Travel Baikal Logo

APPROVED
by Order of RUTRAVEL LLC No. ___ as of __._. 2019

disclosure of such personal data. The procedure for providing information to personal data owners is established in the General Data Protection Regulation and the Law on Personal Data.

Before personal data processing begins (if personal data is received directly from the personal data owner) or within a reasonable time (maximum one month), personal data owners shall be provided with the following information:

· the name and location of the operator;

· the purposes and legal basis for personal data processing, including the cases when such personal data processing is required to exercise the rights and legal interests of the operator or third parties;

· recipients of personal data of such personal data owners, including personal data processors;

· in the case of cross-border personal data processing: the information on how the received data will be protected in the jurisdiction where personal data is transferred to;

· data retention period;

· when personal data is processed under an agreement to which either the beneficiary or guarantor is the personal data owner, or on other grounds established by law: on existence of such a ground and on possible consequences of failure to provide personal data for the personal data owner;

2) require the operator to clarify (also to correct) its personal data, transfer (port) personal data, limit its processing, block or destruct if personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures prescribed by law for protection of their rights;

3) object to personal data processing;

4) when personal data is processed with the consent of the personal data owner: withdraw such consent;

5) put forward precondition for consent when personal data is processed in order to promote any goods, works and services on the market;

6) appeal any illegal actions or omission of the operator in personal data processing.

1.7. Implementation of the requirements of this Policy is controlled by the authorized person responsible for arrangement of personal data processing by the Operator.

1.8. Liability for non-compliance with the requirements of legislation of the EU and the Russian Federation, as well as the regulations of RUTRAVEL LLC, for processing and protection of personal data shall be determined in accordance with the legislation of the EU and the Russian Federation.

2. Objectives of Personal Data Collection

2.1. Personal data processing is limited to achievement of specific, predetermined and legitimate objectives. Personal data processing that is incompatible with the purposes of personal data collection is not allowed.

2.2. Only the personal data that is consistent with the purposes of processing thereof are subject to processing.

2.3. The Operator shall process personal data for the following purposes:

2.3.1. When processing the personal data related to establishment of employment relationship between the personal data owner and RUTRAVEL LLC:

- head hunting and selection of applicants for work with the Operator;

- assistance to employees in finding a job, getting an education and professional advancement, ensuring personal safety of employees, monitoring the quantity and quality of the work performed, ensuring safeguard of property;

- HR record management;

- arrangement of individual (personalized) record-keeping of employees in the compulsory pension insurance system;

- filling in and submitting the required reporting forms to the executive authorities and other designated organizations;

- accounting records maintenance;

- implementation of access control;

2.3.2. When processing the personal data related to establishment of civil law relations with the personal data owner:

- communication with the personal data owner through the communication channels provided;

- identification and verification of customers, including with a view to meeting the requirements for combating the financing of terrorism and money laundering;

- conduct of financial transactions with the personal data owner;

- ensuring proper functioning of the service (website) and detection of technical problems;

- providing the personal data owner with advertising mailings.

2.4. Processing of the meployees’ personal data may be carried out solely to ensure compliance with laws and other regulatory legal acts.

3. Legal Basis for Personal Data Processing

3.1. The legal basis for personal data processing is a set of regulatory legal acts pursuant to and in accordance with which the Operator carries out personal data processing, including:

- the Treaty on the Functioning of the European Union, TFEU;

RUTRAVEL Limited Liability Company Policy for Personal Data Processing

1. General Provisions

1.1. This Policy of RUTRAVEL Limited Liability Company for personal data processing (hereinafter referred to as the Policy) is developed in compliance with the requirements of the clause 2, Part 1, Article 18.1, of Federal Law N 152-FZ On Personal Data as of 27/07/2006 (hereinafter referred to as the Law on Personal Data), as well as the Article 24 of the General Data Protection Regulation (EU) 2016/679, hereinafter referred to as GDPR).

1.2. The Policy is valid for all personal data processed by RUTRAVEL Limited Liability Company (hereinafter referred to as the Operator or RUTRAVEL LLC).

1.3. The Policy applies to relations in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.

1.4. Basic terms used in the Policy:

personal data means any information relating to an individual directly or indirectly defined (personal data owner);

personal data operator (operator) means any state body, municipal body, legal or natural person that, independently or jointly with other persons, arranges and (or) processes personal data, as well as determines the objectives and methods of personal data processing, composition of personal data subject to processing, actions (operations) to be taken (made) with personal data;

personal data processor means an individual or legal entity, state body, agency or any other authority that processes personal data on behalf of the operator;

personal data processing means any action (operation) or a combination of actions (operations) with personal data or groups of personal data to be taken (made) with or without automation tools. Personal data processing also includes:

- data collection;

- data recording;

- data management;

- data systematization;

- data accumulation;

- data storage;

- data refinement (adaptation, updating, modification);

- data retrieval;

- consultation;

- data using;

- disclosure by transfer (distribution, provision, access);

- data matching or combining;

- data depersonalization;

- limitation;

- data blocking;

- data deletion;

- data destruction;

automated personal data processing means personal data processing using computer technology;

personal data distribution means any actions aimed at disclosure of personal data to public;

personal data provision means any actions aimed at disclosure of personal data to a definite person or a certain group of persons;

personal data blocking means temporary suspension of personal data processing (except when processing is necessary for personal data refinement);

limitation of personal data processing means marking of stored personal data in order to limit their processing in the future;

personal data destruction means any actions resulting in impossibility to restore the content of personal data within personal data information system and (or) in destructing tangible media of personal data;

personal data depersonalization means any actions resulting in impossibility to define the relevant personal data owner without the use of additional information;

personal data information system means a structured collection of personal data contained in personal data databases that are available in accordance with certain criteria, regardless of whether such personal data is centralized, decentralized or dispersed on a functional or geographical basis, as well as providing their processing using information technology and technical means;

cross-border data processing can denote one of the following cases of personal data processing:

· transfer of personal data received by an operator located in the territory of the Russian Federation to a government authority, individual or legal entity located outside the territory of the Russian Federation;

· transfer of personal data received by an operator established in an EU Member State to a territory outside the European Economic Area.

1.5. Basic rights and obligations of the Operator.

1.5.1. The Operator may:

1) determine independently the scope and list of measures required and sufficient to ensure fulfillment of the obligations stipulated by the General Data Protection Regulation, the Law on Personal Data, as well as any regulatory legal acts adopted in accordance therewith, unless otherwise provided by the General Data Protection Regulation, the Law on Personal Data or other laws;

2) entrust personal data processing to another person (processor) with the consent of the personal data owner on the terms and pursuant to the conditions set out in the agreement made with such person. The person processing personal data (processor) on behalf of the Operator shall comply with the principles and rules for personal data processing stipulated by the General Data Protection Regulation and the Law on Personal Data. The personal data processor entrusted by the Operator to process personal data of personal data owners is not entitled to delegate personal data processing to another processor without general written instruction from the Operator;

3) if owner of personal data withdraws its consent for personal data processing the Operator may continue personal data processing without the consent of such personal data owner if there are grounds specified in the General Data Protection Regulation and the Law on Personal Data.

1.5.2. The Operator shall:

1) arrange personal data processing in accordance with the requirements of the General Data Protection Regulation and the Law on Personal Data;

2) respond to appeals and inquiries of personal data owners and their legal representatives in accordance with the requirements of the General Data Protection Regulation and the Law on Personal Data;

3) provide the authorized body for protection of the rights of personal data owners (the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor), upon its request, with relevant information within 30 days from the date of receipt of such a request

4) notify personal data owners of any changes made herein.

1.6. Basic rights of a personal data owner. A personal data owner may:

1) receive information relating to its personal data processing, as well as access to the personal data processed.

TheOperator shall provide the personal data owner with the information in a short, transparent, understandable and readily accessible form, and such information shall not contain personal data related to other personal data owners, unless there are legal grounds for

- the Treaty on European Union, TEU;

- the Charter of Fundamental Rights of the European Union;

- the General Data Protection Regulation (EU) 2016/679, GDPR;

- legislation of the EU Member States for personal data protection;

- the Constitution of the Russian Federation;

- the Civil Code of the Russian Federation;

- the Labor Code of the Russian Federation;

- the Tax Code of the Russian Federation;

- Federal Law No. 14-FZ On Limited Liability Companies as of 08.02.1998;

- Federal Law No. 402-FZ On Accounting as of 06.12.2011;

- Federal Law No. 167-FZ On Mandatory Pension Insurance in the Russian Federation as of 15.12.2001;

- other legal acts regulating relations associated with the Operator’s activities.

3.2. The legal basis for personal data processing also includes:

- the Articles of Association of RUTRAVEL LLC;

- agreements made between the Operator and personal data owners;

- consent of the personal data owner to processing its personal data.

4. Scope and Categories of Personal Data to be Processed. Categories of Personal Data Owners

.1. The content and scope of the personal data to be processed shall comply with the stated objectives of processing defined in the section 2 hereof. The personal data to be processed should not be redundant with respect to the stated objectives of processing thereof.

4.2. The Operator may process personal data of the following categories of personal data owners.

4.2.1. Applicants for employment with the Operator:

- surname, first name and patronymic;

- sex;

- citizenship;

- date and place of birth;

- contact details (mobile phone number, email address);

- information on education, work experience, qualifications;

- other personal data communicated by the applicants in resumes and enclosed letters.

4.2.2. Employees and former employees of the Operator:

- surname, first name and patronymic;

- sex;

- citizenship;

- date and place of birth;

- image (photo);

- passport details;

- registration residence address;

- actual residence address;

- contact details (mobile phone number, email address);

- Taxpayer Identification Number (INN);

- Insurance Individual Account Number (SNILS);

- information on education, qualifications, professional training and advanced training;

- marital status, parental status, family ties;

- information on labor activity, including incentives, awards and (or) disciplinary penalties;

- marriage registration details;

- military service details;

- disability information;

- information on maintenance deduction;

- details of income from the previous place of work;

- other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.3. Family members of the Operator’s employees:

- surname, first name and patronymic;

- relation degree;

- year of birth;

- other personal data provided by employees in accordance with the requirements of labor legislation.

4.2.4. The Operator’s customers:

- surname, first name and patronymic;

- date and place of birth;

- passport details;

- registration residence address;

- contact details (mobile phone number, email address);

- settlement account number;

- other personal data provided by the customers and contractors (individuals) required for conclusion and execution of agreements.

4.2.5. In addition, when visiting the Operator’s website, the following data of the internet user is being processed:

- device data (including geolocation data, IP address);

- technical information (including information on software and information on equipment (for example, the type of the browser and operating system on the user's device, language settings, access time, name of the domain from which the user connects to the website, etc.);

- analytical information (user activity on the website).

4.3. The Operator shall not process special categories of personal data regarding race, nationality, political views, religious or philosophical beliefs, health status, intimate life, with the exception of the cases provided for by the EU legislation for personal data processing, as well as the legislation of the Russian Federation.

5. Procedure for and Conditions of Personal Data Processing

5.1. The Operator shall process personal data in accordance with the requirements of the EU legislation for personal data processing, as well as the legislation of the Russian Federation.

5.2. The Operator shall process personal data on the following grounds:

- with the consent of the personal data owner to its personal data processing executed in writing (including that executed through electronic means of communication) separately from any other statements (expressions of will) of the personal data owner contained in the relevant agreement;

- in the event that personal data processing is necessary to perform the agreement made between the Operator and the personal data owner or to take preparatory measures for making such agreement between the Operator and the personal data owner;

- on any other grounds stipulated by the EU legislation for personal data and the legislation of the Russian Federation.

5.3. The Operator carries out both automated and manual personal data processing.

5.4. Personal data is allowed to be processed by the Operator’s employees whose duties include personal data processing.

5.5. Personal data is processed through:

- receipt of personal data in oral and in written form directly from the personal data owner;

- receipt of personal data from publicly available sources;

- entering personal data into the logs, registers and information systems of the Operator;

- using other methods of personal data processing.

5.6. Disclosure to third parties and distribution of personal data without the consent of the personal data owner is not allowed, unless otherwise provided for by the EU legislation for personal data and the legislation of the Russian Federation.

5.7. The Operator shall take necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, distribution and other unauthorized actions in accordance with the risks in personal data processing, including the following measures:

- arrangements for keeping the records containing personal data;

- determination of security threat to personal data during processing;

- implementation of preventive measures aimed at personal data protection (including through application of privacy by design, as well as the principle of confidentiality by default), minimizing personal data processed;

- depersonalization and encryption of personal data processed;

- carrying out the activities aimed at maintaining the ability to ensure constant confidentiality, integrity, accessibility and sustainability of personal data processing;

- ensuring the ability for timely restoration of personal data accessibility, as well as access to the data in the event of a physical or technical malfunction;

- regular testing and evaluating effectiveness of technical and organizational measures to ensure safety of PD processing);

- adoption of local regulations and other documents governing relations in personal data processing and protection;

- appointment of persons responsible for ensuring security of personal data in the structural units and information systems of the Operator;

- arrangement of work with the information systems in which personal data is processed;

- storage of personal data in conditions under which they are protected and unauthorized access to them is excluded;

- arranges training for the Operator's employees processing personal data.

5.9. The Operator shall store personal data in a form that allows to determine the personal data owner, no longer than the objectives for personal data processing require, if the storage period for personal data is not established by law or by an agreement between the Operator and the personal data owner.

5.10. When collecting personal data, including through the information and telecommunication Internet network, the Operator shall provide recording, systematization, accumulation, storage, refinement (updating, modification), extraction of personal data of the citizens of the Russian Federation using the databases located in the territory of the Russian Federation, except for the cases specified in the Law on Personal Data.

5.11. Cross-border personal data processing shall be carried out based on full consent obtained from the relevant personal data owner.

6. Updating, Correction, Deletion and Destruction of Personal Data. Responses to Inquiries of the Owners for Access to Personal Data

6.1. Confirmation of the fact of personal data processing by the Operator, legal grounds and objectives of personal data processing, as well as other information specified in Art. 1.7 (1) hereof and Part 7, Art. 14, of the Law on Personal Data shall be provided by the Operator to the personal data owner or its representative upon application or upon receipt of a request from the personal data owner or its representative.

Such request shall contain:

- the number of the main document proving the identity of the personal data owner or its representative, information on the issuing authority and the date of issue of the document;

- information confirming participation of the personal data owner in relations with the Operator (number and date of agreement, conventional verbal designation and (or) other information), or the information that otherwise confirms that the Operator has processed personal data;

- signature of the personal data owner or its representative (including digital signature).

If the application (request) of the personal data owner does not reflect all the information necessary in accordance with the requirements of the General Data Protection Regulation and the Law on Personal Data, the owner has no right to access to the information requested, or the objectives that the personal data owner is guided by when applying (requesting) to the operator does not correspond or is not associated with processing of its personal data, a motivated refusal shall be sent to the owner.

The right of the personal data owner to access its personal data may be limited in accordance with the clause (63) of the General Data Protection Regulation, the Part 8, Art. 14, of the Law on Personal Data, including if such access of the personal data owner to its personal data violates the rights and legal interests of third parties.

6.2. A personal data owner may transfer (port) its personal data processed by the Operator, the right to receive the personal data that it previously provided to the Operator in a structured, widely used form suitable for entering into a computer, as well as freely to transfer such data to another operator when all of the following conditions are met:

· the personal data requested is processed using automation tools (without paper records);

· the personal data is provided to the Operator by the personal data owner;

· in the event that the ground for personal data processing is the consent obtained from the personal data owner or if the personal data is processed in order to perform the agreement made between the Operator and the personal data owner or to take preparatory measures for making such agreement between the Operator and the personal data owner.

6.3. The personal data owner may at any time send an objection to the Operator regarding its personal data processing in case its personal data is processed for the purposes of direct marketing or on the legal grounds established in the clauses (e), (f), Article 6 (1), of the General Data Protection Regulation. In the event of an objection received from a personal data owner, the Operator shall immediately stop processing of the personal data of such owner, unless the Operator may provide compelling legal grounds to continue personal data processing having superior legal force in relation to the interests, rights and freedoms of the personal data owner or if the relevant personal data is processed in order to submit, execute or protect against legal claims.

6.4. A personal data owner has the right to demand from the Operator limitation of personal data processing in the following cases:

· in the event that the personal data owner disputes the accuracy of the personal data provided; limitation on personal data processing may be imposed for a period enabling the Operator to verify the accuracy of the personal data processed;

· in the event that personal data processing by the Operator is illegal but the personal data owner is against deletion thereof and requests to limit the use of its personal data instead;

· in the event that the Operator no longer needs the personal data of the owner to fulfill the objectives of processing stated upon receipt of the relevant personal data but the personal data of the owner is required to submit, execute or protect against legal claims;

· in the event that the personal data owner has sent an objection to the Operator regarding its personal data processing, limitation on personal data processing may be imposed for a period necessary to establish existence or lack of legal grounds for the Operator to continue personal data processing.

· In the case of limitation on personal data processing the relevant personal data should be processed, except for storage, only with the separate consent of the personal data owner or when personal data processing is necessary to submit, execute or protect against the legal claims aimed at protecting the rights of another individual or legal entity, or on the ground of the public interest of the EU or any EU Member State.

6.5. In the event that upon application or request of the personal data owner, its representative or Roskomnadzor any inaccurate personal data is detected, the Operator shall block the personal data related to such personal data owner from the date of the application or upon receipt of the request for the period of verification if such personal data blocking does not violate the rights and legal interests of the personal data owner or third parties.

If inaccuracy of the personal data is confirmed, the Operator, based on the information provided by the personal data owner, its representative, Roskomnadzor or other necessary documents, shall refine the relevant personal data within seven business days from the date of submission of such information and release the personal data blocking.

6.6. In the event that upon application or request of the personal data owner, its representative or Roskomnadzor any illegal personal data processing is revealed, the Operator shall block illegally processed personal data relating to such personal data owner from the date of the application or receipt of the request.

6.8. Personal data shall be deleted in the following cases:

- upon achievement of the objectives of personal data processing;

- when the personal data owner withdraws its consent to its data processing, except for the cases where further processing of its personal data is stipulated by:

· an agreement to which either the beneficiary or guarantor is the personal data owner;

· the Operator has legal grounds provided for in the General Data Protection Regulation, the Law on Personal Data or other laws to process personal data without the consent of the personal data owner;

· there are any other grounds provided for in the agreement between the Operator and the personal data owner;

- in the case of limitation imposed by the personal data owner on processing if the Operator has no legal grounds to continue personal data processing;

- in the case of illegal personal data processing by the Operator or if personal data processing violates the requirements established by the legislation of any EU Member State.

Personal data is subject to deletion within a period not exceeding 30 days from the date of submission by the personal data owner of an application (request) on deletion thereof.

Let’s talk about your next trip
Send us an email tours@travel-baikal.com
Reach out via phone +7 (395) 248 07 88

Come to visit us at the address: Irkutsk, Kievskaya str. 7, office 505A, 5th floor