Personal Data Processing Policy (hereinafter the Policy)
The Policy defines the rules of the Individual Entrepreneur Fedotova Nadezhda Valerievna (hereinafter the Operator) regarding the personal data processing and discloses information on the measures to ensure the security of personal information in order to protect the rights and freedoms of a person, as well as the rights on personal privacy.
The Policy provisions are binding on all employees of the Operator who process personal data, including those who work in the branches and separate subdivisions of the Operator.
The Policy provisions are the basis for organizing work on the personal data processing by the Operator and for the development internal policies and procedures regulating the processing and protection of personal data by the Operator.
The Policy is a document with unrestricted access. To ensure the unrestricted access, the Policy is published on the Internet.
The Policy provisions are binding on all employees of the Operator who process personal data, including those who work in the branches and separate subdivisions of the Operator.
The Policy provisions are the basis for organizing work on the personal data processing by the Operator and for the development internal policies and procedures regulating the processing and protection of personal data by the Operator.
The Policy is a document with unrestricted access. To ensure the unrestricted access, the Policy is published on the Internet.
The Policy
The purpose of personal data processing
Conducting statistical and marketing research
Granting access to the data subject to the services, information and/or materials on the Operator's website, improving the quality of the Operator's website, its ease of use for website users, developing new services
Providing answers to inquiries, questions, claims, complaints
Conducting statistical and marketing research
Granting access to the data subject to the services, information and/or materials on the Operator's website, improving the quality of the Operator's website, its ease of use for website users, developing new services
Providing answers to inquiries, questions, claims, complaints
Regulatory documentation
— the Constitution of the Russian Federation;
— the Federal law "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" as of 19.12.2005 No. 160-FZ
— the Law of the Russian Federation "On Personal Data" as of 27.07.2006 No. 152-FZ
If the Policy provisions contradict the current legislation on personal data, the provisions of the current legislation, including the Regulatory Documents, apply.
— the Federal law "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" as of 19.12.2005 No. 160-FZ
— the Law of the Russian Federation "On Personal Data" as of 27.07.2006 No. 152-FZ
If the Policy provisions contradict the current legislation on personal data, the provisions of the current legislation, including the Regulatory Documents, apply.
The list of processed personal data
last name, first name, patronymic name, e-mail address, telephone number, the name of the organization (if such data is provided by the data subject)
IP address, cookie data, information about the browser of the data subject, technical characteristics of the hardware and software used by the data subject, date and time of access to the Operator's website, addresses of the requested pages
last name, first name, patronymic name, e-mail address, telephone number, address (if such data is provided by the data subject)
last name, first name, patronymic name, e-mail address, telephone number, the name of the organization (if such data is provided by the data subject)
IP address, cookie data, information about the browser of the data subject, technical characteristics of the hardware and software used by the data subject, date and time of access to the Operator's website, addresses of the requested pages
last name, first name, patronymic name, e-mail address, telephone number, address (if such data is provided by the data subject)
Purposes of anonymized data processing
Internet statistics services can be used to analyze cookies of personal data subjects, to collect and process statistical information about the use of the Operator's services and also to ensure their operability in general or individual functions in particular. Technical parameters of the counters are determined by the Operator and may change without prior notification to the subjects of personal data
1. General provisions
The Operator
Individual entrepreneur Fedotova Nadezhda Valerievna
OGRNIP (Primary State Registration Number of the Sole Proprietor) 320100100013842, TIN 100123054760
Address for correspondence: 119334, Moscow, 43/9 Leninsky Prospekt, apt. 15.
Email: info@nfarchstudio.com
OGRNIP (Primary State Registration Number of the Sole Proprietor) 320100100013842, TIN 100123054760
Address for correspondence: 119334, Moscow, 43/9 Leninsky Prospekt, apt. 15.
Email: info@nfarchstudio.com
Requests to the Operator
Requests from data subjects regarding the processing of their personal data by the Operator are accepted at the address of the Operator.
Data subjects can send their request, signed with a qualified electronic signature, to the Operator's email address info@nfarchstudio.com (which can also be used to send information, materials and other notifications).
Data subjects can send their request, signed with a qualified electronic signature, to the Operator's email address info@nfarchstudio.com (which can also be used to send information, materials and other notifications).
Website of the Operator
Personal data
Operator's official website is https://nfarchstudio.com/ This Policy is a document with unlimited access. To ensure the unlimited access, the Policy is published on the Operator's official website.
any information directly or indirectly related to an identifiable person (data subject).
Automated personal data processing
Personal data processing using computer technology
Personal data blocking
A temporary cessation of personal data processing (unless the processing is required to update personal data)
Personal data information system
A collection of personal data stored in the databases as well as hardware and software used for its processing
Depersonalization of the personal data
Actions that make it impossible to determine whether personal data belongs to a specific User or other personal data subject without using additional information
Personal data processing
Any operations performed on the personal data (whether those operations are automated or not). Common types of personal data processing include (but are not limited to) collecting, recording, organizing, structuring, storing, modifying, consulting, using, publishing, combining, erasing, and destroying data.
Personal data allowed for the distribution by the subject
Personal data, access of an unlimited number of persons to which is granted by the data subject by giving their consent to the personal data processing.
Personal data provision
Actions aimed at revealing personal data to a certain person or persons.
Distribution of personal data
Actions aimed at disclosure of personal data to an indefinite circle of persons, including disclosure of personal data in the media, distribution in information and telecommunication networks or providing access to personal data in any other way.
Cross-border transfer of personal data
Transfer of the personal data to a foreign state, to an authority of a foreign state, to a foreign individual or a foreign legal entity.
Destruction of personal data
The process of making personal data inaccessible, non-retrievable and re-useable in any way as a result of which software and hardware of personal data are destroyed.
— lawfulness and fairness of processing
— limiting the processing of personal data by achieving specified, explicit and legitimate purposes;
— not further processing in a manner that is incompatible with those purposes;
— not merging of databases containing personal data, the processing of which is carried out for purposes that are incompatible;
— processing only personal data that meet the purposes;
— compliance of the content and volume of the processed personal data with the declared purposes of processing;
— preventing the processing of personal data that is excessive to the stated purposes of processing;
— ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of processing personal data;
— destruction or depersonalization of personal data upon reaching the goals of its processing or in no need to achieve these goals, if the Operator cannot eliminate the committed violations of personal data, unless otherwise provided by federal law.
— limiting the processing of personal data by achieving specified, explicit and legitimate purposes;
— not further processing in a manner that is incompatible with those purposes;
— not merging of databases containing personal data, the processing of which is carried out for purposes that are incompatible;
— processing only personal data that meet the purposes;
— compliance of the content and volume of the processed personal data with the declared purposes of processing;
— preventing the processing of personal data that is excessive to the stated purposes of processing;
— ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of processing personal data;
— destruction or depersonalization of personal data upon reaching the goals of its processing or in no need to achieve these goals, if the Operator cannot eliminate the committed violations of personal data, unless otherwise provided by federal law.
Principles of personal data processing
2. Principles and conditions of the processing of personal data
The Operator can process personal data in at least one of the following conditions:
— processing of personal data is possible only with the consent of the data subject to the processing of his or her personal data. The Operator processes the personal data of the data subject only filled out through special forms on the Operator's website. By filling out the forms, the data subject expresses the consent to this Policy;
— the processing of personal data is necessary to achieve the goals by an international treaty of the Russian Federation or the law, to fulfill the functions and responsibilities assigned to the Operator by the legislation of the Russian Federation;
— the processing of personal data is necessary for the administration of justice, the execution of a judicial act, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
— personal data processing is necessary for the performance of an agreement, the party of which is the data subject who is also either the beneficiary or the guarantor;
— personal data processing is necessary to represent legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of the data subject are not violated;
— processing of personal data to protect the life, health or other vital interests of the data subject or the life, health or other vital interests of other persons and obtaining the consent of the data subject is not possible;
— processing of personal data is carried out by an unlimited circle of persons to whom the data subject granted permission (hereinafter publicly available personal data);
— processing of personal data subject to publication or mandatory disclosure in accordance with the law.
— processing of personal data is possible only with the consent of the data subject to the processing of his or her personal data. The Operator processes the personal data of the data subject only filled out through special forms on the Operator's website. By filling out the forms, the data subject expresses the consent to this Policy;
— the processing of personal data is necessary to achieve the goals by an international treaty of the Russian Federation or the law, to fulfill the functions and responsibilities assigned to the Operator by the legislation of the Russian Federation;
— the processing of personal data is necessary for the administration of justice, the execution of a judicial act, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
— personal data processing is necessary for the performance of an agreement, the party of which is the data subject who is also either the beneficiary or the guarantor;
— personal data processing is necessary to represent legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of the data subject are not violated;
— processing of personal data to protect the life, health or other vital interests of the data subject or the life, health or other vital interests of other persons and obtaining the consent of the data subject is not possible;
— processing of personal data is carried out by an unlimited circle of persons to whom the data subject granted permission (hereinafter publicly available personal data);
— processing of personal data subject to publication or mandatory disclosure in accordance with the law.
Conditions for personal data processing
The Operator and other persons who have gained access to personal data do not disclose it to third parties and do not distribute personal data without the consent of the data subject, unless otherwise not provided for by federal law.
Confidentiality of personal data
For the purpose of information supply, the Operator may create publicly available sources of personal data, including address books.
Publicly available sources of personal data, with the written consent of the data subject, may include his or her last name, first name, patronymic name, date and place of birth, contact phone numbers, e-mail address and other personal data shared by the data subject.
Information about the data subject is excluded from public sources of personal data any time at the request of the data subject, the authorized body for the protection of the rights of data subjects, or by a judicial decision.
Publicly available sources of personal data, with the written consent of the data subject, may include his or her last name, first name, patronymic name, date and place of birth, contact phone numbers, e-mail address and other personal data shared by the data subject.
Information about the data subject is excluded from public sources of personal data any time at the request of the data subject, the authorized body for the protection of the rights of data subjects, or by a judicial decision.
Public sources of personal data
The Operator processes special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life on the following conditions:
— the data subject has consented in writing to the processing of his or her personal data;
— personal data is made publicly available by data subjects;
— personal data is processed in accordance with the law on state social assistance, labor legislation, legislation of the Russian Federation on state pension provision;
— the personal data processing is necessary to protect the life, health or other vital interests of the data subject or the life, health or other vital interests of other persons and it is impossible to obtain the consent of the data subject;
— the personal data processing is necessary to establish the rights of the data subject or the third parties, and to administer justice;
— personal data is processed in accordance with the law on compulsory types of insurance and insurance legislation;
Special categories of personal data are processed in cases provided for in paragraph 4 of Art. 10 of the Federal Law "On Personal Data", and terminates immediately if the reasons due to which they were processed have been eliminated, unless otherwise provided by federal laws;
Personal data on criminal record can be processed by the Operator exclusively in cases and in the manner determined in accordance with federal laws.
— the data subject has consented in writing to the processing of his or her personal data;
— personal data is made publicly available by data subjects;
— personal data is processed in accordance with the law on state social assistance, labor legislation, legislation of the Russian Federation on state pension provision;
— the personal data processing is necessary to protect the life, health or other vital interests of the data subject or the life, health or other vital interests of other persons and it is impossible to obtain the consent of the data subject;
— the personal data processing is necessary to establish the rights of the data subject or the third parties, and to administer justice;
— personal data is processed in accordance with the law on compulsory types of insurance and insurance legislation;
Special categories of personal data are processed in cases provided for in paragraph 4 of Art. 10 of the Federal Law "On Personal Data", and terminates immediately if the reasons due to which they were processed have been eliminated, unless otherwise provided by federal laws;
Personal data on criminal record can be processed by the Operator exclusively in cases and in the manner determined in accordance with federal laws.
Special categories of personal data
Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a person, which allow or confirm the unique identification of that person, can be processed by the Operator only with the written consent of the data subject.
Biometric personal data
The operator ensures the collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval of personal data of the Russian Federation citizens using databases located on the territory of the Russian Federation, except for the cases specified in paragraphs. 2, 3, 4, 8 Сhapter 1 Article 6 of the Federal Law "On Personal Data".
Processing of personal data of the Russian Federation citizens
The operator is convinced that the foreign state where the transfer of personal data is transfered, provides adequate protection of the rights of the data subjects.
Cross-border transfer of personal data on the territory of foreign states,
that do not provide adequate protection of the rights of the data subjects, may be proceeded in the following cases:
— availability of a written consent of the data subject to the cross-border transfer of his or her personal data; performance of an agreement to which the subject of personal data is a party.
Cross-border transfer of personal data on the territory of foreign states,
that do not provide adequate protection of the rights of the data subjects, may be proceeded in the following cases:
— availability of a written consent of the data subject to the cross-border transfer of his or her personal data; performance of an agreement to which the subject of personal data is a party.
Cross-border transfer of personal data
— receive information regarding the processing of his or her personal data in the manner, form and terms established by law;
— request clarification of their personal data, its blocking or destruction;
— take measures provided by law to protect their rights;
— withdraw the consent to the personal data processing;
— other rights provided by the legislation on personal data.
— request clarification of their personal data, its blocking or destruction;
— take measures provided by law to protect their rights;
— withdraw the consent to the personal data processing;
— other rights provided by the legislation on personal data.
The rights of the data subject
3. Legal status of the Operator and the data subject
— process the personal data of the data subject in accordance with the stated purpose;
— request the data subject to provide reliable personal data necessary for the execution of the contract, identification of the data subject, as well as in other cases under the Law;
— limit the access of the data subject to his or her personal data if the access violates the rights and legitimate interests of the third parties, as well as in other cases under the legislation of the Russian Federation;
— process publicly available personal data of individuals;
— process personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation;
— process personal data without the consent of the data subject in cases under the Law;
— entrust the processing of personal data to another person with the consent of the data subject;
— other rights provided by the legislation on personal data.
— request the data subject to provide reliable personal data necessary for the execution of the contract, identification of the data subject, as well as in other cases under the Law;
— limit the access of the data subject to his or her personal data if the access violates the rights and legitimate interests of the third parties, as well as in other cases under the legislation of the Russian Federation;
— process publicly available personal data of individuals;
— process personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation;
— process personal data without the consent of the data subject in cases under the Law;
— entrust the processing of personal data to another person with the consent of the data subject;
— other rights provided by the legislation on personal data.
The rights of the Operator
The Operator processes the personal data of subjects (including, but not limited to the users of the Operator's website, potential and actual clients of the Operator) in order to conduct its activities in accordance with the legislation of the Russian Federation and the constituent documents of the Operator:
4. Purposes of personal data processing and the list of processed personal data
5. Collection and processing of anonymized data about the Operator's website visitors
The Operator's website collects and processes anonymized data about visitors of the website using Internet statistics services (Yandex Metrics, Google Analytics and others). Anonymous data that is automatically transmitted to the Operator's website in the process of their use with the help of the software installed on the device of the data subject includes an IP address, cookie data, browser information (or other program with which access to the site), technical characteristics of the hardware and software, the date and time of access to the Operator's website, the addresses of the requested pages and other similar information.
Processing of anonymized technical data
Subject's consent to the anonymized technical data processing
The operator processes anonymized data about the data subject if it is allowed in the user's browser settings (saving cookies and use of JavaScript technology is enabled). The data subject of the Operator's website is aware that the equipment and software used to visit sites on the Internet have the function of prohibiting operations with cookies (for any sites or for certain sites), as well as deleting previously received cookies.
Cookie files
The structure of the cookie file, its content and technical parameters are determined by the Operator's website and may change without prior notice to the data subject.
6. List of actions with personal data and a general description of the methods used for personal data processing
The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (provides accesses) to the third parties (including organizations involved in the process of providing services to the state and municipal authorities under the law), depersonalizes, blocks, deletes, destructs personal data.
When carrying out these actions, the Operator processes personal data by entering it into an electronic database, including it in the lists, registers and reporting forms, both by using automation tools and without using them.
Personal data is not distributed to an indefinite circle of persons.
When carrying out these actions, the Operator processes personal data by entering it into an electronic database, including it in the lists, registers and reporting forms, both by using automation tools and without using them.
Personal data is not distributed to an indefinite circle of persons.
7. Termination of personal data processing
The Operator processes personal data for the period for which the consent is granted.
Duration of personal data processing
Withdrawal of the consent to the processing of personal data by the data subject is possible at any time by sending a written application marked "Withdrawal of the consent to the processing of personal data". The application must be sent to the Operator's email address info@nfarchstudio.com or by postal address: 119334, Moscow, 43/9 Leninsky Prospect, apt. 15. In the application the data subject must indicate last name, first name, patronymic name, address, passport details. The application must be signed.
Withdrawal of the consent for the personal data processing
The data subject may update inaccuracies in personal data by sending a notification marked "Updating personal data" to the Operator by e-mail address or postal address.
Personal data update
The operator will stop processing personal data during the period of time necessary to complete mutual settlements between the parties upon the receipt of the withdrawal application. Upon termination of the personal data processing, personal data is destroyed by the Operator without the possibility of its recovery.
Termination of the personal data processing
In case of withdrawal of the consent, the Operator has the right to continue processing personal data without the consent of the data subject if there are grounds specified in subparagraphs 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of the Federal Law "On personal data".
Continuation of the personal data processing without consent
8. Ensuring the fulfillment of the Operator's obligations for the protection of personal data
The Operator stores personal data in a form that allows determining the data subject no longer than required by the purposes of personal data processing, if the period for personal data storage is not established by federal law, an agreement to which the data subject is a party, a beneficiary or a guarantor.
The condition for the personal data processing termination can be the the achievement of the purposes of personal data processing, the expiration or withdrawal of the consent by the data subject, as well as the exposure of the unlawful personal data processing.
If personal data is processed in an automated way, the Operator destroys it by erasing from the database. If personal data is processed in a non-automated way, it can be destroyed by burning, grinding, chemical decomposition (by the choice of the Operator in each specific case).
The condition for the personal data processing termination can be the the achievement of the purposes of personal data processing, the expiration or withdrawal of the consent by the data subject, as well as the exposure of the unlawful personal data processing.
If personal data is processed in an automated way, the Operator destroys it by erasing from the database. If personal data is processed in a non-automated way, it can be destroyed by burning, grinding, chemical decomposition (by the choice of the Operator in each specific case).
— appointing a person responsible for organizing of the personal data processing;
— appointing a person responsible for ensuring measures for the safety of personal data and the exclusion of unauthorized access to it;
— appointing a person responsible for ensuring the security of personal data in information systems;
— limiting the number of persons who process personal data;
— familiarization of data subjects with the requirements of federal legislation and regulatory documents of the Operator for the personal data processing and protection;
— arrangement of accounting, storage and circulation of the devices containing information with personal data; — determination of the threats to the security of personal data during its processing, the formation of threat models based on it;
— development of a personal data protection system based on the threat model;
— verification of the readiness and effectiveness of the information security tools;
— delimitation of a user access to information resources, software and hardware means of information processing;
— registration and accounting of the actions by the users of information systems of personal data;
— use of anti-virus tools and means of restoring the personal data protection system;
— application, if necessary, of firewalls, intrusion detection, security analysis and cryptographic information protection;
— organization of access control to the Operator's territory, protection of premises with technical means for personal data processing;
— other measures under the Articles 18.1 and 19 of the Federal Law "On Personal Data".
— appointing a person responsible for ensuring measures for the safety of personal data and the exclusion of unauthorized access to it;
— appointing a person responsible for ensuring the security of personal data in information systems;
— limiting the number of persons who process personal data;
— familiarization of data subjects with the requirements of federal legislation and regulatory documents of the Operator for the personal data processing and protection;
— arrangement of accounting, storage and circulation of the devices containing information with personal data; — determination of the threats to the security of personal data during its processing, the formation of threat models based on it;
— development of a personal data protection system based on the threat model;
— verification of the readiness and effectiveness of the information security tools;
— delimitation of a user access to information resources, software and hardware means of information processing;
— registration and accounting of the actions by the users of information systems of personal data;
— use of anti-virus tools and means of restoring the personal data protection system;
— application, if necessary, of firewalls, intrusion detection, security analysis and cryptographic information protection;
— organization of access control to the Operator's territory, protection of premises with technical means for personal data processing;
— other measures under the Articles 18.1 and 19 of the Federal Law "On Personal Data".
Duration of personal data processing
9. Period and order of storage. Destruction of personal data when the purposes of its processing are achieved.
The security of personal data processed by the Operator is ensured by the implementation of legal, organizational and technical measures necessary to meet the requirements of federal legislation on personal data protection.
The purpose of the personal data processing, the list of personal data and the list of actions with personal data that the data subject gives consent to, a general description of the methods used by the Operator for personal data processing, the period during which the consent is valid, the procedure for storage and destruction are specified in the specific consents published on the Operator's website.
10. Final provisions
The purpose of personal data processing
Conducting statistical and marketing research
Providing access to the services information and / or materials on the Operator's website to the personal data owner, improving the quality of the Operator's website, the using convenience of the website for its users, developing new services
Providing answers to requests, claims and complaints
Conducting statistical and marketing research
Providing access to the services information and / or materials on the Operator's website to the personal data owner, improving the quality of the Operator's website, the using convenience of the website for its users, developing new services
Providing answers to requests, claims and complaints
Other rights and obligations of the Operator on the personal data processing are determined by the legislation of the Russian Federation in the personal data field.
The policy regarding the personal data processing comes into force from the moment it is approved by the Operator.
The Operator has the right to revise this Policy. When making changes the heading of the Policy indicates the date of the last revision. The new version of the Policy comes into force from the moment it is published on the website, unless otherwise is provided by the new version of the Policy.
The Operator's order specifies the person responsible for the implementation of the Policy.
The policy regarding the personal data processing comes into force from the moment it is approved by the Operator.
The Operator has the right to revise this Policy. When making changes the heading of the Policy indicates the date of the last revision. The new version of the Policy comes into force from the moment it is published on the website, unless otherwise is provided by the new version of the Policy.
The Operator's order specifies the person responsible for the implementation of the Policy.