PERSONAL DATA PROTECTION AND PROCESSING POLICY


1. GENERAL PROVISIONS


1.1. The purpose of the Personal Data Protection and Processing Policy (hereinafter referred to as the Policy) is to provide LLC «Rasario» (hereinafter referred to as the 'Company') the process of processing of personal data (hereinafter also ‘PD') in accordance with the norms and principles of the current federal legislation.

1.2. The Policy applies to all business processes of the Company and is mandatory for implementation by all employees of the Company.

1.3. The General Director of the Company is the person responsible for organizing the processing of personal data.


2. DEFINITIONS


2.1. Personal data - any information related directly or indirectly to a certain or determined individual (subject of personal data);

2.2. Operator - a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) implementing the personal data processing, as well as defining the purposes of personal data processing, the composition of the personal data that is to be processed, the actions (operations) performed with personal data;

2.3. Personal data processing - any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including gathering, recording, systematization, accumulation, storage, updating (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;

2.4. Automated personal data processing - processing of personal data by means of computer facilities;

2.5. Personal data dictribution - actions aimed at disclosing personal data to an undetermined number of persons;

2.6. Personal data provision - actions aimed at disclosing personal data to a specific person or a certain group of persons;

2.7. Personal data blocking - temporary termination of personal data processing (except for cases when processing is necessary for specification of personal data);

2.8. Personal data destruction - actions that result in the impossibility to restore the contents of data in the personal data information system and (or) as a result of which material data carriers of personal data are destroyed;

2.9. Personal data depersonalization - actions, as a result of which it becomes impossible to determine the belonging of personal data to a specific subject of personal data without using additional information;

2.10. Personal data information system - a set of personal data contained in databases and providing its processing of information technologies and technical means;

2.11. Machine carrier - a magnetic disk, a magnetic tape, a laser disk and other material carriers used for recording and storing information with the help of electronic computers.

 

3. PRINCIPLES AND CONDITIONS FOR PROCESSING PD


3.1. PD Processing in the Company is strictly performed in accordance with the following principles:

PD Processing is implemented on a legal and fair basis.

PD Processing is limited to the achievement of specific, pre-defined and legitimate purposes.

The content and volume of processed PD correspond to the stated processing objectives, the Company does not process excess personal data.

The processing ensures the accuracy of the PD, its sufficiency, and, if necessary, the relevance to the purposes of personal data processing.

Processed PD is destroyed upon achievement of processing objectives or in case of a loss of the need to achieve the objectives, unless otherwise provided by federal law.

3.2. The Company may include PD of persons in the publicly available sources of PD, in so doing the Company takes the written consent of the person to process his/her PD.

3.3. The company does not process PD related to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.

3.4. Biometric PD (information that characterizes the physiological and biological characteristics of a person on the basis of which it is possible to identify the person and which are used by the operator to identify the PD subject) are not processed by the Company.

3.5. The company does not operate the cross-border transfer of PD.

3.6. In cases stipulated by the legislation of the Russian Federation, the Company has the right to transfer PD to third parties (the federal tax service, the state pension fund, other state bodies) in cases provided for by the legislation of the Russian Federation.

3.7. The Company has the right to entrust processing of PD of PD entities to third parties on the basis of a contract concluded with the persons.

3.8. Persons processing the PD on the basis of the contract concluded with the Company (instructions of the operator) are obliged to comply with the principles and rules of PD processing and protection, stipulated by the Law.

3.9. In order to fulfill the requirements of the current legislation of the Russian Federation and contractual obligations of the Company, the PD processing in the Company is performed both with and without use of automation facilities, i.e. mixed processing of PD.

3.10. Decisions that generate legal consequences on the basis of automated PD processing in the Company are not made. Otherwise, the consent of PD subjects is necessary.

3.11. The PDD processing in the Company should be implemented with the consent of the PD subject, unless such consent is required or on behalf of the Company, in cases when the Company is not the operator of the PD subjects.

3.12. The consent to the PD processing shall satisfy the following requirements:

- the consent of the subject must be obtained freely, according to the will of the subject and in his/her interests;

- the consent must be given by the subject of the PD in any form that allows to confirm the fact of its receipt.

3.13. Terms of PD processing (storage) are determined based on the objectives of PD processing, in accordance with the term of the agreement with the PD subject, the requirements of federal laws, the requirements of PD operators, on behalf of which the Company implements PD processing, the basic rules of archives of organizations, the limitation period.

3.14. PD, which period of processing (storage) has expired, must be destroyed, unless otherwise provided by the federal law. Storage of PD after the termination of its processing is allowed only after their depersonalization.

 

4. LEGAL GROUNDS AND OBJECTIVES FOR PD PROCESSING


4.1. The PD processing and securing safety in the Company is implemented in accordance with the requirements of the Constitution of the Russian Federation, the Law of Labor Code of the Russian Federation, by-laws and other federal laws of the Russian Federation defining cases and specifics of PD processing, guidelines and methodological documents of FSTEC of Russia and the FSS of Russia.

4.2. Subjects of PD processed by the Company are:

- candidates for vacant positions;

- employees of the Company, relatives of the employees of the Company, within the limits determined by the legislation of the Russian Federation, if information about them is provided by the employee;

- persons who are members of the Company's management bodies and who are not employees;

- individuals with whom the Company enters into civil law contracts;

- Representatives of legal entities - counterparties of the Company;

- participants of loyalty programs;

- customers - consumers, incl. visitors of the sites owned by the Company: rasarioatelier.com, (hereinafter referred to as the "Sites") including for the purpose of ordering and subsequent delivery to the customer;

- customers - subscribers to the newsletters.

4.3. The company implements the processing of PD of subjects for the following purposes:

implementation of functions, powers and duties imposed on the Company in accordance with the legislation of the Russian Federation, powers and duties in accordance with federal laws including but not limited to: the Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, Federal Law dated April 1, 1996, No. 27-FL 'On Individual (Personalized) Accounting in the Mandatory Pension Insurance System', Federal Law No. 152-FL dated July 27, 2006 'On Personal Data' Federal Law No. 53-FL dated March 28, 1998 'On Military Duty and Military Service', Federal Law No. 31-FL dated February 26, 1997 'On Mobilization Preparation and Mobilization in the Russian Federation', Federal Law dated February 8, 1998 No. 14-FL 'On Limited Liability Companies', Federal Law No. 2300-1 dated February 7, 1992 'On Protection of Consumer Rights', Federal Law No. 129-FL dated November 21, 1996 'On accounting', the Federal Law dated November 29, 2010, № 326-FL 'On compulsory medical insurance in the Russian Federation', as well as PD operators, charter and local regulations of the Company.

Of employees for the following purposes:

Compliance with labor, tax and pension legislation of the Russian Federation, namely:

- assistance to employees in employment, training and promotion;

- payroll processing;

- organization of business trips of employees;

- registration of powers of attorney (including for representation of the Company's interests in front of third parties);

- ensuring personal safety of employees;

- control of the quantity and quality of work;

- maintenance of property safety;

- compliance with the access regime in the premises of the Company;

- accounting of working hours;

of candidates for vacant positions for the following purposes:

- making a decision on the possibility of concluding an employment contract with persons applying for vacancies;

Persons who are members of the Company's management bodies that are not employees, with a view to:

- fulfillment of requirements provided for by legislation, incl. mandatory disclosure of information, audit, verification of the possibility of making transactions, including transactions with interest and/or major transactions.

Counterparties-individuals for the following purposes:

- conclusion and implementation of a contract, one of which parties is a physical person;

- consideration of opportunities for further cooperation.

Representatives of legal entities-counterparties of the Company for the following purposes:

- negotiation, conclusion and implementation of contracts that provide the PD of employees of such a legal entity for the purposes of implementing the agreement in various areas of the Company's economic activities.

Participants of bonus loyalty programs for the following purposes:

- providing information on goods, ongoing actions, the state of the personal account;

- Identification of the participant in the loyalty program; ensuring the procedure for accounting of the accumulation and use of bonuses;

- fulfillment by the Company of its obligations under the loyalty program.

Customers-consumers for the following purposes:

- providing information on goods/services, ongoing actions and special offers;

- analysis of the quality of the services provided by the Company and improvement of the quality of service to the Company's customers;

- informing about the status of the order;

- implementation of the contract, incl. contract of sale, incl. concluded remotely on Sites, paid services provision;

- delivery of the ordered goods to the customer who made an order on the Sites, return of the goods.

Customers subscribers of the online magazine aizeMag for the following purposes:

- subscriptions to the newsletters.

4.4. The company can process personal data of customers received online - on the Internet (Sites, mobile applications, social networks, e-mail), offline stores (boutiques), points of sale, events (by filling in registration forms), as well as when calling in call centers (customer support centers).

 

5. RIGHTS AND DUTIES OF PD SUBJECTS


5.1. The entity whose PD is processed by the Company has the following rights:

- receive information from the Company concerning the processing of their PD (including the confirmation of the fact of the PD processing, legal grounds, purposes of processing, terms of processing, storage time, name and address of the person processing the PD on behalf of the Company, if the processing is entrusted or will be entrusted to such person, other information provided for by Federal Law No. 152-FL dated July 27, 2006 'On Personal Data');

- require the Company to clarify their PD, its blocking or destruction if the PD is incomplete, obsolete, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, and also take legal measures to protect their rights;

- withdraw their consent to the PD processing at any time.

5.2. The information is provided to the subject of PD on the basis of the request. The request should contain the number of the main identity document of the PD or their representative, information on the date of issue of the document and the body that issued it, information confirming the participation of the subject of the PD in relations with the Company, or information otherwise confirming the fact that the PD was processed by the Customer, the signature of the subject or their representative.

5.3. The request can be sent to the address of the company's location: Russian Federation, 127051, Moscow, Petrovka st.,16, room 45, in the form of an electronic document and signed by an electronic signature in accordance with the legislation of the Russian Federation.

 

6. RIGHTS AND OBLIGATIONS OF THE COMPANY


6.1. The company during the PD processing is obliged:

- to provide the subject of PD, at his request, with information regarding of his/her PD processing, or legally provide a refusal within thirty days from the date of receipt of the request of the subject of PD or his/her representative;

- take the necessary legal, organizational and technical measures or ensure their adoption to protect the PD from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of the PD, as well as other illegal actions against the PD;

- publish on the Internet and provide unrestricted access using the Internet to the document that defines its policy regarding the PD processing, to information on the current requirements for the PD protection;

- give to the subject of PD and/or their representatives the opportunity to get acquainted with the Data when applying with the request within 30 days from the date of receipt of such request;

- to block illegaly processed PD related to the PD subject, or block them (if the processing of the PD is performed by another person acting on behalf of the Company) from the time of application or receipt of the request for the verification period, in case an illegal PD processing is detected when the PD subject applies or his/her representative, or on request, to a PD subject or his representative, or an authorized body for the protection of the rights of PD entities;

- clarify the PD, or ensure their clarification (if the processing of the PD is implemented by another person acting on behalf of the Company) within 7 working days from the date of submission of information and to remove the PD blocking, in case of confirmation of the inaccuracy of the PD on the basis of the information submitted by the PD subject or his/her representative;

- to terminate improper PD processing or ensure that the person who acts on behalf of the Company stops the improper PD processing in case an improper PD processing by the Company or a person acting on the basis of an agreement with the Company is detected, within a period not exceeding 3 business days from the date of such detection;

- to terminate the PD processing or ensure its termination (if the PD processing is performed by another person acting on the basis of an agreement with the Company) and destroy the PD or ensure its destruction (if the PD processing is performed by another person acting on the basis of an agreement with the Company) when the objectives of the PD processing are achieved, unless otherwise provided by an agreement, to which the PD subject is a party, the beneficiary or guarantor, in case of achieving the objectives of the PD processing;

- to terminate the PD processing or ensure its termination and destroy PD or ensure its destruction in case the subject of PD withdraws consent to the PD processing, if the Company is not entitled to process PD without the consent of the subject of PD;

- to keep a register of records of PD subjects' requests, in which the requests of the PD subjects to receive PD should be recorded, as well as the facts of submitting the PD for these requests.

 

7. ENSURING THE SAFETY OF PD DURING ITS PROCESSING


7.1. When processing the PD, the Company takes the necessary legal, organizational and technical measures to protect the PD from unauthorized and/or accidental access, destruction, changing, blocking, copying, providing, distributing of the PD, as well as from other illegal actions against the PD.

7.2. Such measures in accordance with the Law, in particular, include:

- the appointment of a person responsible for the organization of the PD processing and the person responsible for ensuring the safety of the PD;

- the development and approval of local acts on the issues of the PD processing and protection;

- the applying of legal, organizational and technical measures to ensure PD safety:

- identification of threats to the safety of PD while its processing in the information systems of personal PD;

- the applying of organizational and technical measures to ensure the safety of PD while its processing in PD information systems required to fulfill the requirements for PD protection, the implementation of which is ensured by the levels of security of the PD established by the Government of the Russian Federation;

- the use of information protection means that have undergone the procedure of conformity assessment;

- the evaluation of the effectiveness of the measures taken to ensure the PD safety before the commissioning of the PD information system;

- the registration of PD machine carriers, if the PD is stored on machine carriers;

- the detection of the facts of unauthorized access to Data and taking measures to prevent similar incidents in the future;

- the restoration of PD, modified or destroyed due to unauthorized access to it;

- the establishment of rules for accessing Data processed in the PD information system, as well as ensuring registration and recording of all actions performed with Data in the PD information system;

- the control over the measures taken to ensure the PD safety and the level of security of PD information systems;

- the assessment of the harm that can be caused to PD subjects in case of violation of the requirements of the Law, the ratio of the harm and measures taken by the Company aimed at ensuring the fulfillment of the duties stipulated by the Law;

- the compliance with conditions that preclude unauthorized access to PD material carriers and ensure the safety of the PDN;

- the familiarize employees of the Company directly processing the PD with the provisions of the legislation of the Russian Federation on PD, including requirements for the PD protection, local acts on the PD processing and protection, and training employees of the Company.

7.3. Requirements for PD processing on material carriers:

Employees performing PD processing on material carriers must be informed about PD categories, features and rules for PD processing before processing.

An employee of the Company is responsible for storing and destroying material carriers with PDDs with which he works.

PD processed on material carriers, should be stored separately from other information.

Storage of material carries with PD is implemented only if there is a valid consent of the PD subject to the processing of the PD or the current agreement to which the PD subject is a party.

The Company maintains CVs and questionnaires for candidates for vacant positions, regardless of whether the candidate is employed or not. The storage of CVs and questionnaires can only be implemented with the consent of the candidate to process his/her PD, with the indicating the validity of the consent. In cases of expiration of the PD processing period or the PD subject requirement for PD destruction, CVs and questionnaires are destroyed using a shredder.

Storage of material carries with PD in open access in the work premises of the Company's divisions and on the tables of employees is allowed only during the working day, under the personal responsibility of the employee. At the end of work with the material carrier, the employee must remove the material carrier in the lockable cabinet assigned to the employee, or in the cabinet of the direct supervisor. Access to the cabinets should be limited to a list of persons with access to the PD.

In case the term of the PD processing expires, the employee performs the destruction of PD paper carriers using a shredder without issuing an act of destruction.

7.4. The audit is performed independently by each employee in relation to the material carriers of the PD with which he works. During the audit, should be identified PD paper carriers, which are not required for employees to continue their work duties.

7.5. Employees of the Company gain access to the PD only in the extent necessary to fulfill their duties.

 

8. RESPONSIBILITY FOR VIOLATIONS OF THE RULES GOVERNING THE PD PROCESSING


8.1. Ensuring the confidentiality of PD processed by the Company is a mandatory requirement for all employees who have become aware of PD, due to both work activities, and by accident or error.

8.2. Employees are personally responsible for compliance with the requirements for PD processing and safety established in the Company.

8.3. In cases of violation of the established procedure for processing and ensuring the safety of PD, unauthorized access to PD, disclosure of PD and the infliction of material or other damage to the company, its employees, customers and counteragents, the responsible persons are liable under the current legislation of the Russian Federation.

 

9. FINAL PROVISIONS


9.1. The Policy is a local regulatory act of the Company. The Policy is public. The general availability of the Policy is ensured by publishing it on the Sites, placing it in stores (boutiques) and on a network drive accessible to all employees of the Company.

9.2. The Policy may be revised due to a change in the provisions of the current legislation or by decision of the Company.