Privacy policy

  1. Terms and definitions

Site – a set of software and hardware for computers that ensure the publication for public viewing of information and data united by a common purpose, by means of technical means used for communication between computers on the Internet. A Website in the Policy is a Website located on the Internet at: http://carpiworld.ru/.

User – the user of the Internet and, in particular, the Site.

Federal Law (FZ) – Federal Law No. 152 FZ of 27.07.2006 "On Personal Data" (hereinafter referred to as the Law on Personal Data).

Personal data – any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).

Personal data authorized by the subject of personal data for distribution – personal data, access of an unlimited number of persons to which is provided by the subject of personal data by giving consent to the processing of personal data authorized by the subject of personal data for distribution in accordance with the procedure provided for by the Law on Personal Data.

Operator – an organization that independently or jointly with other persons organizes the processing of personal data, as well as determines the purposes of processing personal data to be processed, actions (operations) performed with personal data.

Operator status: Limited Liability Company "Carpi" (OGRN 1227700005961).

Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Mixed processing of personal data – combined processing of personal data manually and with the help of computer technology.

Provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons.

Blocking of personal data – temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data).

Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which the material carriers of personal data are destroyed.

Depersonalization of personal data – actions as a result of which it becomes impossible to determine whether personal data belongs to a specific subject of personal data without using additional information.

Personal Data Information System (ISPDn) – the totality of personal data contained in databases and information technologies and technical means that ensure their processing.

  2. General provisions

2.1. The Privacy Policy (hereinafter referred to as the Policy) has been developed in order to comply with the requirements of the legislation of the Russian Federation when processing personal data of Website Users, namely, but not limited to: when registering information of individuals and legal entities necessary for the implementation of activities (services) for the development of IT products, analytics and testing, product design, support and maintenance. The Operator has the right to process personal data of other persons who are not Users of the Site, but interact with the Operator in accordance with labor and civil legislation in terms of the implementation of labor and economic relations.

2.2. The Policy has been developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, the current legislation of the Russian Federation in the field of personal data protection.

2.3. The Policy establishes the procedure for processing personal data of Users of the Site: actions for the collection, systematization, accumulation, storage, clarification (updating, modification), destruction of personal data. The Policy establishes the procedure for processing personal data of other persons who are not Users of the Site, but interact with the Operator in accordance with labor and civil legislation in terms of the implementation of labor and economic relations.

2.4. The Policy establishes general requirements and rules, mandatory for the Operator's employees involved in the maintenance of the Site, for working with all types of media containing personal data of Site Users, as well as for processing personal data from other persons who are not Site Users, but interact with the Operator in accordance with labor and civil legislation in terms of the implementation of labor and economic relations.

2.5. The Policy does not address issues of ensuring the security of personal data classified in accordance with the established procedure as information constituting a state secret of the Russian Federation.

2.6. The objectives of the Policy are:

  • ensuring the requirements for the protection of human and civil rights and freedoms in the processing of personal data, including the protection of the rights to privacy, personal and family secrets;
  • exclusion of unauthorized actions of the Operator's employees and any third parties to collect, systematize, accumulate, store, clarify (update, change) personal data, other forms of illegal interference in information resources and the Operator's local computer network, ensuring legal and regulatory confidentiality of undocumented information of the Site Users; protection of the constitutional rights of citizens to personal secrecy, confidentiality of information constituting personal data, and prevention of a possible threat to the security of Site Users.

2.7. Principles of personal data processing:

  • the processing of personal data must be carried out on a legal and fair basis;
  • the processing of personal data should be limited to achieving specific, predetermined and legitimate goals. Processing of personal data incompatible with the purposes of personal data collection is not allowed;
  • it is not allowed to combine databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
  • only personal data that meet the purposes of their processing are subject to processing;
  • the content and volume of the processed personal data must correspond to the stated purposes of processing. The processed personal data should not be redundant in relation to the stated purposes of their processing;
  • the content and volume of the processed personal data to an indefinite circle of persons is determined by the subject of personal data in the agreement on the distribution of personal data;
  • when processing personal data, the accuracy of personal data, their sufficiency, and, if necessary, relevance in relation to the purposes of personal data processing must be ensured;
  • the storage of personal data should be carried out no longer than the purposes of personal data processing require, unless the storage period of personal data is established by Federal Law, an agreement to which the User is a party;
  • the processed personal data is subject to destruction or depersonalization upon achievement of the processing goals, upon withdrawal by the personal data subject of consent to the dissemination of personal data, or in case of loss of the need to achieve these goals, unless otherwise provided by Federal Law.

2.8. Terms of personal data processing.

2.8.1. The processing of personal data of the Site Users is carried out on the basis of the Civil Code of the Russian Federation, the Constitution of the Russian Federation, the current legislation of the Russian Federation in the field of personal data protection.

2.8.2. The processing of personal data on the Website is carried out in compliance with the principles and rules provided for by the Policy and legislation of the Russian Federation.

2.9. Purposes of personal data processing.

2.9.1. The processing of personal data of the Site Users is carried out in order to provide the User with the opportunity to interact with the Site and its functionality, as well as with the Operator, who is a person providing services in accordance with clause 2.1 of the Policy.

2.9.2. The information constituting personal data is any information relating to an individual (subject of personal data) who is identified or identifiable on the basis of such information.

2.10. Sources of obtaining personal data of Users.

2.10.1. The source of information about all the User's personal data is the User himself, as well as other persons who are not Users of the Site, but interact with the Operator in accordance with labor and civil legislation regarding the implementation of labor and economic relations.

2.10.2. The source of information about the User's personal data is information obtained as a result of the Operator granting the User the rights to use the Site, its functionality, as well as when transferring information to the Operator by other persons who are not Users of the Site, but interact with the Operator in accordance with labor, civil legislation in terms of the implementation of labor and economic relations.

2.10.3. Users' personal data refers to confidential information of limited access.

2.10.4. The Operator has no right to collect and process the User's personal data about his race, nationality, political views, religious or philosophical beliefs, private life, except in cases provided for by applicable law.

2.10.5. The Operator has no right to receive and process the User's personal data about his membership in public associations or his trade union activities, except in cases provided for by Federal Law.

2.11. Methods of processing personal data.

2.11.1. Personal data of Site Users and other persons who are not Site Users, but interact with the Operator in accordance with labor and civil legislation regarding the implementation of labor and economic relations, are processed using the method of mixed (automated, non-automated) processing (on paper, on electronic media and in ISPDn).

2.12. Rights of subjects (Users) of personal data.

2.12.1. The User has the right to receive from the Operator, when contacting him personally or when the Operator receives a written request from the User, the following information concerning the processing of his personal data, including:

  • confirmation of the fact of processing of personal data by the Operator, as well as the purpose of such processing;
  • legal grounds and purposes of personal data processing;
  • purposes and methods of personal data processing used by the Operator;
  • the name and location of the Operator, information about persons (with the exception of the operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of Federal Law;
  • processed personal data related to the relevant personal data subject, the source of their receipt, unless another procedure for providing such data is provided for by Federal Law;
  • terms of processing of personal data, including the terms of their storage;
  • the procedure for the exercise by the subject of personal data of the rights provided for by Federal Law;
  • information about the transborder data transfer that has been carried out or is expected to be carried out;
  • the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if processing is or will be entrusted to such a person;
  • other information provided by Federal law or other federal laws;
  • to demand changes, clarifications, destruction of information about oneself;
  • appeal against unlawful actions or omissions in the processing of personal data and demand appropriate compensation in court;
  • to supplement personal data of an evaluative nature with a statement expressing his own point of view;
  • identify representatives to protect your personal data;
  • require the Operator to notify about all changes made in them or exceptions from them.

2.12.2. The User has the right to appeal to the authorized body for the protection of the rights of personal data subjects or in court against the actions or inaction of the Operator if he believes that the latter processes his personal data in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms.

2.12.3. The user of personal data has the right to protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.

2.13. Obligations of the Operator.

2.13.1. Upon a personal request or upon receipt of a written request from a personal data subject or his representative, the Operator, if there are grounds, is obliged to provide information within 30 days from the date of the request or receipt of the request from the personal data subject or his representative to the extent prescribed by Federal Law. Such information must be provided to the subject of personal data in an accessible form, and it must not contain personal data related to other subjects of personal data, except in cases where there are legitimate grounds for disclosure of such personal data.

2.13.2. All requests of personal data subjects or their representatives are registered in the Register of requests (personal data subjects) regarding the processing of personal data.

2.13.3. In case of refusal to provide the personal data subject or his representative with information on the availability of personal data about the relevant personal data subject when contacting or receiving a request from the personal data subject or his representative, the Operator is obliged to give a reasoned response in writing containing a reference to the provision of part 8 of Article 14 of the Personal Data Law or another federal law which is the basis for such refusal, within a period not exceeding 30 days from the date of the request of the personal data subject or his representative, or from the date of receiving a request from the personal data subject or his representative.

2.13.4. In case of receiving a request from the authorized body for the protection of the rights of personal data subjects for the provision of information necessary for the implementation of the activities of the specified body, the Operator is obliged to report such information to the authorized body within 30 days from the date of receipt of such request.

2.13.5. In case of detection of unlawful processing of personal data when contacting or at the request of a personal data subject or his representative or an authorized body for the protection of the rights of personal data subjects, the Operator is obliged to block the unlawfully processed personal data related to this personal data subject from the moment of such request or receipt of the specified request for the verification period.

2.13.6. In case of detection of illegal processing of personal data carried out by the Operator, the latter, within a period not exceeding three working days from the date of this detection, is obliged to stop the illegal processing of personal data. The Operator is obliged to notify the personal data subject or his representative about the elimination of the violations committed, and if the request of the personal data subject or his representative or the request of the authorized body for the protection of the rights of personal data subjects was sent by the authorized body for the protection of the rights of personal data subjects, also the specified body.

2.13.7. The subject of personal data has the right to request to stop the transfer (distribution, provision, access) of his personal data, previously authorized by the subject of personal data for distribution, to any person processing his personal data, in case of non-compliance with the provisions of this article, or to apply to the court with such a request. This person is obliged to stop the transfer (distribution, provision, access) of personal data within three working days from the date of receipt of the request of the personal data subject or within the period specified in the court decision that has entered into force, and if such a period is not specified in the court decision, then within three working days from the date of entry of the court decision into legal force.

2.13.8. The transfer (distribution, provision, access) of personal data authorized by the personal data subject for distribution must be terminated at any time at the request of the personal data subject. This requirement must include the surname, first name, patronymic (if any), contact information (phone number, email address or postal address) of the personal data subject, as well as a list of personal data whose processing is subject to termination. The personal data specified in this request can only be processed by the operator to whom it is sent.

2.13.9. If the purpose of personal data processing is achieved, the Operator is obliged to stop processing personal data and destroy personal data within a period not exceeding 30 working days from the date of achievement of the purpose of personal data processing, unless otherwise provided by the consent to the processing of personal data, to which the personal data subject is a party.

2.13.10. It is prohibited to make decisions based solely on automated processing of personal data that generate legal consequences with respect to the subject of personal data or otherwise affect his rights and legitimate interests.

2.14. Confidentiality of personal data.

2.14.1. The Operator ensures the confidentiality and security of personal data when processing them in accordance with the requirements of the legislation of the Russian Federation.

2.14.2. The Operator does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by Federal Law.

2.14.3. In accordance with the list of personal data processed on the Website, the personal data of the Website Users and other persons providing the Operator with personal data are confidential information.

2.14.4. Persons processing personal data are obliged to comply with the requirements of the Operator's regulatory documents regarding the confidentiality and security of personal data.

  3. Processing of personal data

3.1. The list of processed personal data of Users is indicated by the subject of personal data in consent to the processing of personal data authorized by the subject of personal data for distribution.

3.2. Persons who have the right to access personal data.

3.2.1. The right of access to the personal data of the subjects is held by persons with appropriate powers in accordance with their official duties.

3.2.2. The list of persons with access to personal data is approved by the Operator.

3.3. Terms of storage of personal data on the Website.

3.3.1. The terms of storage of Users' personal data on the Site are determined by the terms of the User Agreement, are put into effect from the moment of acceptance by the User of this Agreement on the Site and are valid until the User declares his desire to delete his personal data from the Site. When providing personal data to the Operator not through the Website (a mixed form of processing), the retention periods of personal data are valid until the User declares his desire to delete his personal data from the Operator.

3.3.2. In case of deletion of data from the Site on the initiative of one of the parties, namely, termination of use of the Site, the User's personal data is stored in the Operator's databases for five years in accordance with the legislation of the Russian Federation.

3.3.3. After the expiration of the above-mentioned period of storage of the User's personal data, the User's personal data is deleted automatically by the algorithm specified by the Operator.

3.3.4. The Operator may process Users' personal data on paper media.

3.4. Blocking of personal data.

3.4.1. The blocking of personal data is understood as the temporary termination by the Operator of operations for their processing at the request of the User when he reveals the unreliability of the processed information or illegal, in the opinion of the subject of personal data, actions with respect to his data.

3.4.2. The Operator does not transfer personal data to third parties and does not entrust the processing of personal data to third parties and organizations. The personal data of the Site Users is processed only by the Operator's employees who are allowed by the established procedure to process the personal data of Users.

3.4.3. Blocking of personal data on the Website is carried out on the basis of a written application from the subject of personal data.

3.5. Destruction of personal data.

3.5.1. The destruction of personal data means actions as a result of which it becomes impossible to restore the content of personal data on the Website and/or as a result of which the material carriers of personal data are destroyed.

3.5.2. The subject of personal data has the right to demand in writing the destruction of his personal data if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing.

3.5.3. In the absence of the possibility of destruction of personal data, the Operator shall block such personal data.

3.5.4. The destruction of personal data is carried out by erasing information with guaranteed destruction.

  4. Personal data protection system

4.1. Measures to ensure the security of personal data during their processing.

4.1.1. When processing personal data, the Operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions with respect to personal data.

4.1.2. Ensuring the security of personal data is achieved, in particular:

  • identification of threats to the security of personal data during their processing in personal data information systems;
  • application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for the protection of personal data;
  • the use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
  • assessment of the effectiveness of the measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
  • taking into account machine-based personal data carriers;
  • detection of unauthorized access to personal data and taking measures;
  • recovery of personal data modified or destroyed due to unauthorized access to them;
  • establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
  • control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.

4.1.3. For the purposes of the Policy, threats to the security of personal data are understood as a set of conditions and factors that create a risk of unauthorized, including accidental, access to personal data, the result of which may be the destruction, modification, blocking, copying, provision, dissemination of personal data, as well as other illegal actions during their processing in the personal data information system. The level of personal data security is understood as a complex indicator characterizing the requirements, the fulfillment of which ensures the neutralization of certain threats to the security of personal data during their processing in the personal data information system.

4.2. Protected information about the subject of personal data.

The protected information about the subject of personal data on the Site includes data that allows you to identify the subject of personal data and / or obtain additional information about him provided for by law and Policy.

4.3. Protected objects of personal data.

4.3.1. The protected objects of personal data on the Website include:

  • objects of informatization and technical means of automated processing of information containing personal data;
  • information resources (databases, files, etc.) containing information about information and telecommunication systems in which personal data circulates, about events that have occurred with managed objects, about plans to ensure uninterrupted operation and procedures for switching to emergency management;
  • communication channels that are used to transmit personal data in the form of informative electrical signals and physical fields;
  • alienable information carriers on a magnetic, magneto-optical and other basis used for the processing of personal data.

4.3.2. Technological information about information systems and elements of the personal data protection system to be protected includes:

  • information about the access control system for informatization objects where personal data is processed;
  • control information (configuration files, routing tables, security system settings, etc.);
  • technological information of means of access to control systems (authentication information, access keys and attributes, etc.);
  • characteristics of communication channels that are used to transmit personal data in the form of informative electrical signals and physical fields;
  • information about personal data protection tools, their composition and structure, principles and technical solutions of protection;
  • service data (metadata) appearing during the operation of software, messages and protocols of inter-network interaction, as a result of the processing of personal data.

4.4. Requirements for the personal data protection system.

The personal data protection system must comply with the requirements of Government Decree No. 1119 dated 01.11.2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".

4.4.1. The personal data protection system must ensure:

  • timely detection and prevention of unauthorized access to personal data and (or) their transfer to persons who do not have the right to access such information;
  • prevention of the impact on the technical means of automated processing of personal data, as a result of which their functioning may be disrupted;
  • the possibility of immediate recovery of personal data modified or destroyed due to unauthorized access to them;
  • constant monitoring of ensuring the level of protection of personal data.

4.5. Methods and techniques of information protection in personal data information systems.

4.5.1. Methods and techniques of information protection in the Operator's personal data information systems must comply with the requirements of:

  • FSTEC Order No. 21 dated 02/18/2013 "On Approval of the Composition and Content of organizational and technical measures to ensure the security of personal data during their Processing in Personal Data Information Systems";
  • FSB Order No. 378 dated 10.07.2014 "On Approval of the Composition and Content of organizational and Technical measures to ensure the security of personal data during their Processing in Personal Data Information Systems using Cryptographic information Protection Tools Necessary to Meet the requirements established by the Government of the Russian Federation for the protection of personal data for each of the security levels" (if the Operator determines the need the use of cryptographic protection of information to ensure the security of personal data).

4.5.2. The main methods and techniques of information protection in the information systems of Users' personal data are methods and techniques of information protection from unauthorized, including accidental, access to personal data, the result of which may be the destruction, modification, blocking, copying, dissemination of personal data, as well as other unauthorized actions (hereinafter – methods and techniques of protecting information from NSD).

4.5.3. The selection and implementation of methods and techniques of information protection on the Site is carried out in accordance with the recommendations of regulators in the field of information protection – the FSTEC of Russia and the FSB of Russia, taking into account the threats to the security of personal data determined by the Operator (threat models) and depending on the class of the information system.

4.5.4. The selected and implemented methods and techniques of information protection on the Website should ensure the neutralization of the alleged threats to the security of personal data during their processing.

4.6. Measures to protect the information constituting personal data.

4.6.1. Measures to protect databases containing personal data taken by the Operator should include:

  • determination of the list of information constituting personal data;
  • restriction of access to information containing personal data by establishing the procedure for handling this information and monitoring compliance with this procedure.

4.6.2. Measures to protect the confidentiality of information are considered reasonably sufficient if:

  • access to personal data of any third parties is excluded without the consent of the Operator;
  • it is possible to use information containing personal data without violating the legislation on personal data;
  • when working with the User, such an Operator's procedure is established, in which the safety of information containing the User's personal data is ensured.

4.6.3. Personal data may not be used for purposes contrary to the requirements of Federal Law, protection of the foundations of the constitutional order, morality, health, rights and legitimate interests of other persons, ensuring the defense of the country and the security of the state.

4.7. Responsibility.

4.7.1. All employees of the Operator who process personal data are obliged to keep information containing personal data secret in accordance with the Policy and the requirements of the legislation of the Russian Federation.

4.7.2. Persons guilty of violating the requirements of the Policy shall bear the prescribed responsibility under the legislation of the Russian Federation.

4.7.3. Responsibility for compliance with the personal data regime in relation to personal data stored in the databases of the Site is borne by those responsible for processing personal data.

  5. Final provisions

5.1. In the event of changes in the current legislation of the Russian Federation, amendments to the regulatory documents on the protection of personal data, this Policy applies to the part that does not contradict the current legislation until it is brought into compliance with such.
