POLICY FOR PROCESSING PERSONAL DATA IN SMART HOTEL NETWORK
1.1. This document defines the policy of Petrovsky Alliance LLC regarding the processing and security of personal data of citizens in the Smart Hotel chain (hereinafter referred to as the Operator).
1.2. This policy has been developed in order to comply with the requirements of the legislation in the field of processing and ensuring the security of personal data and is aimed at ensuring the protection of the rights of a citizen when processing his personal data by the Operator.
1.3. The provisions of this Policy form the basis for organizing the activities of the Operator for the processing and protection of personal data.
1.4. This Policy has been developed in accordance with the legislation of the Russian Federation:
- the Constitution of the Russian Federation;
- Federal Law of 27.07. 2006 No. 152-FZ "On Personal Data";
- Labor Code of the Russian Federation dated December 30, 2001 No. 197-FZ;
- Federal Law of November 24, 1996 No. No. 132-FZ “On the basics of tourism activities in the Russian Federation;
- "Rules for the provision of hotel services in the Russian Federation", approved by the Decree of the Government of the Russian Federation of 18.11.2020. No 1853;
as well as other regulatory legal acts of the Russian Federation that determine the rules for processing and protecting personal data.
1.5. This Policy states:
- the purposes of processing personal data;
- general principles and rules for the processing of personal data;
- classification of personal data and Personal Data Subjects;
- rights and obligations of the Subjects of personal data and the Operator for their processing;
- the procedure for organizing the processing of personal data;
- measures to ensure the security of personal data and the responsibility of the Operator.
1.6. This Policy shall be posted on a public resource - on the official website of the Operator https://hotel-smart.ru in the public domain for review.
1.7. This Policy is subject to revision in connection with changes in the legislation of the Russian Federation in the field of processing and protection of personal data, as well as based on the results of an assessment of the relevance, sufficiency and effectiveness of the measures taken to ensure the security of personal data processing by the Operator.
1.8. This Policy applies to actions (operations) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
1.9. The subject of personal data, who voluntarily provided the Operator with his personal data, accepts and agrees with the provisions of this Personal Data Processing Policy.
2. Basic terms and definitions
Automated processing of personal data - processing of personal data using computer technology.
Biometric personal data - information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his identity and which is used by the operator to identify the Personal Data Subject.
Blocking of personal data - temporary suspension of the processing of personal data (except when processing is necessary to clarify personal data).
Security of personal data - the state of protection of personal data, characterized by the ability of users, technical means and information technologies to ensure the confidentiality, integrity and availability of personal data when they are processed in personal data information systems.
Personal data information system - a set of personal data contained in databases and information technologies and technical means that ensure their processing.
Confidentiality of personal data is a mandatory requirement for the Operator or other person who has gained access to personal data to prevent their disclosure and distribution without the consent of the Subject of personal data or other legal grounds.
Processing of personal data - any action (operation) or a set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Publicly available personal data - personal data, access to which is granted to an unlimited number of persons with the consent of the Personal Data Subject or which, in accordance with federal laws, is not subject to the confidentiality requirement.
Depersonalization of personal data - actions, as a result of which it becomes impossible to determine the ownership of personal data by a specific Personal Data Subject without the use of additional information.
Operator - a state body, municipal body, legal entity or individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, the actions (operations) performed with personal data.
Providing personal data - actions aimed at disclosing personal data to a certain person or a certain circle of persons.
Personal data - any information relating directly or indirectly to a specific or identifiable natural person (Personal Data Subject).
Special categories of personal data - personal data relating to race, nationality, political views, religious or philosophical beliefs, health status and intimate life of the Subject of personal data.
The subject of personal data is a natural person who can be directly or indirectly identified using these data.
Destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
3. Purposes of personal data processing
3.1. The operator processes personal data for the following purposes:
- provision of hotel and / or additional services in hotels of the Smart Hotel chain in accordance with the civil legislation of the Russian Federation, as well as the Rules for the provision of hotel services posted on the official website of the network https://hotel-smart.ru;
- providing the Subject of personal data with confirmation of the reservation of a room / rooms in a hotel;
- conclusion of agreements with the Personal Data Subject for the provision of hotel and additional services in the hotel and their further execution;
- providing the Subject of personal data with information about the services provided, about current marketing promotions and new services in order to improve the quality of service;
- organization and maintenance of personnel records management of the Operator;
- study and selection of candidates to fill the vacant positions of the Operator;
- formation of statistical, tax and accounting reports, as well as for submission to regulatory authorities and executive authorities of the Russian Federation in cases provided for by law;
- as well as for other purposes, the achievement of which is not prohibited by federal legislation, international treaties of the Russian Federation.
4. Classification of personal data and categories of Subjects whose personal data are processed by the Operator
4.1. Personal data includes any information relating directly or indirectly to a specific or identifiable natural person (Personal Data Subject).
4.2. The Operator does not process special categories of personal data relating to race, nationality, political views, religious and philosophical beliefs, unless otherwise provided by the legislation of the Russian Federation.
4.3. The Operator processes personal data of the following categories of Personal Data Subjects:
- individuals who are employees of the Operator;
- individuals who are candidates for filling vacant positions of the Operator;
- individuals performing work and providing services under civil law contracts concluded with the Operator;
- individuals who are clients of a hotel chain (guests) and / or legally represent the interests of hotel chain customers, or intend to become such;
- individuals purchasing or intending to purchase third party services through the Operator, provided that their personal data is included in the Operator's automated systems in connection with the provision of hotel and / or additional services;
- other individuals who have expressed their consent to the processing by the Operator of their personal data, or the processing of whose personal data is necessary for the Operator to perform duties, perform functions or powers provided for by the legislation of the Russian Federation.
5. Basic principles of personal data processing
5.1. The processing of personal data by the Operator is carried out on the basis of the following principles:
- legality of the purposes and methods of processing personal data;
- compliance of the purposes of processing personal data with the purposes predetermined and declared when collecting personal data;
- compliance of the composition and volume of processed personal data, as well as the methods of processing personal data with the stated purposes of processing;
- reliability of personal data, their sufficiency for the purposes of processing,
- inadmissibility of processing personal data that is excessive in relation to the purposes stated when collecting personal data;
- inadmissibility of processing personal data that is incompatible with the purposes of collecting personal data;
- the inadmissibility of combining databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other;
- ensuring the storage of personal data no longer than required by the purposes of processing personal data, if the period for storing personal data is not established by federal law or an agreement to which the Subject of personal data is a party;
- destruction or depersonalization of personal data upon reaching the goals of processing or in case of loss of the need to achieve these goals, unless otherwise provided by the legislation of the Russian Federation or an agreement to which the Personal Data Subject is a party;
- ensuring the confidentiality and security of the processed personal data.
6. Organization of personal data processing
6.1. The processing of personal data is carried out in accordance with the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data".
6.2. The operator carries out the processing of personal data, both with the use of automation tools, and without the use of automation tools.
6.3. The Operator may include personal data of subjects in public sources of personal data only with the written consent of the Subject.
6.4. If there is no need for the written consent of the Subject to the processing of his personal data, consent by the Subject or his representative may be given in any form that allows confirming the fact of its receipt.
6.5. The Operator has the right to entrust the processing of personal data to another person with the consent of the Personal Data Subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. At the same time, in the contract, the Operator obliges the person who processes personal data on his behalf to comply with the principles and rules for the processing of personal data provided for by law.
6.6. Granting access to public authorities (including regulatory, supervisory, law enforcement and other bodies) to personal data processed by the Operator is carried out in the amount and in the manner established by the current legislation of the Russian Federation.
7. Rights and obligations of the Subject of personal data
7.1. The subject of personal data has the right:
- receive information regarding the processing of his personal data in the manner, form and terms established by the legislation on personal data;
- demand clarification of their personal data, their blocking or destruction in cases where personal data is incomplete, outdated, inaccurate, illegally obtained, is not necessary for the stated purpose of processing or is used for purposes not previously declared when the Personal Data Subject provided consent to the processing of personal data;
- take legal measures to protect their rights;
- withdraw your consent to the processing of personal data.
7.2. The subject of personal data who accepts and agrees with the provisions of this Personal Data Processing Policy is obliged to provide the necessary complete, accurate and reliable information about his personal data.
7.3. The right of the subject of personal data to access his personal data may be limited in cases provided for by the legislation of the Russian Federation.
8. Rights and obligations of the Operator when processing personal data
8.1. The operator has the right:
- process the personal data of the Personal Data Subject in accordance with the stated purpose;
- require the Personal Data Subject to provide reliable personal data necessary for the execution of the contract, the provision of services;
- identify the Subject of personal data in cases provided for by the legislation on personal data;
- restrict the Personal Data Subject's access to his personal data if such access violates the rights and legitimate interests of third parties, as well as in other cases provided for by the legislation of the Russian Federation;
- process publicly available personal data of individuals;
- carry out the processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the Russian Federation;
- clarify the processed personal data, block it or delete it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- keep a record of requests from Personal Data Subjects;
- entrust the processing of personal data to another person with the consent of the Personal Data Subject.
8.2. In accordance with the requirements of the Federal Law "On Personal Data", the Operator is obliged to:
- provide the Personal Data Subject, at his request, with information regarding the processing of his personal data, or legally provide a refusal;
- at the request of the Personal Data Subject, clarify the processed personal data, block it or delete it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- keep a record of requests from Personal Data Subjects;
- notify the Personal Data Subject about the processing of personal data in the event that personal data was not received from the Personal Data Subject, except as otherwise provided by the legislation of the Russian Federation;
- if the purpose of processing personal data is achieved, immediately stop processing personal data and destroy the relevant personal data, unless otherwise provided by the contract or agreement to which the Personal Data Subject is a party;
- in the event that the Subject of personal data withdraws consent to the processing of his personal data, stop processing personal data and destroy personal data within the period established by the legislation of the Russian Federation. The Operator is obliged to notify the Subject of personal data about the destruction of personal data;
- the operator undertakes and obliges other persons who have gained access to personal data not to disclose them to third parties and not to distribute personal data without the consent of the Personal Data Subject, unless otherwise provided by federal law;
- appoint a person (persons) responsible for organizing work on the processing and protection of personal data.
9. Measures to ensure the security of personal data during their processing
9.1. When processing personal data, the Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other illegal actions in relation to personal data.
9.2. Ensuring the security of personal data is achieved, in particular:
- Determination of threats to the security of personal data during their processing in information systems of personal data;
- The application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for the protection of personal data, the implementation of which ensures the levels of protection of personal data established by the Government of the Russian Federation;
- Evaluation of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
- Accounting for machine carriers of personal data;
- Detection of facts of unauthorized access to personal data and taking the necessary measures to protect personal data;
- Recovery of personal data modified or destroyed due to unauthorized access to them;
- Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed with personal data in the personal data information system;
- Training of the Operator's employees involved in the processing of personal data, the rules of processing and issues of ensuring the security of personal data;
- Control over the measures taken to ensure the security of personal data and the security of personal data information systems.
10. Responsibility of the Operator
10.1. Control over the fulfillment of the requirements of this Policy, the rules and requirements applicable to the processing of personal data by the Operator, is carried out by persons appointed by order of the organization.
10.2. The operator, as well as its officials, bear criminal, civil, administrative and disciplinary liability for non-compliance with the rules for processing personal data, as well as for disclosure or illegal use of personal data in accordance with the legislation of the Russian Federation.
CONSENT TO PROCESSING OF PERSONAL DATA
This document defines the procedure for processing personal data and measures to ensure the security of personal data in Petrovsky Alliance LLC. In the process of using the site https://hotel-smart.ru, an individual is invited to accept (accept) this Consent to the processing of personal data (hereinafter referred to as the Consent). The user gives his consent to Petrovsky Alliance LLC (TIN 7813593864), which is located at 197022, St. Petersburg, emb. river Karpovka, d.5, bldg. 22, lit. A, room 14-N (hereinafter referred to as the Operator), for the processing of their personal data with the following conditions:
1. This Consent is given to the processing of personal data, both without the use of automation tools, and with their use.
2. Consent is given to the processing of the following personal data:
- your name, gender, personal and work contact information, position, date and place of birth, passport and visa details;
- accommodation information, dates of arrival and departure, goods and services purchased at the hotel, special requests, information about your preferences in the field of services (including types of rooms and types of recreation), telephone numbers used, and telephone and fax messages received;
- information about your bank card, as well as account and registration data for loyalty programs;
- any information necessary to fulfill special requests (for example, about the state of health, which implies certain living conditions or the purchase of services);
- information, feedback or content provided by you in relation to your marketing preferences, in surveys, sweepstakes, contests or promotional offers on our websites or applications, as well as information of this kind about third parties;
- information collected during your stay at a hotel or through CCTV, Internet systems (including wireless networks that collect data about your computer, smart or mobile device, or your location), card key, other security systems and technologies security;
- information collected during the use of the website;
- contact details and other relevant information about employees, corporate clients and service providers, as well as other persons with whom we do business (travel agencies, meeting and event planners); in some cases - information about the state of the customer's credit account.
3. Personal data is not publicly available.
4. The processing of personal data by the Operator is carried out in order to:
- provision of hotel services in a hotel operating under the Smart Hotel brand;
- booking hotel rooms, services by the subject of personal data;
- conclusion of contracts with the subject of personal data for the provision of hotel services, the provision of these services;
- providing the subject of personal data with information about the services provided by the hotel, about ongoing marketing promotions and new services.
For other purposes, the achievement of which is not prohibited by federal legislation and international treaties of the Russian Federation.
5. Subject to applicable law, we may collect and use relevant portions of your personal data in order to:
- provide and collect fees for hotel stays and other goods and services;
- provide more personalized service, including providing information and services from third parties (for example, additional services to guests in hotels, visits to local attractions and the possibility of a transfer);
- respond to requests for information and services, including those of a third party (such as restaurants or transport companies);
- fulfill our contractual obligations towards you, everyone involved in the organization of your holiday (for example, travel agencies, organizers of group tours and your employer), as well as service providers (for example, credit card companies);
- conduct market research, surveys to determine the level of customer satisfaction with the quality of service and for the purpose of quality assurance, carry out targeted marketing and organize advertising campaigns;
- ensure the safety and security of staff, guests and other visitors;
- maintain general documentation;
- ensure compliance with the requirements of laws and regulations;
- test and evaluate new products and services.
6. In the course of processing, the following actions will be performed with personal data: collection; record; systematization; accumulation; storage; clarification (update, change); extraction; usage; transfer (distribution, provision, access); blocking; removal; destruction. You can always choose which personal data (if any) you want to provide to us. However, if you choose not to provide certain data, this may affect our interaction (for example, we cannot make a reservation without a name). If you provide us with your contact information (for example, postal address, email address, telephone number), we may contact you about products, services, promotions and events that we think may be of interest to you. You can always limit the number of all or some of the emails you receive by contacting us as described in Section 11 below or by following the unsubscribe instructions in the relevant emails. The operator and other persons who have gained access to personal data are obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law. Your personal information will be kept for as long as required by law in the hotel's jurisdiction. This means that the information may be kept after your departure. We may delete your personal information when it is no longer required to fulfill the purposes described above.
7. Consent comes into force from the moment of its signing and is valid until the individual withdraws from this Consent.
8. Consent may be withdrawn by the subject of personal data or his representative by sending a written application to the Operator or his representative at the address indicated at the beginning of this Consent.
9. If the subject of personal data or his representative withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the subject of personal data if there are grounds specified in clauses 2-11 of part 1 of article 6, part 2 of article 10 and part 2 Article 11 of the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”.
10. Because our business is constantly changing, these Rules are subject to change.
11. If you have questions about Consent or have any other concerns or complaints related to the regulation of Consent, or if you would like to make a request for information regarding the personal information we hold about you, please contact us using one of the following methods:
- by calling one of the phones listed in the "Contacts" section of the official website of the Smart Hotel;
- by sending a letter to the address 197022, St. Petersburg, st. Professor Popov, d.23, letter B, office 108;
- by contacting the front desk at the hotel. If you are not satisfied with the response you received, you can send an email to the Hospitality Director at marketing@hotel-smart.ru.
12. This Consent is valid all the time until the termination of the processing of personal data specified in clauses 7 and 8 of this Consent. In the event of any discrepancy between the Russian and English versions of this document and any version of this Consent in any other language, the Russian version shall prevail (to the maximum extent permitted under applicable law).
Date of entry into force of the document: July 1, 2020