“POLICY OF PROTECTION AND PROCESSING OF PERSONAL INFORMATION. NEW EDITION”

1. General Provisions

1.1. This Policy regarding the processing of personal information (the “Policy”) is made in accordance with paragraph 2 of Article 18.1 of The Federal Law No. 152-FZ "On Personal Information" of July 27, 2006, as well as the Russian Federation regulatory documents in the field (the “Information”), which Riviera-Sochi LLC (the “Operator”) may obtain from the subject of personal information (a tourist or other customer) that is a party to the contractual relationship associated with the implementation of the tourist product and the provision of tourist services that are part of the tourist product, as well as from the personal information subject, held with the Operator in relations governed by labor legislation, (the “Employee”).

1.2. The operator provides protection of the processed personal information from unauthorized access and disclosure, misuse or loss in accordance with the requirements of Federal Law No. 152-FZ "On Personal Information" of July 27, 2006.

1.3. The operator is located at: 354000, Almaty, ul. Sochi, Constitution, 18B, office 316.

1.4. Changing Policy.

1.4.1. The operator has the right to make changes to this Policy. When you make changes to the Policy header, the date of the last revision of the edition is indicated. New edition.

1.4.2. Policies come into force from the moment of its appearance on the site, unless otherwise provided by the new edition of the Policy.

2. Terms and accepted abbreviations

Personal information - any information related to a direct or indirect definition or to an individual (a subject of personal information). Such information, in particular, is the surname, name, patronymic, year, month, date of birth, address, marital status, social status, property status, education, profession, income, and other information relating to the subject of personal information.

The operator is a legal entity or an individual, alone or together with other persons processing personal information, as well as defining the purposes of processing personal information, the composition of personal information subject to processing, the actions performed with personal information.

Personal information processing - any action (operation) or set of actions, including collection, recording, systematization, accumulation, storage, updating (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, Destruction of personal information.

Automated processing of personal information - processing of personal information by means of computer facilities.

Information system of personal information - a set of personal information contained in information bases and providing their processing of information technology and technical means.

Automated processing of personal information - processing of personal information by means of computer facilities.

Information system of personal information - a set of personal information contained in information bases and providing their processing of information technology and technical means.

Publicly available personal information - personal information placed by a personal information subject in publicly available personal information sources (including directories, address books), access to which is provided to an unlimited number of persons, or personal information placed in publicly available personal information sources on the basis of the written consent of the subject of personal Information.

Provision of personal information - actions aimed at disclosing personal information to a specific person or a certain circle of persons.

Blocking of personal information - temporary termination of processing of personal information (except for cases when processing is necessary for specification of personal information).

Destruction of personal information is an action that makes it impossible to restore the contents of personal information in the personal information system and (or) as a result of which material information carriers of personal information are destroyed.

Cross-border transfer of personal information - the transfer of personal information to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity.

3. Processing of personal information

3.1. Obtaining personal information.

3.1.1. The receipt of personal information, except for public personal information, is carried out by the Operator directly from the subjects of personal information, or persons having duly formalized powers to represent the interests of personal information subjects with personal information to the Operator. If the personal information of the subject can only be obtained from a third party, then the subject must be notified of this or a written consent must be obtained from him.

3.1.2. When receiving personal information, the Operator is obliged to inform the subject of personal information:

- On the purposes of obtaining personal information by the Operator;

- About the list of personal information requested by the Operator;

- About the list of actions that the Operator intends to perform with personal information;

- About the period during which the consent of the subject of personal information acts on the processing of personal information;

- About the procedure for withdrawal of consent to the processing of personal information;

- On the consequences of the refusal of the personal information subject to provide the Operator with consent to receive and process personal information.

3.1.3. Documents containing personal information are created by:

- copying of the original documents (passport of a citizen of the Russian Federation, a document on education, TIN certificates, pension certificates, SNILS, etc.);

- entering information into accounting forms;

- Obtaining originals of necessary documents (passport of a citizen of the Russian Federation, certificates of income, work record book, medical report, characteristics, etc.).

3.2. Processing of PD.- personal information placed by a personal information subject in publicly available personal information sources (including directories, address books), access to which is provided to an unlimited number of persons, or personal information placed in publicly available personal information sources on the basis of the written consent of the subject of personal Information.

Provision of personal information - actions aimed at disclosing personal information to a specific person or a certain circle of persons.

Blocking of personal information - temporary termination of processing of personal information (except for cases when processing is necessary for specification of personal information).

Destruction of personal information is an action that makes it impossible to restore the contents of personal information in the personal information system and (or) as a result of which material information carriers of personal information are destroyed.

Cross-border transfer of personal information - the transfer of personal information to the territory of a foreign state to the authority of a foreign state, to a foreign individual or to a foreign legal entity.

3. Processing of personal information

3.1. Obtaining personal information.

3.1.1. The receipt of personal information, except for public personal information, is carried out by the Operator directly from the subjects of personal information, or persons having duly formalized powers to represent the interests of personal information subjects with personal information to the Operator. If the personal information of the subject can only be obtained from a third party, then the subject must be notified of this or a written consent must be obtained from him.

3.1.2. When receiving personal information, the Operator is obliged to inform the subject of personal information:

- On the purposes of obtaining personal information by the Operator;

- About the list of personal information requested by the Operator;

- About the list of actions that the Operator intends to perform with personal information;

- About the period during which the consent of the subject of personal information acts on the processing of personal information;

- About the procedure for withdrawal of consent to the processing of personal information;

- On the consequences of the refusal of the personal information subject to provide the Operator with consent to receive and process personal information.

3.1.3. Documents containing personal information are created by:

- copying of the original documents (passport of a citizen of the Russian Federation, a document on education, TIN certificates, pension certificates, SNILS, etc.);

- entering information into accounting forms;

- Obtaining originals of necessary documents (passport of a citizen of the Russian Federation, certificates of income, work record book, medical report, characteristics, etc.).

3.2. Processing of PD.

3.2.1. The processing of personal information is carried out by the Operator in compliance with the principles and rules provided by 152-FZ "On Personal Information" of July 27, 2006, in the following cases:

- With the consent of the subject of personal information to the processing of his personal information;

- processing of personal information is necessary for the performance of a contract for the sale of a tourist product, of which the subject of personal information is a party or a beneficiary or guarantor for which;

- in cases where the processing of personal information is necessary for the Operator to implement and perform the functions, powers and duties imposed by the legislation of the Russian Federation;

- processing of personal information is necessary to protect the life, health or other vital interests of the subject of personal information, if obtaining the consent of the subject of personal information is impossible.

3.2.2. Purposes of personal information processing:

- implementation of civil and legal relations, including those related to the fulfillment of obligations under contracts for the sale of a tourist product, and ensuring the provision of services that are part of the tourism product being sold;

- implementation of labor relations.

3.2.3. Categories of subjects of personal information whose personal information are processed by the Operator:

- Customers of the tourist product - a tourist or other person ordering a tourist product on behalf of a tourist, including a legal representative of a minor tourist;

- tourist - an individual who visits the country (place) of temporary stay in medical and recreational, recreational, cognitive, physical culture, sports, business, religious and other purposes without engaging in activities related to obtaining income from sources in the country (place) of the temporary Stay for a period of 24 hours to 6 months in a row or carry out at least one overnight stay in the country (place) of temporary stay;

- passenger - an individual to whom the carrier, on the basis of documents issued by the Operator, undertook to provide transportation services;

- individuals who are with the Company in labor relations;

- individuals who have resigned from the Company;

- individuals who are candidates for work;

- individuals who are with the Company in civil law relations.

3.2.4. Personal information processed by the Operator:

- Personal information of customers and tourists in the amount necessary to book tourist services included in the tourist product sold under contracts for the sale of a tourist product;

- Personal information of tourists in the amount necessary for registration of tourist documents confirming the right of tourists to receive tourist services included in the tourist product sold under contracts for the sale of tourist products;

- Personal information received within the framework of performance of obligations under employment contracts;

- Personal information received for the purpose of selecting candidates for work;

- Personal information obtained during the conclusion of civil law contracts and used in the performance of obligations under concluded contracts.

3.2.5. Processing of personal information is conducted:

- using automation tools;

- without the use of automation.

3.3. Storage of personal information.

3.3.1. Personal information of subjects of personal information can be obtained, processed further and transferred to storage, both on paper and in electronic form.

3.3.2. Personal information of subjects of personal information recorded on paper carriers are stored in lockable cabinets or in lockable rooms with limited access rights.

3.3.3. Personal information of subjects of personal information processed using automation tools are processed and stored in compliance with the requirements established by RF Government Decree No. 1119 "On Approving the Requirements for the Protection of Personal Information when Processing in Personal Information Systems" dated 01.11.2012.

3.3.4. It is not allowed to store and place documents containing personal information in open electronic catalogs (file sharing) in information systems of personal information.

3.3.5. The storage of personal information in a form that allows to determine the subject of personal information is carried out no longer than required by the purpose of processing, and they are subject to destruction upon achievement of processing purposes or in case of loss of the need to achieve them.

3.4. Destruction of personal information.

3.4.1. Destruction of documents (carriers) containing personal information is carried out by burning, crushing (crushing), chemical decomposition, transformation into a shapeless mass or powder. For the destruction of paper documents, a shredder is allowed.

3.4.2. Personal information on electronic media is destroyed by erasing or formatting the media.

3.4.3. The fact of destruction of personal information is documented by an act of destruction of carriers.

3.5. Transfer of personal information.

3.5.1. The operator transfers personal information to third parties in the following cases:

- the subject of personal information has received a written consent from the subject for such actions;

- the transfer is provided by Russian or other applicable legislation within the framework of the procedure established by law.

3.5.2. List of persons to whom personal information is transferred.

3.5.2.1. Third parties to whom personal information are transferred in the framework of fulfillment of obligations associated with the implementation and execution of tourist services included in the tourist product:

- tour operators, forming a tourist product;

- direct executors of tourist services that are part of the tourist product, or providing individual tourist services (accommodation facilities, carriers, insurance companies, consulates and embassies of foreign countries, issuing visas, excursion bureaus, etc.).

Cross-border transfer of personal information is carried out taking into account the requirements established by Article 12 of the Federal Law No. 152-FZ "On Personal Information" of July 27, 2006.

3.5.2.2. Third parties to whom personal information are transferred in the framework of performance of obligations related to labor relations:

- Pension Fund of the Russian Federation for accounting (legally);

- tax authorities of the Russian Federation (legally);

- The Social Insurance Fund of the Russian Federation (legally);

- Territorial fund of compulsory medical insurance (legally);

- insurance medical organizations for compulsory and voluntary medical insurance (legally);

- Banks for the calculation of wages (on the basis of the contract);

- bodies of the Ministry of Internal Affairs of Russia in the cases established by the legislation.

4. Protection of personal information

4.1. In accordance with the requirements of regulatory documents, the Operator created a personal information protection system consisting of legal, organizational and technical protection subsystems.

4.2. The legal protection subsystem is a set of legal, organizational, regulatory and regulatory documents that ensure the creation, functioning and improvement of personal information protection systems.

4.3. The organizational security subsystem includes the organization of the structure of management of personal information protection systems, the permitting system, information protection when working with employees, partners and third parties.

4.4. The subsystem of technical protection includes a set of technical, software, software and hardware that protects personal information.

4.5. The main measures for protecting personal information used by the Operator are:

4.5.1. Appointment of the person responsible for the processing of personal information, which organizes the processing of personal information, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal information.

4.5.2. Identification of actual security threats to personal information when processing them in personal information systems and development of measures and measures to protect personal information.

4.5.3. Development of a policy for the processing of personal information.

4.5.4. Establishment of rules for access to personal information processed in personal information systems, as well as ensuring registration and recording of all actions performed with personal information in personal information information systems.

4.5.5. Establish individual passwords for employees to access the information system in accordance with their production responsibilities.

4.5.6. Application of the procedure for assessing the compliance of information security means that passed in accordance with the established procedure.

4.5.7. Certified antivirus software with regularly updated information bases.

4.5.8. Observance of the conditions ensuring the safety of personal information and excluding unauthorized access to them.

4.5.9. Detection of the facts of unauthorized access to personal information and taking measures.

4.5.10. Recovering personal information, modified or destroyed due to unauthorized access to them.

4.5.11. Training of the Operator's employees who directly process personal information, the provisions of the legislation of the Russian Federation on personal information, including the requirements for the protection of personal information, documents defining the operator's policy regarding the processing of personal information, local acts on the processing of personal information.

4.5.12. Implementation of internal control and audit.

5. Basic rights of the subject of personal information and duties of the Operator

5.1. Basic rights of the subject of personal information.

The subject of personal information has the right to receive information concerning the processing of his personal information, including:

1) confirmation of the fact of personal information processing by the operator;

2) the legal grounds and purposes for the processing of personal information;

3) the purposes and methods of processing personal information used by the operator;

4) the name and location of the operator, information on persons (except for the operator's employees) who have access to personal information or who can disclose personal information on the basis of a contract with the operator or on the basis of a federal law;

5) the processed personal information relating to the relevant personal information subject, the source of their receipt, if another procedure for the submission of such information is not provided for by federal law;

6) terms of processing of personal information, including the terms of their storage;

7) the procedure for the subject of personal information to exercise the rights provided for by this Federal Law;

8) information on the transboundary information transfer that has been or is being expected;

9) the name or surname, name, patronymic and address of the person carrying out the processing of personal information on behalf of the operator, if the processing is entrusted or will be entrusted to such person;

10) other information provided for by this Federal Law or other federal laws.

5.2. Obligations of the Operator.

The operator is obliged:

1) at the request of the subject of personal information, provide information on the processing of personal information;

2) in cases where the personal information was not received from the personal information subject, notify the subject of personal information about the fact of the receipt of personal information by the Operator;

3) in case of refusal to provide personal information, explain to the subject of personal information the consequences of such refusal;

4) publish or otherwise provide unrestricted access to the document that defines the policy of the Operator with respect to the processing of personal information;

5) to take the necessary legal, organizational and technical measures or to ensure their adoption to protect personal information from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal information, as well as other illegal actions with respect to personal information;

6) to respond to inquiries and appeals from subjects of personal information, their representatives and the authorized body for the protection of the rights of subjects of personal information.