Policy regarding personal data processing in Turbaza.ru Co., Ltd

1. General provisions

1.1. Personal Data Processing Policy (hereinafter referred to as the Policy) is aimed at protecting the rights and freedoms of individuals whose personal data is processed by Turbaza.ru Co., Ltd (hereinafter referred to as the Operator).

1.2. The policy is created in accordance with paragraph 2 h. 1 Article 18.1 of the Federal Law of 27 July 2006 No. 152-FZ "On Personal Data" (hereinafter referred to as "the Federal Law on Personal Data").

1.3. the policy contains information to be disclosed in accordance with part 1 of Article 14 of the Federal Law "On Personal Data" and is a publicly available document.

2. Operator information

2.1. The operator operates at 2, Italyanskaya St., 2, St. Petersburg, 191186. 509.

2.2. Andrey Sergeevich Romanov, General Director (phone +7 (812) 407-21-31), was appointed responsible for organizing the processing of personal data.

3. Personal data processing information

3.1. the Operator processes personal data on a lawful and fair basis in order to perform the functions, powers and duties assigned by law, exercise the rights and legitimate interests of the Operator, the Operator's employees, and third parties.

3.2. the operator receives personal data directly from the subjects of personal data.

3.3. the Operator processes personal data in an automated and non-automated way, with the use of computer facilities and without the use of such facilities.

3.4. personal data processing activities include collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transmission (distribution, provision, access), depersonalization, blocking, deletion and destruction.

4. Processing of employees' personal data

4.1. the Operator processes personal data of the Operator's employees within the framework of the legal relations regulated by the Labor Code of the Russian Federation of December 30, 2001, No. 197-FZ (hereinafter referred to as the "LCRF"), including Chapter 14 of the LCRF concerning the protection of employees' personal data.

4.2. the Operator processes personal data of employees in order to fulfill employment contracts, comply with Russian legislation, as well as for the purpose of:

— keep personnel records;

— keep accounting records

— perform the functions, powers and obligations imposed by the legislation of the Russian Federation on the Operator, including the provision of personal data to the state authorities, the Pension Fund of the Russian Federation, the Social Insurance Fund of the Russian Federation, the Federal Compulsory Medical Insurance Fund, as well as other state authorities;

— comply with the norms and requirements for occupational health and personal safety of the employees of LLC Turbaza.RU, as well as for the safety of property;

— open personal bank accounts of the employees of LLC "Turbaza.RU" for salary transfer.

4.3. the operator does not make decisions affecting the interests of employees based on their personal data obtained electronically or solely as a result of automated processing.

4.4. The Operator protects personal data of employees at its own expense in accordance with the procedure established by the Russian Labour Code, the Federal Law "On Personal Data" and other federal laws.

4.5. the Operator informs employees and their representatives, upon signature, of the documents establishing the procedure for processing employees' personal data, as well as of their rights and obligations in this area.

4.6. the operator allows access to employee personal data only by authorized persons, who are entitled to receive only those data that are necessary to perform their functions.

4.7. The operator receives all personal data from the employees themselves. If the employee's data can only be obtained from a third party, the Operator notifies the employee in advance and receives his written consent. The Operator informs the employee about the purposes, sources, methods of obtaining, as well as the nature of the data to be received and the consequences of the employee's refusal to give a written consent to their receipt.

4.8. the Operator processes the personal data of the employees with their written consent, provided for the duration of the employment contract.

4.9. The operator processes personal data of employees during the term of the employment contract. The operator processes the personal data of dismissed employees within the period established by the item. 5 ч. 3 Article 24 Part One of the Tax Code of the Russian Federation No. 146-FZ of July 31, 1998, part 1. 1 Article 29 of the Federal Law "On Accounting" dated December 6, 2011 No. 402-FZ and other regulatory legal acts.

4.10. The operator may process special categories of employees' personal data (health information related to the issue of their ability to perform their work functions) on the basis of item 2.3 hours. Article 10, paragraph 2, of the Federal Law "On Personal Data"

4.11. The operator does not process employees' biometric personal data.

4.12. The operator does not receive data on the membership of employees in public associations or their trade union activities, except in cases provided for by the Russian Labour Code or other federal laws.

4.13. The operator processes the following personal data of employees

— Last name, first name, patronymic

— Type, series and number of identity document;

— Date of issue of the identity document and the issuing authority;

— Year of Birth

— Month of Birth

— Date of birth

— Address;

— Position

— Income

— Place of birth

— Mobile phone

— Family status;

— Nationality;

— Education

— Length of service

— Information on military registration

— Data on social benefits;

— Taxpayer Identification Number;

— Number of state pension insurance certificate;

— Photo;

— Information about staying abroad;

— Contact phone number;

— Email address;

— Profession

— Insurance premiums on OPS;

— MHI premiums

— Tax deductions;

— Retirement;

— Temporary disability

— Time number.

4.14. The Operator does not disclose the employee's personal data to a third party without his or her written consent, except in cases when it is necessary to prevent a threat to the employee's life and health, as well as in other cases provided for by the Russian Labour Code, the Federal Law "On Personal Data" or other federal laws.

4.15. The operator does not disclose the personal data of the employee for commercial purposes without his written consent.

4.16. The operator transfers personal data of employees to their representatives in accordance with the procedure established by the Labour Code of the Russian Federation, the Federal Law On Personal Data and other federal laws, and limits this information only to those data which are necessary for the performance of their functions.

4.17. The operator warns the persons receiving the employee's personal data that this data can only be used for the purposes for which it has been communicated, and requires that these persons confirm that this rule is respected.

4.18. In accordance with the procedure established by law and in accordance with Article 7 of the Federal Law "On Personal Data", in order to achieve the purposes of personal data processing and with the consent of employees, the Operator shall provide personal data of employees or entrust its processing to the following persons:

— State bodies (FIU, FTS, FSS, etc.);

— Bank (under payroll project);

— Passenger Cargo Companies and Hotels (within the framework of business trips).

4.19. Employees can get free access to information about their personal data and the processing of this data. Employees may receive a copy of any record containing their personal data, except as provided by federal law.

4.20. Employees can access medical records reflecting their state of health with the help of a health care professional of their choice.

4.21. Employees can appoint a representative to protect their personal data.

4.22. Employees may request to exclude or correct their incorrect or incomplete personal data, as well as data processed in violation of the requirements of the Russian Labour Code, the Federal Law "On Personal Data" or another federal law. If the Operator refuses to exclude or correct the employee’s personal data, he’may declare his’disagreement in writing and justify such disagreement. Employees may supplement personal data of an evaluative nature with a statement expressing their own point of view.

4.23. The employee may request that all persons to whom his or her personal data have been previously communicated incorrectly or incompletely be informed of any exceptions, corrections or additions made to them.

4.24. The employee may appeal to the court against any illegal actions or omissions of the Operator in the processing and protection of his personal data.

5. Processing of personal data of users

5.1. The Operator processes personal data of users within the framework of legal relations with the Operator, regulated by part two of the Civil Code of the Russian Federation dated January 26, 1996, № 14-FZ, (hereinafter referred to as users).

5.2. the Operator processes the personal data of users in order to comply with the laws of the Russian Federation, as well as for the purpose of:

— enter into and perform obligations under contracts with customers;

— carry out the types of activities provided for in the foundation documents of LLC Turbaza.RU;

— inform about new products, special promotions and offers.

5.3. the operator processes the personal data of users with their consent, provided for the duration of the contracts concluded with them. In the cases stipulated by the Federal Law "On Personal Data", the consent shall be given in writing. In other cases, the consent shall be deemed to have been obtained upon conclusion of the contract or when performing specific actions.

5.4. the Operator processes the personal data of users during the term of validity of the contracts concluded with them. The operator can process the personal data of users after the expiration of the term of validity of the concluded contracts with them within the term established by the item. 5 ч. 3 Article 24 part one of the Tax Code of the Russian Federation, part 1 Article 29 of the Federal Law "On Accounting" and other regulatory legal acts.

5.5. the operator processes the following personal data of users:

— Last name, first name, patronymic

— Year of Birth

— Month of Birth

— Date of birth

— Contact phone number;

— Email address;

— Photo.

5.6. In order to achieve the purposes of personal data processing and with the consent of the users, the Operator provides personal data or instructs the following persons to process it:

— to Suppliers (accommodation facilities) for booking.

6. Processing of personal data of applicants

6.1. the Operator processes the personal data of job seekers (hereinafter — job seekers).

6.2. the operator processes the personal data of the applicants for the purpose:

— decide whether or not to hire.

6.3. the Operator processes the personal data of the applicants with their written consent, provided for the period necessary to make a decision on hiring or refusing to hire them. The exception is the case when a recruitment agency acts on behalf of the applicant, with which he has signed a contract, as well as when the applicant places his resume, available to the public, on the Internet.

6.4. the Operator processes the personal data of the applicants within the period necessary to make a decision on hiring or refusing to hire them. In case of refusal to hire, the Operator stops processing the applicant's personal data within 30 days in accordance with Part 4 of Article 21 of the Federal Law "On Personal Data". If the applicant has given his consent to be included in the personnel reserve, the Operator may continue processing personal data for the period specified in the consent.

6.5. the Operator does not process special categories of personal data of applicants and biometric personal data of applicants.

6.6. The operator processes the following personal data of applicants:

— Last name, first name, patronymic

— Year of Birth

— Month of Birth

— Date of birth

— Contact phone number;

— Email address;

— Family status;

— Photo;

— Education

— Profession; — Income; Position

— Employment record.

7. Personal data security information

7.1. the Operator appoints a person responsible for organizing the processing of personal data in order to perform the duties provided for by the Federal Law "On Personal Data" and the regulatory legal acts adopted in accordance with it.

7.2. the Operator applies a set of legal, organizational, and technical measures to ensure the security of personal data in order to ensure the confidentiality of personal data and their protection from illegal actions:

— provides unlimited access to the Policy, a copy of which is placed at the Operator's address, and may also be placed on the Operator's website (if any);

— in compliance with the Policy, approves and enforces the Regulation on Processing of Personal Data (hereinafter the Regulation) and other local acts

— makes acquaintance of employees with the provisions of the legislation on personal data, as well as with the Policy and Regulations

— allows employees to access personal data processed in the Operator's information system, as well as their physical media, only for the purpose of performing their job duties;

— establishes the rules of access to personal data processed in the Operator's information system, as well as provides registration and accounting of all activities with them;

— assesses the harm that may be caused to personal data subjects in case of violation of the Federal Law on Personal Data

— defines threats to the security of personal data when processing them in the Operator's information system;

— applies organizational and technical measures and uses information security measures necessary to achieve the established level of personal data protection;

— detects unauthorized access to personal data and takes action, including the recovery of personal data modified or destroyed as a result of unauthorized access to it;

— assesses the effectiveness of measures taken to ensure the security of personal data before the Operator's information system is put into operation;

— carries out internal control over the compliance of the processing of personal data of the Federal Law "On Personal Data", adopted in accordance with it, regulatory legal acts, requirements for the protection of personal data, the Policy, Regulations and other local acts, including control over the measures taken to ensure the security of personal data and their level of security when processing in the Operator's information system.

8. Rights of personal data subjects

8.1. the subject of personal data has the right

— to obtain personal data relating to this entity and information relating to its processing;

— to clarify, block or destroy his personal data if it is incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated purpose of processing;

— to revoke his or her consent to the processing of personal data;

— to protect their rights and legitimate interests, including compensation for damages and compensation for moral damages in court;

— to appeal against the Operator's actions or omissions to the authorized body for the protection of personal data subjects' rights or in court.

8.2 To exercise their rights and legitimate interests, personal data subjects have the right to contact the Operator or send a request in person or through a representative. The request shall contain the information specified in part 3 of Article 14 of the Federal Law "On Personal Data".