1. General provisions
1.1. This Provision, in accordance with the requirements of Article 18.1. of Federal Law of the Russian Federation No. 152-FZ "On Personal Data" of 27.07.2006, defines the procedure for handling by Kamdesign Ltd. (hereinafter, the Company) of the personal data of its Clients (contractual counterparties), as well as Potential Clients who have left their personal data on the Company’s website.
1.2. The purpose of regulation of personal data handling is to ensure the observance of the duties and legal rights and interests of the Company and its employees in relation to the need for obtaining (collection), systematization (combining), storage and transmission of information that constitutes personal data when concluding agreements with its Clients and fulfilling its obligations under such agreements, as well as when Potential Clients provide their personal data on the website of the Company in order to receive further information about the services rendered by the Company.
1.3. The information about the personal data of the Clients is deemed to be confidential information constituting the Company's secret that is protected by the law.
1.4. The person responsible for personal data protection shall be approved by a relevant order of the head of the Company.
2. General definitions. Scope of the personal data of the Clients/Potential Clients
2.1. For the purposes of this Provision, the following general definitions shall be used:
Client shall mean a person who is a contractual counterparty and/or a customer of the Company.
Agreement shall mean an agreement concluded between the Company and the Client that constitutes the basis for creation of rights and obligations in relation to which it is necessary for the Company to process the personal data of a Client.
Potential Client shall mean a person who has an intention to obtain information about the Company’s services and has left their personal data on the Company’s website.
Personal Data shall mean any information directly or indirectly related to a physical person (personal data subject) being a Client, who is or can be identified based on such information, and required for the Company in relation to the contractual relations; or to a Potential Client and required for the Company in relation to the intention of such person to obtain information about the Company’s services. This information includes the following:
- last name, first name, patronymic;
- date and place of birth;
- address of residence (registration);
- information about the income, property and liabilities;
- any other similar information that makes it possible to unambiguously identify a personal data subject;
- any other information necessary for the Company to fulfill its obligations.
Processing of personal data shall mean any action (operation) or a set of actions (operations) performed on personal data with or without the use of automation tools, which include collection, recording, systematization, accumulation, storage, refinement (update or modification), extraction, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction of personal data;
Confidentiality of personal data shall mean a requirement, the observance of which is mandatory for the assigned responsible person who has been granted access to the personal data of the Clients/Potential Clients, to prevent its distribution without the consent of the said personal data subjects or other legal grounds;
Distribution of personal data shall mean any actions aimed at transfer of the personal data of the Clients/Potential Clients to a certain scope of persons (transfer of personal data) or access of an unlimited range of persons to the personal data, which includes publication of the personal data in the mass media, posting of it in information and telecommunication networks, or provision of access to the personal data of the Clients/Potential Clients in any other way;
Use of personal data shall mean any actions (operations) performed on personal data by an authorized official of the Company for the purpose of making decisions or performing any other actions that entail legal consequences in relation to the Clients/Potential Clients or affect their rights and freedoms, or the rights and freedoms of other persons, in any other way;
Blocking of personal data shall mean temporary ceasing of collection, systematization, accumulation, use, distribution of personal data, which includes its transfer;
Destruction of personal data shall mean any actions resulting in the impossibility of restoring the contents of personal data in the personal data information system of the Clients/Potential Clients or resulting in the destruction of the physical media containing personal data;
Anonymization of personal data shall mean any actions resulting in the impossibility of identifying a particular subject of personal data who the personal data belong to;
Publicly accessible personal data shall mean personal data the access to which is granted to an unlimited range of persons with the consent of the personal data subject, or to which the requirement to observe confidentiality does not apply in accordance with the federal laws;
Information shall mean any pieces of information (messages, data) irrespective of the format they are submitted in;
Documented information shall mean any information recorded on physical media by way of documenting with record details allowing for identifying such information or its physical media.
2.2. Any information provided by the Client when they conclude an Agreement with the Company must be presented in a documented form. When concluding an Agreement, the person concluding it shall produce the following documents for identification purposes:
- passport or any other personal identification document;
- TIN certificate (in the event that the Client has one);
- individual insurance account number (SNILS) (in the event that the Client has one).
2.3. When registering a Client, the authorized department shall make paper and electronic copies of the documents specified in Clause 2.2 and of any other necessary documents.
2.4. After that, the aforesaid copies shall be transferred to the person responsible for personal data protection.
2.5. When a Potential Client leaves a request on the Company’s website for receiving information about the Company’s services, the Potential Client shall submit the following information: last name, first name, patronymic, contact telephone number, and email address.
2.6. By providing their personal data to the Company and expressing their consent to personal data processing, a Client or a Potential Client agrees to receive informational messages, which includes advertising messages, at the email address and cell phone number of the Client/Potential Client.
2.7. A Client/Potential Client shall be entitled to elect not to receive advertising and any other information without giving any reasons for that by way of informing the Company about their decision by phone at + 7 (495) 109-20-11 or by way of sending a corresponding application to the Company’s email address: firstname.lastname@example.org.
3. Processing of personal data
3.1. The source of information about all personal data shall be the Client or Potential Client themself. If it is possible to obtain personal data from a third party only, the Client or Potential Client must be notified about it in advance in writing, and their written consent must be obtained. The Company shall be obliged to notify them about the purposes, the intended sources and ways of obtaining personal data, as well as about the consequences of the Client/Potential Client’s refusal to give their written consent for obtaining such data.
3.2. The Company shall be entitled to process personal data of Clients and Potential Clients only with their consent.
3.3. The Client shall give the Company their written consent for personal data processing, which must include:
- last name, first name, patronymic, address, number of the main personal identification document, information about the date and issuing body of the said document;
- name and address of the operator obtaining the consent of the personal data subject;
- purpose of personal data processing;
- list of the personal data to the processing of which the consent of the personal data subject is given;
- list of the actions on the personal data to the performance of which the consent is given, general description of the methods of personal data processing that are used by the operator;
- signature of the personal data subject.
3.4. A Potential Client shall grant their consent to the Company for processing of their personal data when they fill in the section with the information about themselves and their contact data on the Company’s website and tick the box when automatically asked for their consent for personal data processing.
3.5. The Client’s consent is not necessary in the following cases:
- personal data processing is performed under a federal law that establishes its purpose, the conditions of obtaining personal data, and the range of subjects whose personal data is subject to processing, as well as a certain authority of the Company;
- personal data processing is performed for statistical or other research purposes on condition that anonymization of personal data is mandatory;
- personal data processing is necessary for protection of the Client’s rights and interests under the Agreement, if it is not possible to obtain their consent.
3.6. A Client or a Potential Client shall provide the Company with reliable information about themselves. The Company’s authorized department shall verify the reliability of the information.
3.7. When processing personal data, the Company abides by the following principles:
- the processing shall be performed lawfully and on equitable basis;
- the processing of personal data shall be limited to achieving specific, pre-defined, and lawful purposes;
- personal data processing that is inconsistent with the purposes of personal data collection must be prevented;
- personal data processing must be consistent with the purposes of its processing;
- the contents must be relevant.
4. Transfer of personal data
4.1. The Company must abide by the following requirements when transferring personal data of a Client/Potential Client:
4.1.1. Not to disclose personal data of a Client/Potential Client to a third party without a written consent of the Client/Potential Client, except for the cases when it is necessary due to any requirements of the law or for the purposes of the protection of their rights and lawful interests.
4.1.2. Not to disclose personal data of a Client/Potential Client for commercial purposes without their written consent. Processing of personal data of Clients/Potential Clients for the purposes of promotion of any products, works, or services in the market is allowed only with their prior consent.
4.1.3. To warn any persons who have received personal data of a Client/Potential Client that this data can only be used for the purposes that it has been provided for, and to demand that those persons confirm that the rule has been abided by. Any persons who have received personal data of a Client/Potential Client must abide by the confidentiality restrictions.
4.1.4. To transfer personal data of Clients/Potential Clients within the Company in accordance with the present Regulations.
4.1.5. To permit access to personal data of Clients/Potential Clients only to the Company’s employees; in this case the said persons must be entitled to receive only the personal data which is necessary for them to perform particular functions.
4.1.6. To transfer personal data of a Client/Potential Client to their legally authorized representatives and to limit this information only to the personal data which is necessary for the said representatives to perform their functions.
4.2. Personal data of Clients/Potential Clients shall be processed and stored by the person responsible for personal data protection.
4.3. Personal data of Clients/Potential Clients may be received, undergo further processing, and be stored both on paper media and in electronic format (by means of a local area network).
4.4. In the event that personal data has not been received from a Client/Potential Client (except for the cases when such personal data is in the public domain) the Company must provide the Client/Potential Client with the following information prior to processing such personal data:
- name and address of the operator or its representative;
- the purpose of personal data processing and its legal grounds;
- the intended users of the personal data;
- the rights of a personal data subject established by the federal laws.
5. Access to personal data
5.1. The following persons shall have the right of access to the personal data of Clients/Potential Clients:
- the head of the Company;
- the person responsible for personal data protection;
- other employees of the Company as set forth in Clause 4.1.5 of these Regulations.
5.2. A Client/Potential Client of the Company shall be entitled to:
5.2.1. Have access to their personal data and get familiar with it, including the right to receiving a copy of any record containing their personal data free of charge.
5.2.2. Demand that the Company refines, excludes, or corrects any personal data that is incomplete, incorrect, out-of-date, unreliable, unlawfully obtained, or is not necessary for the Company.
5.2.3. Receive the following from the Company:
- confirmation of the fact of personal data processing by the Company;
- information about the persons who have access to personal data or may be granted such access;
- the list of personal data being processed and the source it was obtained from;
- the legal grounds and purposes of personal data processing;
- information about the methods of personal data processing applied by the Company;
- duration of personal data processing, which includes the duration of its storage;
- information about the legal consequences for a personal data subject that may be entailed by processing of their personal data;
- other information specified in Federal Law No. 152-FZ “On Personal Data” or other federal laws.
5.2.4. Demand that the Company notifies all the persons who had previously received incorrect or incomplete personal data about all the exclusions, modifications or amendments made to it.
5.2.5. File a complaint to the authorized body for the protection of rights of personal data subjects, or to court, on inappropriate action or inaction of the Company in relation to processing and protection of their personal data.
5.3. It is allowed to make copies and extracts of personal data of Clients/Potential Clients solely for business purposes after a written inquiry from the person responsible for personal data protection.
5.4. Information can be transferred to a third party only with a written consent of a Client/Potential Client.
6. Measures to ensure the security of personal data during its processing and responsibility for violation of the rules governing the processing of personal data
6.1. When processing personal data, the Company takes the necessary legal, managerial, and technical measures to protect personal data against unlawful or accidental access, destruction, alteration, blocking, copying, provision or distribution, as well as against any other inappropriate actions towards personal data.
6.2. Processing and ensuring the security of personal data in the Company shall be carried out in accordance with the requirements of the Constitution of the Russian Federation, Federal Law No. 152-FZ “On Personal Data”, subsidiary laws, and other federal laws of the Russian Federation establishing the circumstances and special aspects of personal data processing.
6.3. The employees of the Company found guilty of violation of the procedures for personal data handling shall be held liable in accordance with the current legislation of the Russian Federation.
6.4. Should a Client/Potential Client have any questions or claims they must contact the Company by telephone or by any other means available.
6.5. In the event that any provision of this Agreement is invalidated by a court, such invalidity shall not affect the other provisions.
7. Duration of storage and processing of personal data
7.1. Personal data of the Clients shall be processed in the Company within the entire validity period of the relevant Agreement, as well as stored for at least 5 years after its termination, with observance of all the requirements established by these Regulations and the current legislation. Upon the expiry of the said period of time the Company shall be entitled to make a decision about the destruction of a Client’s personal data.
7.2. Personal data of Potential Clients shall be processed and stored in the Company for at least 5 years from the moment of its provision. Upon the expiry of the said period of time the Company shall be entitled to make a decision about the destruction of a Potential Client’s personal data.