personal data subject, a consumer or other customer who is a party to contractual relations under a tourist product and/or tourism services contract, contractors of the Organization who have entered into a civil law contract with the Organization, users of the website https://www.mits.ru (hereinafter referred to as the "website"), which contains information about the Operator's services, as well as from a personal data subject who is in a relationship with the Operator regulated by labor law (hereinafter referred to as the Employee).
1.3. The Operator ensures the protection of processed personal data from unauthorized access and disclosure, unlawful use, or loss in accordance with the requirements of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006.
1.4. The Operator, LLC "MITS LUX" (TIN/PSRN 7730717675/5147746443774), is located at: Moscow, Stolevova St., 7, apt. 240.
1.5. This Policy and its amendments are approved by the General Manager of LLC "MITS LUX" and are put into effect by an order. All employees of LLC "MITS LUX" must be familiarized with this Policy and its amendments under signature. This Policy is mandatory for all employees of LLC "MITS LUX" who have access to personal data.
1.6. To ensure unlimited access to this document, which defines the policy of LLC "MITS LUX" regarding personal data processing and the measures taken to protect personal data, LLC "MITS LUX" places the text of this Policy on the official website of LLC "MITS LUX", www.mits.ru (hereinafter referred to as the "Website").
1.7. The Website may contain hyperlinks to other websites provided by third parties. The Operator does not control and is not responsible for third-party websites that a user may access via links available on the Website. After the user has left the Website, the Operator is not responsible for the protection and confidentiality of any personal data or personal information that the user, as a personal data subject, provides. The personal data subject should be cautious and familiarize themselves with the corresponding privacy policy of the website they are visiting.
1.8. LLC "MITS LUX" reserves the right to make necessary changes to the Policy when the current legislation of the Russian Federation and the conditions of its activities change.
2. Key Concepts
2.1. The following key concepts are used in this Policy:
Personal Data - any information related to a directly or indirectly defined or identifiable physical person (personal data subject). Such information, in particular, includes last name, first name, patronymic, year, month, date of birth, address, marital status, social status, property status, education, profession, income, and other information related to the personal data subject.
Confidential Personal Information - information that can be processed when visiting the Website, which is automatically transmitted to the Website's services during their use with the help of software installed on the personal data subject's device using cookie files (metric programs).
Operator - a legal or physical person who, independently or jointly with other persons, organizes and/or carries out the processing of personal data, and also determines the purposes of personal data processing, the composition of personal data to be processed, and the actions (operations) performed with personal data.
Personal Data Processing - any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data.
Automated Personal Data Processing - personal data processing using computer technology.
Personal Data Information System - a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
Publicly Available Personal Data - personal data placed by the personal data subject in publicly available sources of personal data (including directories, address books), access to which is provided to an unlimited number of people, or personal data placed in publicly available sources of personal data based on the written consent of the personal data subject.
Dissemination of Personal Data - actions aimed at disclosing personal data to an unlimited number of people.
Provision of Personal Data - actions aimed at disclosing personal data to a specific person or a specific group of people.
Blocking of Personal Data - a temporary cessation of personal data processing (except when processing is necessary to clarify personal data).
Anonymization of Personal Data - actions that make it impossible to determine the ownership of personal data to a specific personal data subject without using additional information.
Destruction of Personal Data - actions that make it impossible to restore the content of personal data in the personal data information system and/or as a result of which the physical carriers of personal data are destroyed.
Cross-border Personal Data Transfer - the transfer of personal data to the territory of a foreign state to a government authority of a foreign state, a foreign physical person, or a foreign legal entity.
2.2. The processing of personal data in the Organization is carried out with or without the use of automation tools and includes the collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, and destruction of personal data of personal data subjects whose personal data is processed in the Organization.
2.3. Personal data processing without the use of automation tools can be carried out in the form of documents on paper carriers and in electronic form (files, databases) on electronic information carriers.
2.4. Categories of personal data subjects that the Operator processes:
2.4.1. Employees - physical persons, job candidates, employees, their family members, former employees, as well as other persons whose personal data the Organization is obligated to process in accordance with labor legislation.
2.4.2. Clients - physical persons, customers of tourist products and/or individual tourist services, or other physical persons who intend to order or purchase or are ordering, purchasing tourist services on behalf of the consumer (tourist), including legal representatives of a minor consumer (tourist).
2.4.3. Clients - physical persons, tourists who use tourist products and services exclusively for personal and other needs not related to entrepreneurial activity.
2.4.4. Contractors - physical persons (personal data subjects) who are entering or intending to enter into a civil law contract with the Operator.
2.4.5. Users - physical persons, users of the Organization's Website on the Internet - physical persons who want to receive information about the services provided by the Organization or enter into a contract for the sale of a tourist product and/or tourist services.
3. Purposes of Personal Data Processing and Corresponding Lists of Processed Personal Data
3.1. The personal data of the personal data subjects specified in subparagraph 2.4.1 of clause 2 of this Policy are processed for the purposes of:
● ensuring the Operator's compliance with labor legislation;
● assisting employees in employment;
● obtaining education and career advancement;
● ensuring the personal safety of employees;
● monitoring the quantity and quality of work performed;
● ensuring the safety of property;
● ensuring the labor conditions, guarantees, and compensations established by the legislation of the Russian Federation.
3.1.1. The personal data of employees processed by the Organization for the purposes specified in clause 3.1:
● last name, first name, patronymic (if any) (including previous last names, first names, and/or patronymics (if any), in case of their change);
● date and place of birth;
● citizenship information;
● type, series, number of the document proving the identity of a citizen of the Russian Federation, name of the authority, code of the unit that issued it, date of issue;
● type, series, number of the document proving the identity of a citizen of the Russian Federation outside the Russian Federation, name of the authority that issued it, date of issue;
● address of residence, date of registration at the place of residence (place of stay);
● phone number, email address;
● information contained in the compulsory pension insurance certificate or a document confirming registration in the individual (personalized) accounting system;
● taxpayer identification number;
● details of the compulsory health insurance policy;
● details of the civil status registration certificate;
● information about marital status, family composition;
● information about labor activity, including part-time work, entrepreneurial and other activities, military service;
● attitude to military duty, information about military registration and details of military registration documents (series, number, date of issue of military registration documents, names of the authorities that issued them);
● information about education with the name of the educational organization, the year of its completion, qualifications, specialty, and/or field of study, name and details of the education document;
● information about knowledge of foreign languages and languages of the peoples of the Russian Federation;
● information about the presence or absence of a disease that prevents the performance of labor functions;
● photograph;
● bank account number;
● bank card number;
● other information that the personal data subject wished to provide about themselves and which meets the purposes of personal data processing specified in clause 3.2 of this Policy.
3.1.2. The Organization's documents that contain personal data of employees are:
● sets of documents accompanying the process of formalizing labor relations upon hiring, transfer, and dismissal;
● sets of materials for questionnaires, tests, interviews with a job candidate;
● originals and copies of orders (directives) for personnel;
● personal files, labor books, information about employees' labor activity;
● files containing materials for employee certifications;
● files containing materials for internal investigations;
● a reference information database for personnel (card files, journals);
● copies of reports sent to state regulatory bodies.
3.2. The personal data of the personal data subjects specified in subparagraph 2.4.2 of clause 2 of this Policy are processed for the purpose of:
● carrying out civil law relations, including those related to the preparation, conclusion, and execution of obligations within the framework of contracts for the sale of a tourist product and/or tourist services, ensuring the provision of services included in the tourist product and/or services.
3.2.1. The personal data of clients processed by the Organization for the purposes specified in clause 3.2:
● last name, first name, patronymic (if any);
● type, series, number of the document proving the identity of a citizen of the Russian Federation, name of the authority, code of the unit that issued it, date of issue;
● address of residence, date of registration at the place of residence (place of stay);
● actual address of residence;
● phone number, email address;
● postal address.
3.2.2. The Organization's documents that contain the personal data of clients specified in subparagraph 2.4.2 of clause 2 of this Policy are:
● a copy of a passport or other identity document;
● a contract for the sale of a tourist product and/or individual services;
● other documents confirming the right of clients to receive tourist services included in the tourist product (voucher, travel ticket, airline and/or railway ticket, insurance policy, etc.).
3.3. The personal data of the personal data subjects specified in subparagraph 2.4.3 of clause 2 of this Policy are processed for the purpose of:
● carrying out civil law relations related to the execution of obligations under contracts for the sale of a tourist product and/or tourist services, including: booking tourist services, processing documents necessary for consuming services, providing and/or ensuring the provision of services included in the tourist product.
3.3.1. The personal data of clients processed by the Organization for the purposes specified in clause 3.3:
● last name, first name, patronymic (if any) in Russian;
● last name, first name in Latin transcription, as they are specified in the foreign passport;
● year, month, and day of the client's birth;
● place of birth;
● current citizenship (if necessary - citizenship at birth);
● gender;
● data from the general civil passport of the Russian Federation (series and number of the general Russian passport, its date of issue, the name of the authority that issued the passport, the validity period of the general Russian passport or birth certificate);
● data from the foreign passport of the Russian Federation (series and number of the foreign passport, its date of issue, the name of the authority that issued the passport, validity period);
● birth certificate data (for minor citizens);
● registration address;
● actual address of residence;
● email address;
● home and contact (mobile) phone numbers;
● additional information provided voluntarily by the tourist.
Additional information requested by the consular services of the embassy of the country of planned visit when it is necessary to obtain a visa on behalf of the client at the embassy of the country of planned stay (p.p. 5, p. 1; p. 4, art. 6 of the Federal Law "On Personal Data"), or by insurance companies for the purpose of concluding a contract where the client is the beneficiary, which may include:
● last name, first name of the father; last name, first name of the mother;
● data about the employer and work (name, address, and phone number of the employer, current position, salary amount);
● data about the educational institution - for schoolchildren and students (name, address, and phone number of the educational institution);
● image (photograph) of the client;
● information about receiving a pension and who pays for the trip for a pensioner (for pensioners);
● dates of past trips to the country of planned visit or to a group of specific countries;
● information about past deportations from the country of planned visit or other violations of the legislation of foreign states;
● copies of claims and lawsuits related to clients;
● other required information determined by the consular services of the embassy of the country of planned visit.
3.3.2. The Organization's documents that contain the personal data of clients specified in subparagraph 2.4.3 of clause 2 of this Policy are:
● a copy of a passport or other identity document;
● a passport proving the identity of a citizen outside the territory of the Russian Federation;
● a birth certificate;
● sets of documents accompanying the visa application process;
● a contract for the sale of a tourist product and/or individual services;
● other documents confirming the right of clients to receive tourist services included in the tourist product (voucher, travel ticket, airline and/or railway ticket, insurance policy, etc.).
3.4. The personal data of the personal data subjects specified in subparagraph 2.4.4 of clause 2 of this Policy are processed for the purpose of:
● preparing, concluding, and executing civil law contracts.
3.4.1. The personal data of contractors processed by the Organization for the purposes specified in clause 3.4:
● last name, first name, patronymic (if any);
● type, series, number of the document proving the identity of a citizen of the Russian Federation, name of the authority, code of the unit that issued it, date of issue;
● information about the taxpayer identification number;
● address of residence, date of registration at the place of residence (place of stay);
● actual address of residence;
● information about employment and general work experience;
● phone number, email address;
● postal address;
● additional information provided voluntarily by the personal data subject (contractor).
3.4.2. The Organization's documents that contain the personal data of contractors specified in subparagraph 2.4.4 of clause 2 of this Policy are:
● a copy of a passport or other identity document;
● a copy of a power of attorney;
● statutory documents;
● extracts from the Unified State Register of Individual Entrepreneurs, Unified State Register of Legal Entities;
● copies of permits (patents, licenses, certificates, permits, etc.);
● data contained in state registries;
● contracts concluded between the Organization and contractors;
● other documents provided by contractors for the purpose of preparing, concluding, and executing civil law contracts.
3.5. The personal data of the personal data subjects specified in subparagraphs 2.4.2, 2.4.3, 2.4.4 of clause 2 of this Policy are processed for the purpose of:
● establishing feedback with personal data subjects by making direct contacts, providing advisory, organizational, technical, and customer support.
3.5.1. The personal data of clients and contractors processed by the Organization for the purposes specified in clause 3.5:
● last name, first name, patronymic (if any);
● phone number, email address;
● postal address.
3.5.2. The Organization's documents that contain the personal data of clients and contractors used for the purposes established by clause 3.5 of this Policy are:
● contracts/copies of contracts concluded by clients and contractors with the Organization;
● electronic databases created by the Organization.
3.6. The personal data of the personal data subjects specified in subparagraphs 2.4.2, 2.4.3, 2.4.4 of clause 2 of this Policy are processed for the purpose of:
● forming a contractor database for the conclusion and execution of contracts.
3.6.1. The personal data of clients and contractors processed by the Organization for the purposes specified in clause 3.6:
● last name, first name, patronymic (if any);
● phone number, email address.
3.6.2. The Organization's documents that contain the personal data of clients and contractors used for the purposes established by clause 3.6 of this Policy are:
● contracts/copies of contracts concluded by clients and contractors with the Organization;
● electronic databases created by the Organization.
3.7. The personal data of the personal data subjects specified in subparagraphs 2.4.2, 2.4.3 of clause 2 of this Policy are processed for the purpose of:
● promoting the Organization's services on the market, including by publishing reviews to increase the awareness of Website visitors about the Organization's services, studying opinions about the services, and controlling the quality of services.
3.7.1. The personal data of clients processed by the Organization for the purposes specified in clause 3.7:
● last name, first name, patronymic (if any);
● photo image, video image;
● phone number, email address.
3.7.2. The Organization's documents that contain the personal data of clients used for the purposes established by clause 3.7 of this Policy are:
● contracts/copies of contracts concluded by clients and contractors with the Organization;
● electronic databases created by the Organization;
● photo and video images provided by clients or taken by the Organization or its representatives during the provision of services by the Organization.
3.8. The confidential personal information of the personal data subjects specified in subparagraph 2.4.5 of clause 2 of this Policy is processed for the purpose of:
● collecting statistical information about the actions and functions that are most interesting to Website users to provide a better and more personalized experience, studying demand, improving service quality, and organizing access to information about the Organization's activities posted on the Website on the Internet.
3.8.1. The confidential personal information of users processed by the Organization for the purposes specified in clause 3.8:
● data that is automatically transmitted to the website's services during their use with the help of software installed on the user's device;
● IP address;
● cookie data;
● parameters and settings of internet browsers (or other programs used to access the website's services);
● log files, technical characteristics of the hardware and software used by the user;
● date and time of access to the Website's services;
● addresses of requested pages;
● order history;
● information about subscriptions and messages to customer support;
● other similar information.
3.8.2. The confidential personal information of users used for the purposes established by clause 3.8 of this Policy is contained in:
● text files that the website saves on the user's computer using a browser.
4. Obtaining and Processing Personal Data of Employees
4.1. Obtaining Personal Data
4.1.1. The Operator obtains personal data, with the exception of publicly available personal data, directly from the personal data subjects, or from persons who have duly formalized authority to represent the interests of the personal data subjects when transferring personal data to the Operator.
4.1.2. If a personal data subject's data can only be obtained from a third party, the subject is notified of this in advance and must provide written consent. The Organization informs the personal data subject about the purposes, intended sources, and methods of obtaining personal data, as well as the nature of the personal data to be obtained and the consequences of the subject's refusal to give written consent for their receipt.
4.1.3. The Organization does not have the right to obtain and process information about the personal data subject that, in accordance with the legislation of the Russian Federation in the field of personal data, belongs to special categories of personal data, except in cases provided for by the Labor Code and other federal laws.
4.1.4. When obtaining personal data, the Operator is obligated to inform the personal data subject about:
● the purposes for which the Operator obtains personal data;
● the list of personal data requested by the Operator;
● the list of actions that the Operator intends to perform with the personal data;
● the period during which the personal data subject's consent to personal data processing is valid;
● the procedure for withdrawing consent to personal data processing;
● the consequences of the personal data subject's refusal to provide the Operator with consent for the receipt and processing of personal data.
4.1.5. Confidential personal information is collected automatically using metric programs in connection with the user's activity on the Website. When visiting the website, all account logins are recorded. Other information about user traffic is not processed or stored. Yandex Metrica service codes are installed on some pages of the Website. This service can receive and process information exclusively about the user's visit to the page and other information that is transmitted by the user's browser. The use of this service is necessary for the Operator to promptly analyze website visits, conduct internal and external assessment of website traffic, depth of views, and user activity. The data received from this service are not stored or processed.
4.2. Personal Data Processing
4.2.1. Personal data is processed by the Operator in compliance with the principles and rules provided for by Federal Law 152-FZ "On Personal Data" of July 27, 2006, in the following cases:
● with the consent of the personal data subject to the processing of their personal data. Consent to personal data processing is considered to have been received by the Operator from the moment the personal data subject provides written consent to personal data processing or from the moment a special mark is placed in the corresponding field of the personal data collection form posted on the Website, and in cases established by law - exclusively from the moment a separate written consent to personal data processing is provided;
● personal data processing is necessary for the preparation, conclusion, and execution of a civil law contract, to which the personal data subject is a party, or a beneficiary, or a guarantor;
● in cases where personal data processing is necessary for the Operator to carry out and fulfill the functions, powers, and duties assigned by the legislation of the Russian Federation;
● personal data processing is necessary to protect the life, health, or other vital interests of the personal data subject if obtaining the personal data subject's consent is impossible;
● the collection and processing of personal information using cookies is carried out with the consent of the Website user.
4.2.2. Only personal data that meets the purposes of processing specified in clause 3 of this Policy are subject to processing. Personal data is not subject to processing if its nature and volume do not correspond to the stated purposes.
4.2.3. If, to achieve the goals specified in clause 3 of this Policy, the Operator needs biometric personal data or data concerning health status, such processing is carried out only on the basis of the personal data subject's written consent in accordance with the law. The processing of special categories of personal data must be immediately stopped if the reasons for which it was carried out have been eliminated.
4.2.4. The Operator also has the right to ask the personal data subject to provide additional consent if it is necessary to use personal data and personal information for purposes not specified in this Policy.
4.3. The personal data subject's written consent to personal data processing must include, in particular, the information specified in Article 9 of Federal Law No. 152-FZ of July 27, 2006.
4.4. Consent to personal data processing can be withdrawn by the personal data subject. In case of withdrawal of consent to personal data processing, the Organization has the right to continue processing personal data without the personal data subject's consent if there are grounds specified in clauses 2–11 of part 1 of Article 6, part 2 of Article 10, and part 2 of Article 11 of Federal Law No. 152-FZ of July 27, 2006.
4.5. If, for any reason, the user does not want the services installed on the Website to have access to their personal information, the user can voluntarily "log out" (exit their account) and clear "cookies" (through their browser).
5. Conditions and Procedure for Processing Personal Data of Personal Data Subjects in Information Systems
5.1. Before starting personal data processing, the Organization is obligated to notify Roskomnadzor of its intention to carry out personal data processing.
5.2. The legal basis for personal data processing is:
5.2.1. For the processing of employee personal data (clause 2.4.1 of the Policy) - the Labor Code of the Russian Federation, other regulatory legal acts containing labor law norms, Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", Law of the Russian Federation No. 1032-1 of April 19, 1991 "On Employment of the Population in the Russian Federation", Federal Law No. 402-FZ of December 6, 2011 "On Accounting", Decree of the Government of the Russian Federation No. 719 of November 27, 2006 "On Approval of the Regulations on Military Registration", consent to personal data processing (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the operator's powers);
5.2.2. For the processing of client personal data (clauses 2.4.2, 2.4.3 of the Policy) - contracts for the sale of a tourist product and/or individual tourist services concluded between the Operator (its representative) and the client (its representative), clause 19 of the Decree of the Government of the Russian Federation No. 1852 of November 18, 2020 "On Approval of the Rules for the Provision of Services for the Sale of a Tourist Product", part 4 of Article 16 of Federal Law No. 2300-1 of February 7, 1992 "On Protection of Consumer Rights", Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", consent to personal data processing (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the operator's powers);
5.2.3. For the processing of contractor personal data (clause 2.4.4 of the Policy) - the operator's statutory documents, civil law contracts concluded between the operator and the personal data subject, Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the Civil Code, consent to personal data processing (in cases not directly provided for by the legislation of the Russian Federation, but corresponding to the operator's powers);
5.2.4. For the processing of Website user personal data (clause 2.4.5 of the Policy) - the legitimate interests of the Organization aimed at the technical support of the internet resource (Website) and providing the user with the necessary level of service (e.g., website navigation and similar), user agreement, user's consent to the use of cookie files, processing of information using metric programs, Federal Law No. 152-FZ of July 27, 2006 "On Personal Data".
5.3. Personal data processing in the Organization is carried out by the following methods:
● non-automated personal data processing;
● automated personal data processing with or without the transfer of the received information via information and telecommunication networks;
● mixed personal data processing.
5.4. The collection, recording, systematization, accumulation, and clarification (updating, changing) of personal data in the Organization are carried out by means of:
● obtaining original documents or their copies;
● copying original documents;
● entering information into accounting forms on paper and electronic media;
● entering information into registration and other collection forms;
● creating documents containing personal data on paper and electronic media;
● entering personal data into personal data information systems;
● obtaining information about personal data by phone or email;
● metric programs.
5.5. The following information systems are used in the Organization:
● corporate email;
● electronic document management system;
● user workplace support system;
● regulatory and reference information system;
● personnel management system;
● remote access control system;
● information portal;
● metric programs.
5.6. Employees and representatives of the Operator who have the right to process personal data in information systems are provided with a unique login and password to access the corresponding information system, in accordance with the functions provided for in job regulations.
5.7. The security of personal data processed in information systems is achieved by excluding unauthorized, including accidental, access to personal data.
5.8. Access of Operator employees to personal data contained in the Operator's personal data information systems requires the mandatory completion of an identification and authentication procedure.
5.9. The exchange of personal data during their processing in the Operator's personal data information systems is carried out via communication channels, the protection of which is ensured by the implementation of appropriate organizational measures and the use of software and technical means in accordance with Article 19 of the Federal Law "On Personal Data".
5.10. In case of detection of violations of the personal data processing procedure in the Operator's personal data information systems, authorized responsible employees take measures to establish the causes of the violations and eliminate them from the moment such violations are discovered.
5.11. Employees and their representatives must be familiarized with the Operator's documents establishing the procedure for personal data processing, as well as their rights and obligations in this area, under signature.
6. Transfer and Dissemination of Personal Data
6.1. When the Organization transfers personal data, the personal data subject must give consent for this in written or electronic form. If an employee has formalized consent for the transfer of personal data in electronic form, they must sign the consent with an enhanced electronic digital signature.
6.2. The Organization has the right to transfer information that relates to the personal data of an employee, client, or contractor without their consent if such information needs to be transferred at the request of state bodies, in the manner established by law.
6.3. The Organization is not entitled to provide personal data to a third party without the written consent of the personal data subject, except in cases where it is necessary to prevent a threat to the life and health of the employee, as well as in cases established by law.
6.4. If the person who made the request is not authorized by federal law to receive information related to the personal data of the personal data subject, the Organization is obligated to refuse to provide the information to that person. The person who made the request is given a notice of refusal to provide the information.
6.5. An employee's personal data may be transferred to employee representatives in the manner established by the Labor Code, to the extent necessary for those representatives to perform their functions.
6.6. Consent to the processing of personal data permitted by the personal data subject for dissemination is formalized separately from other consents of the personal data subject to the processing of their personal data.
6.7. The Organization is obligated to provide the personal data subject with the opportunity to determine a list of personal data for each category of personal data specified in the consent for personal data dissemination.
6.8. If it does not follow from the consent to personal data dissemination provided by the personal data subject that the personal data subject has consented to the dissemination of personal data, such personal data is processed by the Organization without the right to disseminate.
6.9. If it does not follow from the consent to personal data transfer provided by the personal data subject that the personal data subject has not established prohibitions and conditions for personal data processing or has not specified the categories and list of personal data for the processing of which the personal data subject establishes conditions and prohibitions, the Organization processes such personal data without the possibility of transfer (dissemination, provision, access) to an unlimited number of persons.
6.10. The personal data subject's consent to personal data dissemination can be provided to the Operator:
● directly;
● using the information system of the authorized body for the protection of the rights of personal data subjects.
6.11. In the consent for personal data dissemination, the personal data subject has the right to establish prohibitions on the transfer (except for providing access) of this personal data by the Organization to an unlimited number of people, as well as prohibitions on the processing or conditions for processing (except for obtaining access) of this personal data by an unlimited number of people. The Organization's refusal to allow the personal data subject to establish prohibitions and conditions is not permitted.
6.12. The Organization is obligated to publish information about the conditions of processing and the existence of prohibitions and conditions for the processing of a subject's personal data for dissemination by an unlimited number of people no later than three working days from the moment of receiving the personal data subject's consent to dissemination.
6.13. The transfer (dissemination, provision, access) of personal data that the personal data subject has permitted for dissemination must be stopped at any time upon their request. This request must include the last name, first name, patronymic (if any), contact information (phone number, email address, or postal address) of the personal data subject, as well as a list of the personal data for which processing should be stopped.
6.14. The personal data subject's consent to personal data dissemination ceases to be valid from the moment the Organization receives the request specified in clause 6.13 of this Policy.
6.15. The personal data subject has the right to demand that any person processing their personal data stop the transfer (dissemination, provision, access) of their personal data previously permitted for dissemination, in case of non-compliance with the provisions of Federal Law No. 152-FZ of July 27, 2006, or to apply to a court with such a demand.
6.16. The Organization or a third party is obligated to stop the transfer (dissemination, provision, access) of personal data within three working days from the moment the employee's request is received or within the period specified in a court decision that has entered into force. If such a period is not specified in the court decision, the Organization or a third party is obligated to stop the transfer of the employee's personal data within three working days from the moment the court decision enters into legal force.
6.17. Access to the personal data of personal data subjects is allowed only to specially authorized persons, and these persons must have the right to receive only the personal data that is necessary for the performance of a specific function.
7. Terms of Processing and Storage of Personal Data
7.1. The Organization ensures the protection of personal data of personal data subjects from unlawful use or loss.
7.2. Documents containing personal data of subjects are stored on paper in folders, bound and numbered by pages, in a specially designated cabinet that provides protection from unauthorized access.
7.3. Personal data can also be stored in electronic form on a local computer network. Access to electronic databases containing personal data is provided by a two-level password system: at the local computer network level and at the database level.
7.4. Copying and making extracts from personal data is allowed exclusively for official purposes with the written permission of the General Manager of the Organization or their deputy.
7.5. Personal data processing in the Organization is terminated in the following cases:
● upon detection of a fact of unlawful personal data processing. The processing must be stopped within three working days from the date of detection of such a fact;
● upon achievement of the purposes of their processing (with some exceptions);
● upon expiration of the validity period or withdrawal of the personal data subject's consent to the processing of their personal data (with some exceptions), if, in accordance with the Law on Personal Data, their processing is allowed only with consent;
● upon the personal data subject's request to the Organization to terminate personal data processing (except for cases provided for in part 5.1 of Article 21 of the Law on Personal Data). The processing must be stopped within no more than 10 working days from the date the request is received (with the possibility of extension for no more than five working days, if a notification of the reason for the extension is sent).
7.6. Personal data is stored in a form that allows the personal data subject to be identified, no longer than required for the purposes of its processing. The exception is where the personal data storage period is established by federal law or by a contract to which the personal data subject is a party, beneficiary, or guarantor.
7.7. Personal data on paper carriers is stored in the Organization for the storage periods of documents for which these periods are provided for by the legislation on archival affairs in the Russian Federation (Federal Law No. 125-FZ of October 22, 2004 "On Archival Affairs in the Russian Federation", List of Typical Administrative Archival Documents Generated during the Activities of State Bodies, Local Self-Government Bodies and Organizations, with Indication of their Storage Periods (approved by Order of Rosarkhiv No. 236 of December 20, 2019)).
7.8. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data on paper carriers.
8. Procedure for Blocking and Destroying Personal Data
8.1. The Organization blocks personal data in the manner and under the conditions provided for by personal data legislation.
8.2. Upon achievement of the purposes of personal data processing or in case the need to achieve these purposes is lost, personal data is destroyed or anonymized. An exception may be provided by federal law.
8.3. Personal data obtained as a result of anonymization can be processed with and without the use of automation tools and are not subject to disclosure.
8.4. Personal data obtained as a result of anonymization is not subject to provision to third parties who process personal data using additional information that allows a specific physical person to be directly or indirectly identified.
8.5. When processing personal data obtained as a result of anonymization without the use of automation tools, the safety of the physical carriers containing them and the procedure for access of Organization Employees to the premises where they are stored are ensured, with the aim of excluding unauthorized access to anonymized personal data, the possibility of their unauthorized destruction, modification, blocking, copying, dissemination, as well as other unlawful actions.
8.6. When processing personal data obtained as a result of anonymization in personal data information systems, compliance with the password protection of personal data information systems, antivirus policy, rules for working with removable media (if used), backup rules, and rules for accessing the premises where the elements of the personal data information systems are located is ensured.
8.7. When storing personal data obtained as a result of anonymization, separate storage of personal data obtained as a result of anonymization and information about the chosen method of personal data anonymization and the parameters of the personal data anonymization procedure is ensured.
8.8. The destruction of personal data is carried out by a commission created by order of the General Manager.
8.9. The commission draws up a list indicating the documents, other physical carriers, and/or information in information systems that contain personal data to be destroyed.
8.10. Personal data on paper carriers is destroyed using a shredder. Personal data on electronic carriers is destroyed by mechanically disrupting the integrity of the carrier, making it impossible to read or restore the personal data, as well as by deleting data from electronic carriers using methods and means of guaranteed residual information deletion.
8.11. The commission confirms the destruction of personal data in accordance with the Requirements for Confirmation of Personal Data Destruction, approved by Order of Roskomnadzor No. 179 of October 28, 2022, namely:
● an act of personal data destruction - if the data is processed without the use of automation tools;
● an act of personal data destruction and an extract from the event log in the personal data information system - if the data is processed using automation tools or simultaneously with and without the use of such tools.
The act can be drawn up on a paper carrier or in electronic form, signed with electronic signatures. The forms of the act and the extract from the log, taking into account the information that must be contained in these documents, are approved by the order of the general manager.
8.12. After drawing up the act of personal data destruction and the extract from the event log in the personal data information system, the commission transfers them to the general department for subsequent storage. The acts and extracts from the log are stored for three years from the moment the personal data is destroyed.
9. Personal Data Protection
9.1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system, consisting of legal, organizational, and technical protection subsystems.
9.2. The legal protection subsystem is a set of legal, organizational, and regulatory documents that ensure the creation, functioning, and improvement of personal data protection systems.
9.3. The organizational protection subsystem includes the organization of the management structure of personal data protection systems, a permissive system, and information protection when working with employees, partners, and third parties.
9.4. The technical protection subsystem includes a set of technical, software, and hardware tools that ensure the protection of personal data.
9.5. The main measures for personal data protection used by the Operator are:
● appointment of a person responsible for personal data processing, who organizes the processing of personal data, training and instruction, and internal control over the compliance of the institution and its employees with the requirements for personal data protection;
● identification of current threats to the security of personal data during their processing in personal data information systems and the development of measures and activities for personal data protection;
● establishment of rules for access to personal data processed in personal data information systems, as well as ensuring the registration and accounting of all actions performed with personal data in personal data information systems;
● establishment of individual passwords for employees to access the information system in accordance with their job duties;
● application of information protection tools that have passed the conformity assessment procedure in the established manner;
● certified antivirus software with regularly updated databases;
● compliance with conditions that ensure the safety of personal data and exclude unauthorized access to it;
● detection of facts of unauthorized access to personal data and taking measures;
● restoration of personal data modified or destroyed due to unauthorized access to it;
● training of Operator employees who directly process personal data on the provisions of the legislation of the Russian Federation on personal data, including the requirements for personal data protection, and familiarization with documents defining the Operator's policy regarding personal data processing and local acts on personal data processing issues;
● scanning of services and applications for vulnerabilities using a combination of static source code analysis and dynamic testing, to ensure the security of the software;
● encryption of all user data during transport using TLS;
● conducting an annual independent penetration test of the Website;
● carrying out internal control and audit.
10. Main Rights of the Personal Data Subject and Obligations of the Operator. Consideration of Personal Data Subject Requests
10.1. Main Rights of the Personal Data Subject
10.1.1. The personal data subject has the right to receive information regarding the processing of their personal data, including information containing:
1) confirmation of the fact of personal data processing by the operator;
2) legal grounds and purposes of personal data processing;
3) the purposes and methods of personal data processing used by the operator;
4) the name and location of the operator, information about the persons (except for the operator's employees) who have access to personal data or to whom personal data may be disclosed based on a contract with the operator or on the basis of federal law;
5) the processed personal data related to the respective personal data subject, the source of their receipt, unless a different procedure for providing such data is provided for by federal law;
6) the terms of personal data processing, including their storage periods;
7) the procedure for exercising the rights of the personal data subject provided for by this Federal Law;
8) information about an already carried out or an intended cross-border data transfer;
9) the name or last name, first name, patronymic, and address of the person who processes personal data on behalf of the operator, if the processing is entrusted or will be entrusted to such a person;
10) other information provided for by this Federal Law or other federal laws.
This information must be provided to the personal data subject by the Operator in an accessible form, and it must not contain personal data related to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data. This information is provided to the personal data subject or their representative by an authorized person of the Operator who processes the relevant personal data, within ten working days from the moment of the request or receipt of the request from the personal data subject or their representative. This period may be extended, but for no more than five working days, if the operator sends a motivated notification to the personal data subject with an indication of the reasons for extending the period for providing the requested information. The request must contain: the number of the main document proving the identity of the personal data subject or their representative, information about the date of issue of the specified document and the authority that issued it, information confirming the personal data subject's participation in relations with the operator (contract number, date of contract conclusion, conditional verbal designation and/or other information) or information otherwise confirming the fact of personal data processing by the operator, and the signature of the personal data subject or their representative.
10.1.2. Personal data subjects have the right to demand that the Operator clarify their personal data, block it, or destroy it if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, and also to take measures to protect their rights as provided by law.
10.1.3. Operator's Obligations
The Operator is obligated to:
1) provide information about personal data processing upon the personal data subject's request;
2) in cases where personal data was not obtained from the personal data subject, notify the personal data subject of the fact that the Operator obtained personal data;
3) in case of refusal to provide personal data, explain the consequences of such refusal to the personal data subject;
4) publish or otherwise ensure unlimited access to the document defining the Operator's policy regarding personal data processing;
5) take or ensure the taking of necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access to it, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other unlawful actions with respect to personal data;
6) respond to requests and appeals from personal data subjects, their representatives, and the authorized body for the protection of the rights of personal data subjects;
7) refuse the personal data subject's request to provide the information specified in clause 5.1.1 if the request does not comply with the conditions provided for in clause 5.1.1 or other requirements of the law. Such a refusal must be reasoned.
8) in case a fact of unlawful or accidental transfer (provision, dissemination, access) of personal data is established that resulted in a violation of the rights of personal data subjects, notify the authorized body for the protection of the rights of personal data subjects about this within the periods established by part 3.1 of Article 21 of Federal Law No. 152-FZ "On Personal Data".
11. Withdrawal of Consent to Personal Data Processing
11.1. The validity period of the personal data subject's consent is unlimited; however, the personal data subject has the right to withdraw consent to the Operator's processing of personal data at any time in cases established by law, by sending a written notification to the Operator's address or to the email address: mits@mits.ru with the subject line "Withdrawal of consent to personal data processing".
11.2. The withdrawal of consent to personal data processing entails the deletion of the user's account from the Website, as well as the destruction of records containing personal data on paper carriers and in the personal data processing information systems of the Operator and third parties within a period not exceeding 10 working days from the moment of receipt.