1. GENERAL PROVISIONS
1.2 This policy developed up in order to ensure the protection of the human rights and liberties when processing personal data, including the protection of the privacy rights, personal and family privacy.
1.3 This Policy discloses the procedure for processing Website users personal connected with using the Website.
1.4 The policy was developed by the Company in accordance with the Constitution of the Russian Federation, Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter the Law on Personal Data), other regulatory legal acts of the Russian Federation, and also taking into account international regulatory legal acts: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
1.5 The Policy is developed and used in conjunction with the users Consent to the processing of personal data.
1.6 This Policy is placed on the Company's website. Unlimited access to the Policy is provided to any person who contacts the Company.
1.7 This Policy does not apply to Company’s websites that do not link to this Policy or that link to a document other than the Policy regarding the processing of personal data.
1.8 The Company reserves the right to amend the Policy as necessary. A mandatory review of the Policy is carried out in case of significant changes in international or national legislation regarding the processing of personal data. If the Company already processes personal data, the Company shall notify of such changes by the email address provided by the user of the Website.
1.9 The Company does not verify the accuracy of the provided personal data and the legal capacity of the person who provided it. The user of the Website guarantees that all data is reliable, relevant and does not violate the laws of the Russian Federation.
1.10 The Company is the Operator of only those personal data that it received from the user, as from an individual, using the Website. If it is not possible in any way to correlate information and an individual, the Operator does not consider this information as personal data.
2. POLICY GENERAL TERMS
2.1. Personal data – any information relating directly or indirectly to a specific individual (personal data subject);
2.2. Operator – CVisionLab LLC, which independently or jointly with other persons organizes and/or carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
2.3. Personal data processing – any action (operation) or a set of actions (operations) performed using automation tools or without using such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
2.4. Automated processing of personal data – processing of personal data using computer technology;
2.5. Distribution of personal data – actions aimed at disclosing personal data to any number of unspecified persons;
2.6. Provision of personal data – actions aimed at disclosing personal data to a specific person or a certain circle of persons;
2.8. Blocking of personal data – temporary suspension of personal data processing (unless the processing is necessary to clarify personal data);
2.9. Destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which physical storage of personal data is destroyed;
2.10. Depersonalization of personal data – actions, as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific personal data subject;
2.11. Personal data information system – an aggregate of personal data contained in the databases and information technologies and technical means providing the processing of such data;
2.12. Cross-border transfer of personal data – the transfer of personal data to the territory of a foreign state, to a foreign authority, a foreign individual or to a foreign entity;
2.13. Cookies – Internet identification files stored on the user’s terminal equipment, allowing to store individual information about the user.
3. PURPOSES, PRINCIPLES AND LEGAL BASIS OF PERSONAL DATA PROCESSING
3.1. The Company adheres to the following principles when processing personal data:
1) Legality and fairness of the processing of personal data;
2) Processing personal data in accordance with specific, predetermined and legal purposes;
3) Prevention of combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
4) Processing only those personal data that meet the purposes of their processing;
5) Compliance of the content and amount of personal data with the stated processing purposes;
6) Accuracy, sufficiency, relevance and reliability of personal data;
7) Legality of technical measures used in the processing of personal data;
8) Reasonableness and expediency of processing personal data;
9) Storage of personal data in a form that allows determining the personal data subject no longer than is required by the purpose of their processing or during the term of consent of a personal data subject;
10) The processed personal data is subject to destruction or depersonalization immediately after the purposes of their processing have been achieved or the need to achieve them has been lost.
3.2. The user confirms that the Operator carries out actions related to the processing of personal data for the following purposes:
1) When using the Website – for the purpose of properly fulfilling the obligations of the Company to you, providing access to the Website, registering on the Website, as well as in any other cases related to this action;
2) When communicating with the user of the Website – by the email address specified by the user for the purpose of timely communication and the provision of any necessary reliable and complete information related to the activities of the Company. This includes the provision and distribution of information about the Website and promotion actions and events organized by the Company and/or authorized third parties;
3) When receiving feedback from the user in order to:
– receive information about user loyalty and satisfaction, research and process such information;
– analyze feedback to improve the quality of the Website;
– conduct any kind of research;
4) When ensuring the protection and confidentiality of the user's personal data – to ensure the operability and safety of the Website, to confirm the actions you take, to prevent the cases of fraud, cyberattacks and other abuses, as well as to investigate such cases.
3.3. The legal basis for the processing of personal data is the totality of legal acts pursuant to and in accordance with which the operator processes personal data:
– Federal laws and enacted on their basis regulatory legal acts of the Russian Federation regulating the activities of the Operator;
– Operator’s constitutional documents;
– Contracts concluded between the Operator and the personal data subject;
– Consent to the processing of personal data.
4. PERSONAL DATA FOR PROCESSING WHICH USER AGREES
4.1. Depending on the webform you fill out, the Company may process the following personal data of the user:
1) surname, first name and patronymic;
2) email address;
3) portrait image;
4) data on technical means (devices): IP address, operating system, type of device (personal computer, mobile phone, tablet), browser type, geolocation, ISP, etc.;
5) information obtained as a result of user actions, including the following information: about comments left, requests, reviews and questions;
6) information automatically obtained when accessing the Site using cookies;
7) country of residence;
8) contact phone number.
5. PERSONAL DATA PROCESSING
5.1. All personal data is requested directly from a personal data subject. If personal data can only be obtained from a third party, personal data subject should be notified in advance and his consent must be obtained.
5.2. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the personal data subject’s agreement to the processing of personal data relating to him, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting the Website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the personal data subject’s acceptance of the proposed processing of his personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the personal data subject’s consent is to be given following a request by electronic means, the request must be clear and concise.
5.3. Personal data processing without the consent of the personal data subject is carried out in the following cases:
– the personal data is publicly available;
– at the request of the authorities in cases provided by federal law;
– personal data processing is carried out for the purposes of statistical or other researches, subject to the mandatory depersonalization of personal data;
– in other cases provided by law.
5.4. Personal data is collected in the following ways:
1) provision of personal data by you when filling out forms, including webforms on the Website;
2) automatic data collection using technologies and services: web protocols, cookies, etc.
3) provision of personal data by you in writing, including by electronic means;
5.5. Personal data storage and use:
1) personal data is stored only on properly protected data carriers, including electronic ones, and processed both with the use of automation tools and without the use of such tools;
2) the Operator ensures the use of databases located on the territory of the Russian Federation for the automated processing of personal data.
5.6. Передача персональных данных:
1) the Operator transfers personal data to third parties, including, but not limited to, consultants, partners, contractors, and agents (hereinafter the Consultants) with your consent. Exceptions are cases when the transfer is carried out to ensure compliance with legal requirements, to prevent or suppress your illegal actions and protect the legitimate interests of the Company and third parties;
2) the transfer of personal data to the Consultants is carried out for the above purposes and is based on a contract concluded with the Consultant. At the same time, the Consultants undertake to use personal data exclusively in accordance with this Policy, for the above purposes and for the provision of services under the concluded contract;
3) persons receiving personal data are warned by the Operator that these data can only be used for the purposes for it was transferred.
5.7. The Operator destroys personal data, unless otherwise provided by the contract, by the party, beneficiary or guarantor under which the data subject is, or by other agreement between the Operator and the user, in the following cases:
1) upon achievement of processing purposes;
2) withdrawal by the Website user his of consent to the processing of personal data;
3) existence of a threat to the security of the Website;
4) violation by the user of the terms of the Policy;
5) expiration of the period for retaining personal data;
6) upon users request.
5.8. The procedure for blocking and unblocking of personal data:
– The blocking of personal data implies a temporary suspension of personal data processing.
– The blocking of subject’s personal data is carried out at his written request.
– Paper documents related to the personal data subject and containing such data are removed from the internal document flow of the Company, their use is prohibited.
– Unblocking of subject’s personal data is carried out at his written consent or request.
– The repeated consent of the personal data subject to the processing of his personal data entails the unblocking of his personal data.
5.9. The procedure for depersonalization of personal data:
– When carrying out depersonalization of personal data, personal data in Personal data information systems is replaced by a set of characters, according to which it is impossible to determine the ownership of personal data to a specific personal data subject.
– The depersonalization of subject’s personal data is carried out at his written request, provided that contractual relationship is completed or terminated.
– Paper documents related to the personal data subject and containing such data are destroyed.
5.10. If a fact of inaccuracy of personal data or the illegality of its processing is revealed, it’s processing should be stopped, and the personal data is subject to clarification by the Operator.
6. WEBSITE USER RIGHTS
6.1. Website user rights:
6.1.1. The user has the right to receive information about the processing of his personal data, including:
1) confirmation of the fact of personal data processing;
2) legal basis of personal data processing;
3) purposes and methods of personal data processing used by the Operator;
4) what kind of personal data does the Operator process and the source of its receipt
5) period of the processing of personal data, including period for retaining personal data;
6) the procedure for exercising the rights provided for by the Russian Federation legislation;
7) information on completed or proposed cross-border transfer of personal data;
8) information on persons to whom personal data may be provided on the basis of a contract with the Company or in accordance with the Russian Federation legislation;
9) the name or surname, first name, patronymic and the address of the person performing personal data processing on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;
10) other information provided by the Russian Federation legislation.
6.1.2. The user has the right to request the Operator to clarify his personal data, to block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also to take measures prescribed by law to protect his rights.
6.1.3. The user has the right to appeal against illegal actions or inaction of the Operator when processing his personal data in Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation (Roskomnadzor) or in court.
6.2. The user has the right to receive the information specified in this section an unlimited number of times. For this, it is necessary to send an appropriate request to the Operator as prescribed by section 11 of the Policy.
7. OPERATOR RESPONSIBILITIES
7.1. The Operator should:
7.1.1. Organize personal data processing in accordance with the requirements of the Law on Personal Data;
7.1.2. Respond to applications and requests of personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
7.1.3. Provide the authorized body for the protection of the rights of personal data subjects (Federal Service for Supervision of Communications, Information Technology and Mass Media of the Russian Federation (Roskomnadzor) at its request with the necessary information within 30 days from the date of receipt of such a request;
7.1.4. As soon as the Operator becomes aware that a personal data breach has occurred, he should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the Operator is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay;
7.1.5. The Operator should communicate to the personal data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of an individual in order to allow him or her to take the necessary precautions;
7.1.6. Provide information on personal data processing at the request of the user;
7.1.7. Take the necessary and sufficient measures to ensure the fulfillment of the obligations under the Law on Personal Data;
7.1.8. At the request of the user, clarify the processed personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
7.1.9. In case of withdrawal of consent to the processing of personal data, the Operator stops processing it and destroys it within a period not exceeding 30 (thirty) business days from the date of receipt of the withdrawal of consent. Exceptions are cases when processing can be continued in accordance with the Russian Federation legislation.
8. PERSONAL DATA PROTECTION
8.1. All personal data provided by the user is confidential by default. The protection of personal data processed by the Operator is ensured by the implementation of legal, organizational and technical measures necessary and sufficient to meet the requirements Russian Federation legislation on the protection of personal data.
8.1.1. Legal measures include:
– drafting of local regulations of the Company that implement the requirements of Russian Federation legislation regarding the processing and protection of personal data, including this Policy, and posting it on the Website;
– refusal of any methods of personal data processing that do not meet the purposes stated by the Company.
8.2. Organizational measures include:
– appointment of a person responsible for the personal data processing organizing. The user can contact this person by e-mail indicated on the site;
– limiting the number of employees of the Company with access to personal data, and the organization of an authorization system for access to personal data;
– periodic risk assessment regarding the personal data processing;
– initiating internal investigations to detect facts related to unauthorized access to the personal data;
– monitoring and analysis of the security of the Operator's network infrastructure;
– making the provisions of the Russian Federation legislation on personal data, including the requirements for the protection of personal data, and local regulations of the Company on the processing of personal data known by the Company's employees, training of these employees;
– organization of trainings for employees of the Company regarding various issues of personal data processing.
The Operator undertakes and obliges third parties, if they are entrusted with the personal data processing, to respect for confidentiality of personal data and not to use personal data without the consent of an individual, except as otherwise provided in this Policy.
8.3. Technical measures include:
– the organization of a security regime for the premises in which personal data carriers are located, preventing the possibility of unauthorized access or the presence of persons who do not have access to these premises;
– the use of encryption methods during personal data processing.
9. CROSS-BORDER TRANSFER OF PERSONAL DATA
9.1. The Operator is an international company, in this regard, in order to achieve the purposes specified in the Policy, the Operator can transfer personal data of users to countries other than the country from which they were originally obtained – cross-border transfer of personal data.
9.2. Prior to the start of the cross-border transfer of personal data, the Operator must verify that the foreign state to whose territory personal data will be transferred provides adequate protection of the rights of personal data subjects. When carrying out cross-border transfer of personal data, the Company protects personal data in accordance with the Policy.
9.3. Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of personal data subjects can be carried out in the following cases:
– where the personal data subject has given his/her consent to the cross-border transfer of his/her personal data;
– in cases provided for in agreements of the Russian Federation;
– in cases provided for in federal laws where this is necessary to protect the foundations of the constitutional order of the Russian Federation, to provide for national defence and state security, to secure the stable and safe operation of the transport complex and to protect the interests of the individual, society and the state in the transport sphere against acts of unlawful interference;
– for the purpose of the execution of a contract to which the personal data subject is a party;
-for the purpose of protecting life, health and other vital interests of a personal data subject or of other persons where it is impossible to obtain the written consent of the personal data subject.
10. RESTRICTION OF THE POLICY
10.1. The user undertakes to reasonably and responsibly treat the placing of his own personal data in the public domain, including on the Website when leaving feedback and comments.
10.2. The Operator is not responsible for the actions of third parties who gained access to the user's personal data through his fault.
11. APPLICATIONS AND REQUESTS OF PERSONAL DATA SUBJECTS
11.1. The user can send the Operator their requests, including requests regarding the use of personal data:
11.1.1. in writing at the address: Severnaya Ploshchad 3, 347930, Taganrog, Rostov region, Russian Federation;
11.1.2. in the form of an electronic document to the email address: firstname.lastname@example.org.
11.2. The request should contain the following information:
11.2.1. the number of the principal identification document of the personal data subject;
11.2.2. information as to the date of issue of that document and the body which issued it;
11.2.3. information evidencing the personal data subject’s relationship with the Operator or information which otherwise confirms the processing of the personal data by the Operator;
11.2.4. the signature.
11.3. The Operator is obliged to consider the request and send a response to the address indicated in the request within 30 (thirty) calendar days from the receipt of the request.
11.4. All correspondence received by the Company (in writing or in electronic form) is restricted information and is not disclosed without written consent.