Personal data processing policy
(hereinafter – the Policy)
1. General provisions
The Policy
The Policy establishes the rules of Sole Proprietor Nadezhda V. Fedotova (hereinafter – the Operator) regarding the processing of personal data and discloses information on the measures implemented by the Operator to ensure the security of personal data in order to protect the rights and freedoms of individuals and citizens in the processing of their personal data, as well as to protect the rights to personal and family privacy and the inviolability of private life.
The provisions of the Policy are mandatory for all employees of the Operator engaged in personal data processing, including those working in the Operator’s branches and separate subdivisions.
The provisions of the Policy serve as the basis for organizing the Operator’s work related to personal data processing and for developing internal local regulations governing the processing and protection of personal data by the Operator.
The Policy is a publicly accessible document. To ensure unrestricted access, the Policy is published on the Internet.
Regulatory Documents
Constitution of the Russian Federation;
Federal Law No. 160-FZ of December 19, 2005 “On the Ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”;
Federal Law No. 152-FZ of July 27, 2006 “On Personal Data”.
If the provisions of this Policy conflict with the applicable personal data legislation, the provisions of the applicable legislation, including the above Regulatory Documents, shall apply.
Operator
Sole Proprietor Nadezhda V. Fedotova
Primary State Registration Number of the Individual Entrepreneur (OGRNIP) 320100100013842, Taxpayer Identification Number (INN) 100123054760
Mailing address: 119334, Moscow, Leninsky Prospekt, 43, Bldg. 9, Apt. 15
Email: info@nfarchstudio.com
Submitting Requests to the Operator
Requests from personal data subjects regarding the processing of their personal data by the Operator shall be accepted at the Operator’s address.
Personal data subjects may also submit their request, signed with an enhanced qualified electronic signature, to the Operator’s email address info@nfarchstudio.com (also used for receiving information, materials, and other notifications).
Operator’s Website
The official website of the Operator: https://nfarchstudio.com/
This Policy is a publicly accessible document. To ensure unrestricted access, the Policy is published on the Operator’s official website.
Personal Data (PD)
Any information relating directly or indirectly to an identified or identifiable individual (personal data subject).
Automated Processing of PD
Processing of personal data using computing technology.
Blocking of PD
Temporary suspension of the processing of personal data (except where processing is necessary for clarification of personal data).
Personal Data Information System
A set of personal data contained in databases and the information technologies and technical means ensuring their processing.
Depersonalization of PD
Actions that make it impossible, without the use of additional information, to determine whether personal data belong to a specific personal data subject.
Processing of PD
Any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data.
Personal Data Allowed by the Subject for Distribution
Personal data to which access is provided to an unlimited number of persons by the personal data subject by giving consent to the processing of personal data permitted by the subject for distribution in the manner prescribed.
Provision of Personal Data
Actions aimed at disclosing personal data to a specific person or a specific group of people.
Distribution of Personal Data
Actions aimed at disclosing personal data to an indefinite number of people (transfer of personal data) or at making personal data available to an unlimited number of persons, including publication of personal data in mass media, posting in information and telecommunication networks, or providing access to personal data by any other means.
Cross-Border Transfer of Personal Data
Transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual, or a foreign legal entity.
Destruction of Personal Data
Actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of physical media containing personal data.
2. Principles and Conditions of Personal Data Processing
Principles of Personal Data Processing:
legality and fairness;
limitation of personal data processing to the achievement of specific, pre-defined, and lawful purposes;
prohibition of personal data processing incompatible with the purposes for which the data were collected;
prohibition of combining databases containing personal data processed for purposes that are mutually incompatible;
processing only those personal data that correspond to the purposes of their processing;
ensuring that the content and volume of processed personal data correspond to the declared purposes of processing;
prohibition of processing personal data that are excessive in relation to the declared purposes of processing;
ensuring the accuracy, sufficiency, and relevance of personal data with respect to the purposes of processing;
destruction or depersonalization of personal data upon achievement of the purposes of processing or in case of loss of necessity for achieving such purposes, or if violations of personal data cannot be corrected by the Operator, unless otherwise provided by federal law.
Conditions of Personal Data Processing
The Operator processes personal data if at least one of the following conditions is met:
personal data processing is carried out with the consent of the personal data subject. The Operator processes personal data of the subject only if the data are provided through special forms located on the Operator’s website. By completing these forms, the personal data subject expresses consent to this Policy;
processing of personal data is necessary to achieve purposes provided by an international treaty of the Russian Federation or federal law, or for the performance of functions, powers, and obligations imposed on the Operator by the legislation of the Russian Federation;
processing of personal data is necessary for the administration of justice, execution of a judicial act, act of another authority or official, enforceable under the laws of the Russian Federation on enforcement proceedings;
processing of personal data is necessary for the execution of a contract to which the personal data subject is a party, beneficiary, or guarantor, or for concluding a contract at the initiative of the personal data subject, or a contract under which the subject will be a beneficiary or guarantor;
processing of personal data is necessary for the protection of the rights and legitimate interests of the Operator or third parties, or to achieve socially significant purposes, provided that the rights and freedoms of the personal data subject are not violated;
processing of personal data is necessary to protect the life, health, or other vital interests of the personal data subject or of other persons, and obtaining the subject’s consent is impossible;
processing of personal data is carried out when the personal data are made publicly available by the subject or at their request (hereinafter – publicly available personal data);
processing of personal data is carried out for publication or mandatory disclosure in accordance with legislation.
Confidentiality of Personal Data
The Operator and other people who have access to personal data shall not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
Public Sources of Personal Data
For informational purposes, the Operator may create publicly accessible sources of personal data of personal data subjects, including directories and address books. With written consent of the personal data subject, publicly accessible sources may include their surname, first name, patronymic, date and place of birth, contact phone numbers, email address, and other personal data provided by the subject.
Information about a personal data subject shall be removed from publicly accessible sources at any time upon the request of the subject, an authorized personal data protection authority, or by court decision.
Special Categories of Personal Data
Processing by the Operator of special categories of personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, or intimate life is allowed provided that:
the personal data subject has given written consent for the processing of their personal data as specified in this section;
the personal data have been made publicly available by the personal data subject;
processing is carried out in accordance with legislation on state social assistance, labor law, Russian legislation on state pensions, or labor pensions;
processing is necessary to protect life, health, or other vital interests of the personal data subject or other persons and obtaining consent is impossible;
processing is necessary for establishing or exercising the rights of the personal data subject or third parties, including in connection with the administration of justice;
processing is carried out in accordance with mandatory insurance legislation and insurance law.
Processing of special categories of personal data previously carried out under paragraph 4 of Article 10 of the Federal Law “On Personal Data” shall cease immediately once the reasons for processing are eliminated, unless otherwise provided by federal law.
Processing of personal data concerning criminal records may be carried out by the Operator only in cases and in the manner prescribed by federal laws.
Biometric Personal Data
Information characterizing the physiological and biological features of an individual, which allow establishing their identity – biometric personal data – may be processed by the Operator only with the written consent of the personal data subject.
Processing of Personal Data of Russian Citizens
The Operator ensures the collection, recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of Russian citizens using databases located within the territory of the Russian Federation, except in cases specified in paragraphs 2, 3, 4, and 8 of Part 1, Article 6 of the Federal Law “On Personal Data.”
Cross-Border Transfer of Personal Data
Before transferring personal data to a foreign country, the Operator ensures that the foreign state provides adequate protection of the rights of personal data subjects.
Cross-border transfer of personal data to foreign countries that do not provide adequate protection may only be carried out in the following cases:
with the written consent of the personal data subject for cross-border transfer of their personal data;
for the performance of a contract to which the personal data subject is a party.
3. Legal Status of the Operator and the Personal Data Subject
Rights of the Personal Data Subject:
to receive information regarding the processing of their personal data in the manner, form, and within the timeframes established by law;
to request clarification of their personal data, their blocking, or destruction;
to take measures provided by law to protect their rights;
to withdraw their consent to the processing of personal data;
other rights provided by the personal data legislation.
Rights of the Personal Data Operator:
to process the personal data of the subject in accordance with the declared purpose;
to require the personal data subject to provide accurate personal data necessary for the performance of a contract, identification of the personal data subject, and in other cases provided by law;
to restrict the personal data subject’s access to their personal data if such access violates the rights and legitimate interests of third parties, as well as in other cases provided by the legislation of the Russian Federation;
to process publicly available personal data of individuals;
to process personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation;
to process personal data without the consent of the personal data subject in cases provided by law;
to delegate personal data processing to another party with the consent of the personal data subject;
other rights provided by the personal data legislation.
4. Purposes of Personal Data Processing and List of Processed Personal Data
The Operator processes the personal data of subjects (including, but not limited to, users of the Operator’s website, potential and existing clients of the Operator) for the purposes of conducting its activities in accordance with the legislation of the Russian Federation and the Operator’s constituent documents:
Purpose of Personal Data Processing | List of Processed Personal Data |
|---|---|
Conducting statistical and marketing research; | Last name, first name, patronymic, email address, phone number, as well as the name of the organization (if such data is provided by the personal data subject); |
Providing the personal data subject with access to the Operator’s services, information, and/or materials available on the Operator’s website, improving the website’s performance and user experience, and developing new services; | IP address, cookie data, information about the personal data subject’s browser, technical characteristics of the hardware and software used by the personal data subject, date and time of access to the Operator’s website, addresses of requested pages; |
Providing responses to requests, inquiries, claims, and complaints. | Last name, first name, patronymic, email address, as well as phone number and address (if such data is provided by the personal data subject). |
5. Collection and Processing of Anonymized Data on Visitors to the Operator’s Website
Processing of Anonymized Technical Data
The Operator’s website collects and processes anonymized data on visitors using web analytics services (Yandex.Metrica, and others). The anonymized data automatically transmitted to the Operator’s website during its use via the software installed on the personal data subject’s device include IP address, cookie data, browser information (or other software used to access the website), technical characteristics of the equipment and software used by the personal data subject, date and time of access to the Operator’s website, addresses of requested pages, and other similar information.
Purpose of Processing Anonymized Data
Web analytics services may be used to analyze personal data subjects’ cookies, collect and process statistical information on the use of the Operator’s services, and ensure the functionality of these services as a whole or of individual features. The technical parameters of the counters are determined by the Operator and may be changed without prior notice to the personal data subjects.
Consent of the Subject for Processing Anonymized Technical Data
The Operator processes anonymized data about the personal data subject if this is allowed in the user’s browser settings (cookie storage enabled and JavaScript technology used). Visitors to the Operator’s website acknowledge that the equipment and software they use to access websites on the Internet have the ability to block cookie operations (for all websites or for specific websites) and to delete previously received cookies.
Cookies
The structure, content, and technical parameters of cookies are determined by the Operator’s website and may be changed without prior notice to the personal data subject.
6. List of Actions with Personal Data and General Description of Methods Used for Personal Data Processing
The Operator collects, records, systematizes, accumulates, stores, updates (modifies, amends), extracts, uses, transfers (provides, grants access to) personal data to third parties (including organizations involved in the provision of services, state and municipal authorities in the manner established by law), anonymizes, blocks, deletes, and destroys personal data.
When performing these actions, the Operator processes personal data by entering them into an electronic database, including them in lists, registries, and reporting forms, using automation tools and without their use.
The transfer of personal data to an undefined circle of persons does not occur.
7. Termination of Personal Data Processing
Term of Personal Data Processing
The Operator processes personal data for the period for which consent to process personal data has been granted.
Withdrawal of Consent to Personal Data Processing
A personal data subject may withdraw their consent to the processing of personal data at any time by sending a written statement of withdrawal marked “Withdrawal of Consent to Personal Data Processing.” The statement must be sent to the Operator’s email address: info@nfarchstudio.com or by postal mail to: 119334, Moscow, Leninsky Prospekt, 43, building 9, apt. 15. The statement must include the subject’s full name, address, and passport details and must be signed.
Updating Personal Data
If inaccuracies are found in the personal data, the data subject may update them independently by sending a notification to the Operator’s email or postal address with the note “Personal Data Update.”
Timeframe for Termination of Personal Data Processing
The Operator will terminate the processing of personal data within the period required to complete mutual settlements between the parties for relationships arising prior to the withdrawal request. Upon termination of personal data processing, the personal data are destroyed by the Operator without the possibility of recovery.
Continuation of Personal Data Processing without Consent
In case of withdrawal of consent, the Operator has the right to continue processing personal data without the subject’s consent if there are grounds specified in paragraphs 2–11 of Part 1, Article 6; Part 2, Article 10; and Part 2, Article 11 of the Federal Law “On Personal Data.”
8. Ensuring the Fulfillment of the Operator’s Obligations and Measures for Personal Data Protection
The security of personal data processed by the Operator is ensured through the implementation of legal, organizational, and technical measures necessary to meet the requirements of federal legislation on personal data protection.
Organizational and Technical Measures Applied by the Operator to Prevent Unauthorized Access to Personal Data
Appointment of a person responsible for organizing personal data processing;
Appointment of a person responsible for ensuring measures to maintain the confidentiality of personal data and prevent unauthorized access;
Appointment of a person responsible for ensuring the security of personal data in information systems;
Restriction of the circle of persons allowed to process personal data;
Familiarization of data subjects with the requirements of federal legislation and the Operator’s regulatory documents on personal data processing and protection;
Organization of accounting, storage, and handling of media containing personal data;
Identification of threats to the security of personal data during processing and development of threat models based on them;
Development of personal data protection systems based on the threat model;
Verification of readiness and effectiveness of the use of information protection tools;
Differentiation of user access to information resources and hardware/software tools for information processing;
Registration and accounting of user actions in personal data information systems;
Use of antivirus tools and systems for restoring the personal data protection system;
Application, if necessary, of firewalls, intrusion detection systems, vulnerability analysis tools, and cryptographic protection tools;
Organization of controlled access to the Operator’s premises and security of facilities with technical means for personal data processing;
Other measures provided for by Articles 18.1 and 19 of the Federal Law “On Personal Data.”
9. Duration and Procedure of Storage. Destruction of Personal Data Upon Achievement of Processing Purposes
The Operator stores personal data in a form that allows the identification of the data subject no longer than required for the purposes of personal data processing, unless the storage period is established by federal law, or by a contract, of which the data subject is a party, beneficiary, or guarantor.
The termination of personal data processing may occur upon the achievement of the processing purposes, the expiration of the data subject’s consent, the withdrawal of consent by the data subject, or upon detection of unlawful personal data processing.
If personal data is processed in an automated manner, the Operator destroys it by erasing/deleting it from the database. If personal data is processed in a non-automated manner, it may be destroyed by the Operator through incineration, shredding (grinding), or chemical decomposition (to be determined by the Operator in each specific case).
10. Final Provisions
The purpose of personal data processing, the list of personal data for which the data subject gives consent, the list of actions with personal data for which consent is granted, a general description of the processing methods used by the Operator, the duration of the data subject’s consent, as well as the procedure for storage and destruction, are specified in the individual consents for personal data processing, which are posted on the Operator’s website:
Purpose of Personal Data Processing | Consent |
|---|---|
Conducting statistical and marketing research; | Consent to the processing of personal data for conducting research and surveys; |
Providing the personal data subject with access to the Operator’s website services, information, and/or materials, improving the quality of the Operator’s website, enhancing its usability for users, and developing new services and features; | Consent to the processing of personal data of the Website User and the use of cookies; |
Providing responses to requests, inquiries, claims, and complaints. |
Other rights and obligations of the Operator in connection with the processing of personal data are determined by the legislation of the Russian Federation on personal data.
The Personal Data Processing Policy comes into effect from the moment it is approved by the Operator.
The Operator has the right to make amendments to this Policy. When changes are made, the title of the Policy shall indicate the date of the latest revision. The new version of the Policy comes into effect from the moment it is published on the website, unless otherwise specified by the new version of the Policy.
The person responsible for monitoring compliance with the Policy is appointed by an order of the Operator.