REGULATION
on the Procedure of Storage and Security of Personal Data of the Website Users of
COLORNILE LLC
(revised on 1 January 2018)
TERMS AND DEFINITIONS
Website – is the complex of hardware and software ensuring the publication of information and data for public viewing, united by a common designed use, through technical means applied for communications between computers on the Internet. The Website is available on the Internet at: http://colornile.ru/
Operator – the organization, which alone or jointly with other persons organizes the processing of personal data, as well as determines the processing purposes of personal data which are subject to processing, the actions (operations), conducted with personal data. The Operator is COLORNILE Limited Liability Company, located at the address: 141603, Moscow Region, Klin district, the city of Klin, Leningradskoe shosse, 88 km, bldg.6.
User – the user of the Internet, in particular of the Website.
Personal data – any data referring directly or indirectly to a particular or definable individual (personal data subject).
Processingofpersonaldata – any action (operation) or set of actions (operations), conducted with personal data using the automation aids, or without the use of such aids, including collection, recording, systematization, accumulation, storage, modification (updating, changing), extraction, use, transfer (distribution, provision and access), depersonalization, blocking, removing, destruction of personal data.
Blockingof personal data – the temporary suspension of personal data processing (except for the cases, when the processing is necessary for improvement of personal data).
Depersonalizationof personal data – actions, as a result of which it is impossible to determine the belonging of personal data to a specific subject of personal data without the use of additional information.
Provision of personal data - actions aimed at the disclosure of personal data to a certain group of persons in cases provided for by law.
Distributionof personal data - actions aimed at the disclosure of personal data to a certain group of persons upon prior consent in cases provided for by law.
Destruction of personal data – actions making it impossible to restore the contents of personal data in the information system of personal data and (or) as a result of which tangible media of personal data will be destroyed.
Personal data, which are made available to the general public by the personal data subject – personal data, which are made available to the general public by the personal data subject or upon his request.
Information system of personal data – the complex of personal data contained in databases, as well as information technologies and technical aids ensuring data processing.
Federal law - the Federal law No. 152-FZ “On Personal Data” dated July 27, 2006.
2. General Provisions
2.1. The Regulation on the procedure of storage and security of personal data of the Website Users (hereinafter the “Regulation”) was developed to meet the requirements of the legislation of the Russian Federation contained personal data and identifications of the Website Users.
2.2. The Regulation is developed in accordance with the Constitution of the Russian Federation, Civil Code of the Russian Federation, current legislation of the Russian Federation in the area of personal data protection. The Operator insures protection of the processed personal data against unauthorized access and disclosure, unlawful use or loss according to the requirements of the Federal law No. 152-FZ “On Personal Data” dated July 27, 2006.
2.3. The Regulation sets the processing procedure of personal data of the Website Users: actions on collection, systematization, accumulation, storage, modification (updating, changing) destruction of personal data.
2.4. The Regulation sets general requirements and rules, binding upon the Operator’s employees, involved in the maintenance of the Website, for the work with all kinds of media contained the personal data of the Users of the Website.
2.5. The Regulation does not consider the issues of the security of personal data, which are classified in accordance with the established procedure as a State secret of the Russian Federation.
2.6. Purposes of the Regulation are:
- to ensure the protection of the rights and freedoms of a human or citizen at the processing of personal data, including protection of the rights to the inviolability of his (her) private life, personal and family privacy;
- exclusion of unauthorized actions of the Operator’s staff or any third parties on collection, systematization, accumulation, storage, modification (updating, changing), destruction of personal data, other forms of an illegal interference in the information resources and local computer network of the Operator; ensuring the legal and normative regime of confidentiality of undocumented information of the Website Users; protection of constitutional rights of citizens to a personal secret, confidentiality of the data making personal data, and prevention of possible security threats of the Website Users.
2.7. Principles for the personal data processing:
- processing of personal data shall be performed on a legal and fair basis;
- processing of personal data shall be limited by achievement of specific and legal purposes, determined in advance. The processing of personal data, which is not compatible to the purposes of collection of personal data, is not allowed;
- it is not permitted to merge databases contained personal data, which processing is carried out for the purposes incompatible with each other;
- only those personal data that respond to the purposes of their processing are subject to processing;
- content and volume of the processed personal data shall comply with the specified purposes of the processing. The processed personal data shall be not excessive in respect to the specified purposes of the processing;
- processing of personal data shall be provided with the accuracy of personal data, their sufficiency and, if necessary, relevance in relation to the purposes of the personal data processing;
- storage of personal data shall be carried out not longer, than it is required by the purposes of personal data processing, provided that the time periods of personal data storage are not established by the Federal law or by the contract, in which the User is one of the parties;
- the processed personal data are subject to destruction or depersonalization after the purposes of processing are achieved or in cases, where achievement of these purposes is no longer required, unless otherwise provided by the Federal law.
2.8. Conditions for the personal data processing.
2.8.1. The processing of personal data of the Website Users is carried out on the basis of the Constitution of the Russian Federation, Civil Code of the Russian Federation, current legislation of the Russian Federation in the area of personal data protection.
2.8.2. The processing of personal data on the Website is carried out with respect to the principles and rules, specified in the Regulation and by the legislation of the Russian Federation.
2.9. Purposes for the personal data processing.
2.9.1. The processing of personal data on the Website is carried out only for the purpose of provision of an opportunity to the User to interact with the Website.
2.10. Sources of origin of personal data of Users.
2.10.1. The information source of all personal data of the User shall be directly the User.
2.10.2. The information source of personal data of the User is the information received by means of entering data into registration forms by the User.
2.10.3. Personal data of Users belong to confidential information of limited access.
2.10.4. It is not required to ensure confidentiality of personal data in case of their depersonalization, as well as with regard to personal data open to general use.
2.10.5. The Operator performs an anonymised processing of the following parameters:
-source of login to the Website and information of search query or promotional request;
-data on the User’s device (among others admission, version and other attributes specifying the User’s device);
- User’s clicking, viewing pages, filling in fields, banner and video screenings and views;
-data, characterizing audience segments;
-session parameters;
-User ID stored in a cookie-file.
2.10.6. The Operator has no right to collect and process personal data of the User about his/her race or ethnic origin, political views, religious and philosophic beliefs, private life, except for the cases provided by the Federal law of the Russian Federation.
2.10.7. The Operator has no right to collect and process personal data of the User about his/her membership in public associations or trade-union activities, except for the cases provided by the Federal law.
2.11. Methods of processing of personal data.
2.11.1. Personal data of the Website Users are processed exclusively with use of automation aids.
2.12. Right of personal data subjects (Users).
2.12.1. The User has the right to obtain data about the Operator, his location, availability of the personal data, which refer to the specified subject (User) of the personal data, as well as the right to get familiar with such personal data except for the cases provided by the part 8 of the art. 14 of the Federal law “On Personal Data”.
2.12.2. The User has the right to obtain the information from the Operator in case of a form of address made personally or upon receipt a User’s written request by the Operator concerning the processing of his/her personal data including the following:
- confirmation of the fact of personal data processing by the Operator and also purpose of such processing;
- legal grounds and purposes of personal data processing;
- purposes and methods of processing of personal data applied by the Operator;
- name and location of the Operator, the information about persons (except for employees of the Operator) who have access to personal data or to whom personal data can be disclosed in accordance with the contract concluded with the Operator or under the Federal law;
- the processed personal data relating to an appropriate subject of personal data, a source of their receiving, unless otherwise provided by the Federal law;
- periods of processing of personal data, including periods of their storage;
- the procedure for exercising the rights provided by the Federal law by the subject of personal data;
-the information on performed or assumed transborder transfer of personal data;
- denomination or surname, name, middle name and the address of the person, who performs processing of personal data on behalf of the Operator, if the processing is or will be charged to such person;
- other data stipulated by the applicable Federal law or other regulations for the protection of personal data;
- to require changing, improvement, destruction of information about himself/herself;
- to appeal to the court against illegal actions or omissions during processing of personal data and to require an appropriate compensation;
- addition of personal data of evaluation nature by the statement expressing his/her own point of view;
- to determine representatives for the protection of personal data;
- to require from the Operator the notification about all changes made by him in the personal data or exceptions of them.
2.12.3. The User has the right to appeal to the authorized body on protection of the rights of personal data subjects or to the court against acts or omissions of the Operator, if he/she considers that the Operator performs processing of his/her personal data with violation of requirements of the Federal law “On Personal Data” or otherwise violates his/her rights or freedoms.
2.12.4. The User of personal data has the right to protection of his rights and legitimate interests, including to recovery of damages and (or) compensation of moral harm in a judicial procedure.
2.13. Liabilities of the Operator.
2.13.1. Upon a personal appeal or receipt of a written request of the subject of personal data, or his representative, the Operator, if there is reason, is obliged to submit information to the extent prescribed by the Federal law within 30 days from the date of appeal or receipt of a written request. Such information should be presented to the subject of personal data in accessible form, and it should not contain personal data relating to other subjects of personal data, except if there are legal reasons for such disclosure of personal data.
2.13.2. All appeals of the subjects of personal data or their representatives should be registered in the Logbook of citizens’ (subjects’ of personal data) communications on issues of personal data processing.
2.13.3. In case of refusal to provide the subject of personal data or his representative upon an appeal or receipt of a written request with information on availability of personal data concerning the appropriate subject thereof the Operator is obliged to give the written reasoned response contained the reference to the Part 8 of Article 14 of the Federal law “On Personal Data” or other Federal law which is the basis for such refusal, within a period not exceeding 30 days from the date of appeal of the subject of personal data or his representative or from the date of receipt of a request of the subject of personal data or his representative.
2.13.4. In case of receiving a request from an authorized body on protection of the rights of the data subjects about provision of the information necessary for implementation of activities of the specified body the Operator is obliged to report such information to an authorized body within 30 days from the date of receipt of such request.
2.13.5. In case of detection of illegal processing of personal data the Operator is obliged to carry out blocking of illegally processed personal data concerning the subject of personal data upon appeal or request of this subject of personal data or his representative or authorized body on protection of the rights of the data subjects from the moment of such appeal or receipt of the request for the check-out period.
2.13.6. In case of detection of the illegal processing of personal data carried out by the Operator, the last-named is obliged to stop illegal processing of personal data within a period not exceeding three working days from the date of this detection. The Operator is obliged to report about elimination of the committed violations to the subject of personal data or his representative and, in case if an appeal of the subject of personal data or his representative or a request of an authorized body on protection of the rights of data subjects are submitted by an authorized body on protection of the rights of data subjects, - also to the mentioned body.
2.13.7. In case of achievement of the goal of personal data processing the Operator is obliged to stop the processing of personal data and to destroy personal data within a period not exceeding 30 working days from the date of achievement of the goal of personal data processing, unless otherwise provided by the contract, to which the subject of personal data is a party.
2.13.8. It is forbidden to make decisions based solely on automated processing of personal data, which produce legal consequences concerning the subject of personal data or otherwise affecting his/her rights and legitimate interests.
2.14. Confidential regime of personal data.
2.14.1. The Operator ensures the confidentiality and security of personal data during their processing according to the requirements of the law of the Russian Federation.
2.14.2. The Operator neither discloses nor distributes personal data to the third parties without the consent of the personal data subject, unless otherwise provided by the Federal law.
2.14.3. According to the list of personal data, which are to be processed at the Website, the User’s personal data are confidential.
2.14.4. The persons carrying out the processing of personal data are obliged to comply with the requirements of regulatory documents of the Operator with regard to ensuring the confidentiality and security of personal data.
3. PERSONAL DATA PROCESSING
3.1. The list of the processed personal data of Users:
- surname
- name
- father’s name
- title
- company
- sector
- region
- mobile phone
3.2. Obtaining personal data.
3.2.1. All personal data are to be obtained from the User. When the consent to personal data processing is obtained from the User’s representative, his/her authority to give such consent shall be checked by the Operator.
3.3. Persons, who have the right to access to personal data.
3.3.1. Only the persons having the respective powers according to their official duties may have access to personal data of subjects.
3.3.2. The list of persons entitled to receive personal data is approved by the General Director of the Operator.
3.4. Procedure and periods of storage of personal data on the Website.
3.4.1. The Operator provides only the storage of personal data of the User on the Website.
3.4.2. Periods of storage of personal data: from the moment of data provision by the User till the User notifies about his/her wish to delete his/her personal data from the Website.
3.4.3. The Operator does not fulfill the processing of Users’ personal data on paper storage media.
3.5. Blocking of personal data.
3.5.1. Blocking of personal data means temporary suspension of personal data processing by the Operator upon the demand of the User, if the User detects incompliance of processed data or if the actions relating to his/her data are deemed by the personal data subject as illegal.
3.5.2. The Operator does not transfer personal data to the third parties and does not trust the third parties and organizations with processing of personal data. Personal data of the Users of the Website are processed only by Operator’s staff authorized to processing of personal data of Users in accordance with the established procedure.
3.5.3. Blocking of personal data on the Website is carried out upon the written request of the personal data subject.
3.6. Destruction of personal data.
3.6.1. Destruction of personal data means the actions making it impossible to restore the contents of personal data on the Website and (or) as a result of which tangible media of personal data will be destroyed.
3.6.2. The subject of personal data has the right to require in writing the destruction of his/her personal data if such data are incomplete, outdated, doubtful, illegally received or are not necessary for a stated purpose of processing.
3.6.3. In case of impossibility of destruction of personal data the Operator carries out blocking of such personal data.
3.6.4. Destruction of personal data is carried out by erasing of information with use of the certified software with the guaranteed destruction (according to the set characteristics for installed software with the guaranteed destruction).
4. PERSONAL DATA PROTECTION SYSTEM
4.1. Measures to ensure personal data protection during their processing.
4.1.1. During processing of personal data the Operator shall take the necessary legal, organizational and technical measures or ensure their taking to protect personal data of the User against illegal or accidental access, destruction, changing, blocking, copying, distribution and also other illegal actions with respect to personal data.
4.1.2. Assurance of personal data security can be provided for, in particular, by:
- defining security risks of personal data during their processing in the information systems of personal data;
- taking organizational and technical measures to protect personal data during their processing in the information systems of personal data necessary for the execution of requirements of personal data security;
- registering personal data media;
- detecting the facts of illegal access to personal data and taking appropriate measures;
- restoring the personal data modified or destroyed as a result of illegal access to them;
- establishing the rules of access to the personal data processed in the information system of personal data and also ensuring the registration and recording of all actions made with personal data in the information system of personal data;
- monitoring over the taken measures to ensure protection of personal data and level of security of information systems of personal data;
- assignment of the person responsible for the processing of personal data;
- setting of personal access passwords for employees to an information system according to their responsibilities;
- using of the certified antivirus software;
- training of the Operator’s staff, who directly carries out the processing of personal data, by provisions of the legislation of the Russian Federation on personal data, including requirements to the protection of personal data.
4.2. Protected information on the subject of personal data.
4.2.1. Data enabling to identifythe subject of personal data and/or to obtain additional information on this subject provided by the legislation of the Russian Federation and by this Regulation refer to the protected information on the subject of personal data on the Website.
4.3. Protected objects of personal data.
4.3.1. The following refers to theprotected objects of personal data on the Website:
- objects of computerization and technical aids of automated processing of information contained personal data;
-the information resources (databases, files, etc.) contained data on information and telecommunication systems, in which personal data are circulating, on the events, which happened to managed objects, on plans of business continuity and procedures of transition to management in emergency conditions;
- information channels, which are used for transmission of personal data in the form of the informative electrical signals and physical fields;
- the alienated information media on magnetic, magnetic and optical and other basis used to the processing of personal data.
4.3.2. Technical data on information systems and elements of system of protection the personal data to be protected includes:
- data on an access control system on computerization objects on which the processing of personal data is carried out;
- management data (configuration files, routing tables, settings of protection system, etc.);
- technical data of means of access to management systems (authentication information, keys and attributes of access, etc.);
- characteristics of information channels which are used for transmission of personal data in the form of the informative electrical signals and physical fields;
- information on means of protection of personal data, their composition and structure, principles and technical solutions of protection;
- service data (metadata) appeared when operating the software, messages and protocols of network interconnection as a result of processing of personal data.
4.4. Requirements to the protection system of personal data.
4.4.1. The system of personal data protection shall conform to the requirements established by the Decree No. 1119 of the Government of the Russian Federation “On the Approving the Requirements to Protection of Personal Data when Processing in Information Systems” dated 01 November 2012.
4.4.2. Protection system of personal data shall ensure:
- timely detection and preventing of illegal access to personal data and (or) their transmissions to persons who have not access rights to such information;
- prevention of impact on technical means of automated processing of personal data, as a result of which their functioning can be broken;
- possibility of immediate restoration of the personal data modified or destroyed due to illegal access to them;
- constant control over provision of security level of personal data.
4.5. Responsibility.
4.5.1. All employees of the Operator, who carry out the processing of personal data, are obliged to keep a secret about personal data according to the Regulation and the requirements of the legislation of the Russian Federation.
4.5.2. The persons guilty in violation of requirements of the Regulation shall bear the responsibility established by the legislation of the Russian Federation.
4.5.3. The responsible persons for personal data processing shall be responsible for the observance of the personal data regime in relation to the personal data, which are in databases of the Website.
5. FINAL PROVISIONS
5.1. In case of change of the applicable legislation of the Russian Federation or amendments to the regulatory documents on protection of personal data the present Regulation shall have effect in part not contradicting to the applicable legislation until it is brought into conformity.
5.2. The terms of the present Regulation shall be established, changed and cancelled by the Operator unilaterally without prior notice of the User. From the moment of placement on the Website of new edition of the Regulation the previous edition shall be deemed expired.
5.3. If the User does not agree with the terms of the present Regulation, then the User shall delete immediately his/her profile from the Website, otherwise continued use of this Website by the User shall constitute his/her consent to the terms of the present Regulation.
Download presentation and
learn more about us!