1.1. This Personal Data Processing Policy of Volna Hotel LLC (hereinafter referred to as the “Operator”), INN (Taxpayer Identification Number) 5256043997, located at the address: 98, prospekt Lenina, Nizhny Novgorod, 603004, has been developed in accordance with the requirements of clause 2 of Part 1 of Article 18.1 of Federal Law dated 27 July 2006 No. 152-FZ “On Personal Data” (hereinafter referred to as the “Law on Personal Data”) in order to ensure the protection of human and civil rights and freedoms upon personal data processing, including protection of the right to personal and family privacy.
1.2. The Policy applies to all personal data processed by the Operator.
1.3. The Policy applies to relationships in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.
1.4. In accordance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Internet information and telecommunications network on the Operator’s website www.volnahotel.ru.
1.5. The following main terms are used in the Policy:
personal data — any data related directly or indirectly to an identified or identifiable individual (data subject);
personal data operator (operator) — a government agency, municipal authority, legal entity or individual that independently or jointly with other persons organizes and/or performs processing of personal data, as well as defines the purposes of personal data processing, composition of personal data to be processed, actions (operations) to be performed with personal data;
personal data processing — any act (operation) or set of acts (operations) performed upon personal data, whether or not by automatic means. Personal data processing includes, inter alia:
- collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data.
automated personal data processing — personal data processing using means of computer technology;
distribution of personal data — actions aimed at disclosing personal data to an indefinite range of persons;
provision of personal data — actions aimed at disclosing personal data to a certain person or a certain scope of persons;
personal data blocking — suspension of personal data processing (except when such processing is required for the personal data rectification);
personal data destruction — actions making impossible the personal data recovery in the personal data information system and/or aimed at destruction of tangible media containing the personal data;
personal data anonymization — actions making impossible attribution of the personal data to particular data subject without the additional information;
personal data information system — an aggregate of personal data contained in databases and information technologies and hardware which allow for such personal data processing;
cross-border transfer of personal data — transfer of the personal data to the territory of a foreign state, to foreign government authority, foreign individual or foreign legal entity.
1.5 Basic rights and obligations of the Operator:
1.5.1. Volna Hotel LLC, as an operator of personal data, shall have the right to:
independently determine the composition and list of measures necessary and sufficient to ensure the performance of obligations provided for by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided for by the Law on Personal Data or other federal laws;
delegate processing of personal data to another person with the consent of the data subject, unless otherwise provided for by federal law, on the basis of an agreement entered into with such person. The person processing personal data on behalf of the Operator shall be obliged to comply with the principles and rules for processing personal data provided for by the Law on Personal Data, maintain the confidentiality of personal data, and take the necessary measures aimed at ensuring the performance of the obligations provided for by the Law on Personal Data;
in the event that the data subject withdraws consent to the processing of personal data, the Operator shall have the right to continue processing personal data without the consent of the data subject if there are grounds specified in the Law on Personal Data.
1.5.2. The Operator shall:
organize the processing of personal data in accordance with the requirements of the Law on Personal Data;
respond to the requests of data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
report to the authorized body for the protection of the rights of data subjects (Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor)) at the request of this body the necessary information within 10 business days from the date of receipt of such a request. This period may be extended, but not more than by five business days. For this purpose, the Operator must send a reasoned notice to Roskomnadzor indicating the reasons for extending the deadline for providing the requested information;
in the manner determined by the federal executive body authorized in the field of security, ensure interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing it about computer incidents that resulted in the unlawful transfer (provision, distribution, access) of personal data.
1.5.3 The Operator shall not take decisions that give rise to legal consequences in relation to the data subjects or otherwise affect their rights and legitimate interests, based on exclusively automated processing of their personal data.
1.6 Rights and obligations of data subjects
1.6.1 In order to protect its personal data stored in the Company, the data subject shall have the right to:
receive information regarding the processing of its personal data, except as otherwise provided for by federal laws. The information is provided to the data subject by the Operator in an accessible form, and it should not contain personal data related to other data subjects, unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
require from the Operator to clarify its personal data, block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated processing purpose, and also take measures prescribed by law to protect its rights;
give prior consent to the processing of personal data in order to promote goods, works and services on the market;
appeal to Roskomnadzor or in court against illegal actions or inaction of the Operator when processing its personal data.
1.6.2 Obligations of the Operator’s employees regarding personal data:
in cases provided for by law or contract, transfer to the Company reliable documents containing personal data;
not provide false personal data, and in case of changes in personal data, errors or inaccuracies in them (surname, place of residence, etc.), immediately inform the Operator about it.
1.7. Control over compliance with the requirements of this Policy shall be carried out by an authorized person responsible for organizing the processing of personal data by the Operator.
1.8. Responsibility for violation of the requirements of the laws of the Russian Federation and regulations of Volna Hotel LLC in the field of processing and protection of personal data shall be determined in accordance with the laws of the Russian Federation.
2. PURPOSES OF PERSONAL DATA COLLECTION
2.1 The personal data processing shall be limited to certain predefined legal purposes. The personal data that is incompatible with the purposes of collecting personal data may not be processed.
2.2. Only personal data which serve the purposes of their processing may be processed.
2.3. Personal data shall be processed for the purposes of:
2.3.1. Carrying out activities in accordance with the Articles of Association of Volna Hotel LLC, including:
Carrying out activities of the hotel with the restaurant;
Identification of persons with whom an agreement for the provision of hotel services is concluded;
Registration of citizens at the place of stay at the hotel;
Compliance with the requirements of the laws of the Russian Federation in the field of migration registration.
Concluding and performing contracts with counterparties
2.3.2 enforcement of labour legislation within the framework of labour and other directly related relations, including: assistance to employees in finding employment, obtaining education and promotion, attracting and selecting candidates for work with the Operator, ensuring the personal safety of employees, monitoring the quantity and quality of work performed, ensuring the safety of property, maintaining personnel and accounting records, filling out and submitting the required reporting forms to the authorized bodies, organizing individual (personalized) registration of employees in the systems of compulsory pension insurance and compulsory social insurance;
2.3.3. Enforcing court orders, other authorities’ or officials’ orders subject to enforcement in accordance with the laws of the Russian Federation on enforcement proceedings;
2.4 The Operator shall process personal data of clients, Operator’s employees and other data subjects who are not in an employment relationship with the Operator in accordance with the following principles:
2.4.1 personal data shall be processed lawfully and equitably;
2.4.2 personal data processing shall be limited to certain predefined legal purposes. The personal data that is incompatible with the purposes of collecting personal data may not be processed;
2.4.3 databases containing personal data processed for incompatible purposes may not be integrated;
2.4.4 only personal data which serve the purposes of their processing can be processed;
2.4.5 the content and scope of the processed personal data correspond to the stated purposes of processing. The personal data subject to processing should not be redundant in relation to the stated purposes of their processing;
2.4.6 personal data processed shall be accurate, sufficient and, in specific cases, up-to-date as regards the processing purposes. The Company shall take the necessary measures or ensure their adoption to remove or clarify incomplete or inaccurate personal data;
2.4.7 personal data shall be stored so that a data subject is identified for the period necessary to achieve a personal data processing purpose, unless the period of their storage is stipulated by federal law or agreement a party to which or beneficiary or guarantor under which is the data subject;
2.4.8 processed personal data shall be destructed or depersonalized once a processing purpose has been achieved or if the processing is no longer required, unless otherwise stipulated by federal law.
2.5. The employees’ personal data processing may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.2.5.员工个人数据的处理仅可用于确保遵守法律和其他监管法律行为的目的。
3. LEGAL GROUNDS FOR PERSONAL DATA PROCESSING
3.1 The Policy for processing personal data in the Company shall be determined in accordance with the following regulatory legal acts:
Constitution of the Russian Federation;
Labour Code of the Russian Federation;
Civil Code of the Russian Federation;
Tax Code of the Russian Federation,
Federal Law dated 06 December 2011 No. 402-FZ “On Accounting”;
Federal Law dated 18 July 2006 No. 109-FZ “On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation”;
Federal Law “On Military Duty and Military Service” dated 28 March 1998 No. 53-FZ;
Federal Law No. 167-FZ dated 15 December 2001 “On Compulsory Pension Insurance in the Russian Federation”;
Decree of the Government of the Russian Federation dated 09 October 2015 No. 1085 “On Approval of the Rules for the Provision of Hotel Services in the Russian Federation”;
Federal Law dated 18 July 2006 No. 109-FZ “On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation”;
Law of the Russian Federation dated 25 June 1993 No. 5242-1 “On the Right of Citizens of the Russian Federation to Freedom of Movement and Choice of Place of Stay and Residence Within the Russian Federation”;
Decree of the Government of the Russian Federation dated 10 May 2010 No. 310 “On Approval of the Rules for Transmitting Information on the Arrival at the Place of Stay and Departure from the Place of Stay of Foreign Citizens and Stateless Persons Using Communication means included in the telecommunication network”;
Decree of the Government of the Russian Federation dated 17 July 1995 No. 713 “On Approval of the Rules for Registration and Deregistration of Citizens at the Place of Stay and Place of Residence”;
Decree of the Government of the Russian Federation dated 15 January 2007 No. 9 “On Procedure for Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation”;
Personal data subject`s consent to their processing.
Articles of Association of Volna Hotel LLC
other regulatory legal acts of the Russian Federation and regulatory documents of authorized government bodies, as well as local regulatory acts of the Operator on the processing of personal data.
3.2 In order to implement the provisions of the Policy, the Company has developed relevant local regulations and other documents, including:
Regulation on Personal Data in Volna Hotel LLC;
Regulation on the Processing of Personal Data of Employees of Volna Hotel LLC;
Instruction on the Procedure for Registering Guests in Volna Hotel LLC by Employees of the Reception and Servicing Department;
Regulation on the Arrangement and Performance of Works to Ensure the Personal Data Security During Their Processing in ISPD;
- other local regulations and documents regulating the processing of personal data in the Company.
4. EXTENT AND CATEGORIES OF PERSONAL DATA SUBJECT TO PROCESSING, CATEGORIES OF DATA SUBJECTS
4.1 The extent of personal data processed in the Company shall be specified in accordance with the Russian Federation laws and local regulations of the Operator, taking into account the purpose of personal data processing specified in Section 2 of this Policy. The personal data subject to processing should not be redundant in relation to the stated purposes of their processing.
4.2 The Company shall not process special categories of personal data, related to race, ethnical identity, political opinions, religious or philosophic beliefs, intimacy. The Company shall not process biometric personal data.
4.3 The Company shall process personal data of the following categories of subjects:
Individuals (clients) when checking into the hotel, potential clients, website users;
candidates, employees, relatives of employees, persons who previously had an employment relationship with the Operator, persons in the Operator’s personnel reserve, individuals under civil contracts;
counterparties – individuals, representatives and employees of counterparties (legal entities).
4.3.1 The extent of personal data subject to processing of persons checking into the hotel:
Surname, name, patronymic, date, place of birth, sex, citizenship, address, identity document, telephone number. For foreign citizens, the type, series, issue number of the document determining the right to stay in the Russian Federation is filled in: visa, residence permit, registration of temporary stay, information from the migration card: series, number, checkpoint, purpose of arrival in the Russian Federation, duration of stay, date of border crossing and address of previous stay in the Russian Federation.
The purposes of processing personal data of persons checking into the hotel:
Carrying out activities of the hotel with the restaurant;
Identification of persons with whom an agreement for the provision of hotel services is concluded;
Registration of citizens at the place of stay;
Compliance with the requirements of the laws of the Russian Federation in the field of migration registration.
Upon check-in to the hotel, a “Contract – Registration Card” is concluded with the client, which contains provisions that the client consents to the processing of his/her personal data.
Processing methods: non-automated, combined.
Processing period: within three (3) years from the end of the guest’s stay, unless a different period is established by law.
Storage period: until destruction in accordance with clause 6.5. of this Policy.
Procedure for destruction: in accordance with clause 6.5. of this Policy.
The procedure for processing personal data of these subjects shall be determined in accordance with the internal regulatory documents of the Operator, regulating activities for the implementation of statutory objectives, and the legislation of the Russian Federation.
4.3.2. The extent and procedure for processing personal data of users of the hotel website: www.volnahotel.ru:
Reservations on the website www.volnahotel.ru are made using the online reservation software service (module on the website) “TravelLine”. When confirming the reservation, the Guest consents to the processing of his/her personal data, and also agrees with the user agreement and privacy policy of “TravelLine”.
Scope of processed personal data of the site client:
Surname, name, patronymic, telephone number, e-mail address, citizenship, dates for room reservation, time of check-in and check-out. When paying by bank card – bank card details.
When visiting the site, even if a reservation is not made, the Operator may collect certain information, such as the browser used, IP address number, operating system type, location, pages viewed. The information received is not associated with the data you leave on the Site. It is impossible to establish the user’s identity using automatically obtained data.
Purposes of personal data processing of the site users:
Reservation: The Operator collects and uses personal data to process the Guest’s requests, make a reservation, for quick and high-quality advice on clarifying or changing the reservation, for other actions directly related to the reservation and the exercise of the Guest’s right to hotel services.
Other services provided by the hotel the Operator, in addition to providing hotel services, shall provide a number of other services (catering, banquets, etc.).
Bonuses and suggestions. The information provided by the Guest can be used to create exclusive personal suggestions and accrue points for bonus programs.
Marketing. The Operator may use the provided contact information to send news, ongoing offers and special suggestions (with the Guest’s consent to receive such information). The website and the form of the contract – registration card provide for obtaining the Guest’s consent to send news, information on offers and special suggestions. Familiarization with the Policy does not constitute consent to the distribution of the above materials and is received by the hotel only if the Guest performs certain actions when reserving a room on the Site (check the box: “I agree to receive information on special suggestions and hotel news by e-mail and SMS” and/or when filling out the Contract – registration card issued to him/her upon check-in). If the Guest refuses to send newsletters or fails to tick this box, the Guest’s e-mail address will be immediately removed from the list of recipients (mailing list). These actions (removal from the mailing list) by the hotel shall be carried out immediately, on the basis of a written application received from the Guest with a request to stop processing his/her personal data from the date of receipt of such an application by the hotel, and the Guest shall have the right to refuse the hotel’s processing of his/her data in whole or in part. To select personalized advertising, automatically received data, cookies, as well as information that the Guest left on the website www.volnahotel.ru can be used.
Improving the quality of service in the hotel. After check-out, a letter may be sent to the Guest asking him/her to reflect on his/her impressions of the hotel.
Processing methods: non-automated, combined.
Processing period: during the validity period of the consent to processing.
Storage period: until destruction in accordance with clause 6.5. of this Policy.
Procedure for destruction: in accordance with clause 6.5. of this Policy.
The Guest’s bank card data is subject to unconditional deletion no later than 10 days from the date of check-out.
Employees of the Hotel’s Reception and Servicing Department and the Sales Office are allowed to process the personal data of site visitors.
4.3.3. Scope of processed personal data of the Operator’s employees:
The Company shall process the following categories of personal data of employees:
Date, month, year of birth; place of birth; sex; citizenship; INN; SNILS (Individual insurance account number); address (place of residence, place of registration), education, profession; subdivision; position; identification document details; military registration data; information on disability (yes/no); family status; information on family members (degree of relationship, full name, date of birth); income; employment history; payroll account number.
The purposes of processing personal data of the Operator’s employees:
personnel records; accounting of employees’ working hours; payroll of employees; tax accounting; military accounting; provision of regulated reporting to state bodies; mandatory and voluntary medical insurance for employees; reservations and payment of tickets and hotel rooms to employees; archival storage of data; assistance to the employee in employment, training, use of various benefits.
Receipt and processing of personal data of the Operator’s employee must be carried out exclusively for the above purposes.
The received personal data necessary to achieve the above purposes is reflected in the employee’s personal file in accordance with the requirements of labour legislation and the Operator’s internal regulations governing personnel records management and accounting.
Processing methods: non-automated, combined.
Processing time: in accordance with legal requirements.
Storage period: until destruction in accordance with clause 6.5. of this Policy.
Procedure for destruction: in accordance with clause 6.5. of this Policy.
4.3.4 Personal data of individuals under civil contracts, counterparties – individuals and representatives and employees of counterparties (legal entities).
surname, name, patronymic; date and place of birth; passport data; address of registration at the place of residence; contact details; position held; individual taxpayer number; settlement account number; other personal data provided by clients and counterparties (individuals) necessary for the conclusion and execution of contracts.
The purposes of processing personal data of these subjects:
implementation of the statutory objectives of the Operator;
carrying out transactions in accordance with the laws of the Russian Federation.
Processing methods: non-automated, combined.
Processing period: during the validity period of contracts and three (3) years from the date of termination, unless a different period is established by law.
Storage period: until destruction in accordance with clause 6.5. of this Policy.
Procedure for destruction: in accordance with clause 6.5. of this Policy.
4.4. The composition of personal data for each of the categories of subjects listed in clause 4.3. of this Policy shall be determined in accordance with the regulatory documents listed in section 3, as well as the regulatory documents of the Operator issued to ensure their implementation.
4.5. In cases provided for by applicable laws, the data subject makes a decision on provision of his/her personal data to the Company and provides a consent to processing thereof of own free will and volition and for his/her own benefit.
4.6. The Operator shall ensure that the content and volume of processed personal data correspond to the stated purposes of processing and, if necessary, take measures to eliminate their redundancy in relation to the stated purposes of processing.
4.7. The Processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which his/her identity can be established) shall be carried out in accordance with the laws of the Russian Federation.
5. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING
5.1. Personal data shall be processed by the Operator in accordance with the requirements of the laws of the Russian Federation.
5.2. Personal data shall be processed with the consent of the data subjects for the processing of their personal data, as well as without it in cases provided for by the laws of the Russian Federation.
5.3. The Operator shall process personal data for each purpose of their processing in the following ways:
non-automated personal data processing;
automated personal data processing with or without transfer of the obtained information via information and telecommunications networks;
combined personal data processing.
5.4. Employees of the Operator whose job responsibilities include personal data processing shall be allowed to process personal data.
5.5. Personal data for each processing purpose specified in clause 2.3 of the Policy shall be processed by:
obtaining of personal data in oral or written form directly from the data subjects;
entering of personal data into logs, registers and information systems of the Operator;
using other methods of personal data processing.
5.6. Disclosure to third parties and dissemination of personal data without the consent of the data subject is not permitted, unless otherwise provided by federal law. Consent to the processing of personal data authorized by the data subject for distribution shall be issued separately from other consents of the data subject to the processing of his/her personal data.
Requirements for the content of consent to the processing of personal data authorized by the data subject for distribution are approved by Roskomnadzor Order No. 18 dated 24 February 2021.
5.7. The transfer of personal data to the bodies of inquiry and investigation, to the Federal Tax Service, the Social Fund of Russia and other authorized executive authorities and organizations shall be made in accordance with the requirements of the laws of the Russian Federation.
5.8. The Operator makes necessary legal arrangements, takes organizational measures and engineering controls to protect personal data against unauthorized or accidental access thereto, destruction, modification, blocking, distribution and other unauthorized actions, including:
identifies threats to the security of personal data during their processing;
adopts local regulations and other documents regulating relations in the field of processing and protection of personal data;
appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
creates the necessary conditions for working with personal data;
organizes recording of documents containing personal data;
organizes work with information systems in which personal data is processed;
stores personal data under conditions that ensure their safety and prevent unauthorized access to them;
organizes training for the Operator’s employees processing personal data.
5.9. The Operator shall store personal data in a form that allows identifying the data subject for no longer than required by each purpose for processing personal data, unless the storage period for personal data is established by federal law or agreement.
5.9.1. Personal data in hard copy form shall be stored at Volna Hotel LLC for the periods of storage of documents for which these periods are provided for by the legislation on archival affairs in the Russian Federation (Federal Law dated 22 October 2004 No. 125-FZ “On Archival Affairs in the Russian Federation”, List of standard management archival documents generated in the process of activities of state bodies, local governments and organizations, indicating their storage periods (approved by Order of the Federal Archival Agency of Russia dated 20 December 2019 No. 236)).
5.9.2. The storage period for personal data processed in personal data information systems corresponds to the storage period for personal data in hard copy form.
5.10. The Operator shall stop processing personal data in the following cases:
the fact of their illegal processing is revealed. Term – within three business days from the date of detection;
the purpose of their processing has been achieved;
the validity period has expired or the consent of the data subject to the processing of the specified data has been withdrawn, when, according to the Law on Personal Data, the processing of such data is allowed only with consent.
5.11. Once the personal data processing purposes have been achieved or data subject has withdrawn consent to personal data processing, the Operator stops processing this data, unless:
otherwise provided by the agreement a party to which or beneficiary or guarantor under which is a data subject;
the Operator is entitled to process personal data without a data subject`s consent, on the grounds stipulated by the Law on Personal Data or any other federal laws;
otherwise provided by any other agreement between the Operator and a data subject.
5.12. When a data subject applies to the Operator with a request to stop personal data processing within a period not exceeding 10 business days from the date the Operator receives the corresponding request, the personal data processing is terminated, except for cases provided for by the Law on Personal Data. This period may be extended, but not more than five business days. For this purpose, the Operator must send a reasoned notice to the data subject indicating the reasons for extending the deadline.
5.13. Upon personal data collection, including using the Internet, the Operator shall ensure recording, classification, accumulation, storage, rectification (updating, modification), extraction of personal data of the Russian Federation citizens using the databases located in the Russian Federation, except for cases specified in the Law on Personal Data.
6. UPDATE, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA
6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, shall be provided by the Operator to the data subject or his/her representative within 10 business days from the date of application or receipt of the request of the data subject or his/her representative. This period may be extended, but not more than by five business days. For this purpose, the Operator should send a reasoned notice to the data subject indicating the reasons for extending the deadline for providing the requested information.
The information provided does not include personal data related to other data subjects, except for the cases if there are legal grounds for disclosure of such personal data.
The request shall include:
number of the primary ID of the data subject or his/her representative, date of issue of the said document and issuing authority;
information confirming participation of the data subject in relations with the Operator (contract number, date of the contract, conditional verbal designation and (or) other information) or information otherwise confirming the fact of personal data processing by the Operator;
signature of the data subject or his/her representative.
The request may be sent in the form of electronic document and signed with electronic signature in accordance with the Russian Federation laws.
The Operator shall provide the information specified in Part 7 of Article 14 of the Law on Personal Data to the data subject or his/her representative in the form in which the relevant appeal or request was sent, unless otherwise specified in the appeal or request.
If the appeal (request) of the data subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data, or the subject does not have the rights of access to the requested information, a substantiated refusal shall be sent to him/her.
The right of the data subject to access his/her personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the access of the data subject to his/her personal data violates the rights and legitimate interests of third parties.
6.2. If inaccurate personal data is detected when the data subject or his/her representative is appealed, or at their request or at the request of Roskomnadzor, the Operator shall block personal data related to this data subject from the moment of such appeal or receipt of such request for the verification period, if the blocking of personal data does not violate the rights and legitimate interests of the data subject or third parties.
If the fact of inaccuracy of personal data is confirmed, the Operator, based on the information provided by the data subject or his/her representative or Roskomnadzor, or other necessary documents, shall clarify the personal data within seven business days from the date of submission of such information and remove the blocking of personal data.
6.3. If unlawful processing of personal data is detected upon an appeal (request) from the data subject or his/her representative or Roskomnadzor, the Operator shall block unlawfully processed personal data relating to this data subject from the moment of such appeal or receipt of the request.
6.4. If the Operator, Roskomnadzor or another interested party identifies the fact of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data), resulting in a violation of the rights of data subjects, the Operator:
within 24 hours – notifies Roskomnadzor of the incident, of the expected reasons, resulting in violation of the rights of data subjects, and the expected harm caused to the rights of data subjects, of the measures taken for elimination of the consequences of the incident, and also provides information on the person authorized by the Operator to interact with Roskomnadzor with regard to the issues related to the incident;
within 72 hours – notifies Roskomnadzor of the results of the internal investigation of the identified incident and provides information on the persons whose actions caused it (if any).
6.5. Procedure for Personal Data Destruction by the Operator.
6.5.1. Conditions and terms of destruction of personal data by the Operator:
achieving the purpose of processing personal data or losing the need to achieve this purpose – within 30 days;
achieving the maximum storage period for documents containing personal data – within 30 days;
provision by the data subject (his/her representative) of confirmation that personal data are illegally obtained or are not necessary for the stated purpose of processing – within seven business days;
withdrawal by the data subject of consent to the processing of his/her personal data, if their storage for the purpose of their processing is no longer required – within 30 days.
6.5.2. Once the personal data processing purposes have been achieved or data subject has withdrawn consent to personal data processing such data shall be destructed, unless:
otherwise provided by the agreement a party to which or beneficiary or guarantor under which is a data subject;
the Operator is entitled to process personal data without a subject`s consent, on the grounds stipulated by the Law on Personal Data or any other federal laws;
otherwise provided by any other agreement between the Operator and a data subject.
6.5.3. The destruction of personal data shall be carried out by a commission created by order of the general director of Volna Hotel LLC.
6.5.4. Methods for destroying personal data are established in the local regulations of the Operator.
6.6. If the Guest’s personal data held by Volna Hotel LLC is no longer effective, Volna Hotel LLC will update them at the Guest’s request. The Guest shall have the right to send such requests for updating, as well as requests for blocking and destruction of personal data to the hotel’s e-mail welcome@volnahotel.ru, or by Russian Post at the address: 98, prospekt Lenina, Nizhny Novgorod, 603004.
When sending an official request to Volna Hotel LLC, it is necessary to indicate:
∙ surname, name, patronymic;
∙ number of the primary ID of the data subject or his/her representative, date of issue of the said document and issuing authority;
∙ information confirming that the Guest used the Site or information otherwise confirming the fact of processing of personal data by Volna Hotel LLC (for example, when reserving a room directly at the hotel).
The request shall be signed by a citizen (or his/her legal representative). If the request is sent electronically, then it must be issued in the form of an electronic document in accordance with the requirements of the laws of the Russian Federation.
7. CONFIDENTIALITY OF GUESTS’ PERSONAL DATA
7.1. Information on the personal data of the guest (client) is confidential.
7.2. The Hotel shall ensure the confidentiality of personal data and shall be obliged to prevent their distribution by third parties without the consent of the guest or the presence of another legal basis.
7.3. Persons who have access to the personal data of guests shall be obliged to comply with the confidential treatment, they must be warned about the need for secrecy. In connection with non-disclosure requirements for personal information, appropriate security measures must be provided to protect data from accidental or unauthorized destruction, accidental loss, unauthorized access, modification or distribution.
7.4. All confidentiality measures in the collection, processing and storage of Clients’ personal data apply to all storage media, both paper and automated.
7.5. Non-disclosure requirement of personal data is lifted in cases of depersonalization or inclusion in publicly available sources of personal data, unless otherwise provided by law.
8. LIABILITY FOR VIOLATION OF RULES GOVERNING THE PERSONAL DATA PROCESSING
8.1. The Hotel shall be responsible for the personal information at its disposal and shall assign personal responsibility to employees for compliance with established non-disclosure requirements.
8.2. Each employee who receives for work a document containing the Client’s personal data shall bear sole responsibility for the safety of the confidential information media.
8.3. Any person may contact a Hotel employee with a complaint about a violation of this Policy. Complaints and statements regarding compliance with data processing requirements shall be considered within three days from the date of receipt.
8.4. Hotel employees shall be obliged to ensure that Clients’ requests, applications and complaints are considered at the proper level, as well as facilitate the fulfillment of the requirements of the competent authorities.
8.5 Persons guilty of violating the rules governing the receipt, processing and protection of Clients’ personal data shall bear disciplinary, administrative, civil or criminal liability in accordance with the laws of the Russian Federation.