Personal Data Processing Policy adopted by Plaza Oteli, LLC

1. GENERAL TERMS AND CONDITIONS

1.1. The Policy adopted by Plaza Oteli, Limited Liability Company, in connection with personal data processing (hereinafter referred to as the Policy) is a binding internal regulation, a foundation document specifying the general goals, principles and standards of Plaza Oteli, Limited Liability Company (hereinafter referred to as the Operator) in the course of personal data processing.

1.2. The Policy has been developed to comply with the requirements provided by Clause 18.1 of Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (hereinafter referred to as the Federal Law) and to implement the requirements set forth in the Russian legislation in the sphere of personal data processing and protection. It is focused on ensuring the protection of human and civil rights and liberties in the course of personal data processing by the Operator, including protection of the rights to privacy and to personal and family secrets.

1.3. Basic concepts used in the Policy are as follows:

Personal Data (hereinafter referred to as the PD) shall include any information relating to a directly or indirectly identified or identifiable natural person (Personal Data Subject);

Personal Data Operator (Operator) shall mean any public or local authority, any legal or natural person arranging and (or) engaged in personal data processing independently or together with other persons and defining the goals for the PD processing, scope of the PD to be processed, actions (operations) to be made with the PD;

Personal Data Processing is any action (operation) or a series of actions (operations) with the PD made using automation means or without using thereof. PD processing shall include, but is not limited to:

  • collection;
  • recording;
  • classification;
  • accumulation;
  • storage;
  • validation (updating, changing);
  • extracting;
  • using;
  • transfer (distribution, provision, access);
  • anonymization;
  • blocking;
  • deleting;
  • erasing;

personal data automated processing is PD processing using computer engineering means;

personal data distribution shall include any actions aimed to disclose PD to the general public;

personal data provision shall include any actions aimed to disclose PD to a definite person or a certain group of persons;

personal data blocking is the temporary suspension of PD processing (except for the cases when such processing is necessary to clarify the PD);

personal data erasing shall include any actions making it impossible to restore PD contents in the PD information system and (or) resulting in the destruction of PD tangible media;

personal data anonymization shall include any actions making it impossible, without the use of additional information, to identify that certain PD refer to a particular PD subject;

personal data information system means the PD scope stored in data bases together with the information technologies, hardware and software ensuring processing thereof;

personal data international transfer is PD transfer to the territory of a foreign state to a foreign state authority or to any foreign natural or legal person.

1.4. The Operator’s principal rights and obligations

1.4.1. The Operator may:

1) independently select the scope and list of measures necessary and appropriate to ensure the discharge of the obligations provided by the Federal Law and internal regulations made subject thereto, unless otherwise provided by the Federal Law or other federal laws;

2) entrust PD processing to any other person with the consent of the personal data subject, unless otherwise provided by the Federal Law, subject to an agreement made with such person. Any person engaged in personal data processing upon the Operator’s instructions shall comply with all principles and rules for the PD processing provided by the Federal Law;

3) in case the PD subject withdraws his/her consent on PD processing, the Operator may continue PD processing without the personal data subject’s consent when it is legally provided by the Federal Law.

1.4.2. The Operator shall:

1) arrange PD processing subject to the requirements specified in the Federal Law;

2) respond to applications and requests made by PD subjects and their legal representatives subject to the requirements specified in the Federal Law;

3) submit to the authorized agency protecting the rights of PD subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor)), at such agency’s request, any required information within 30 days of the date of receipt of such request;

4) refrain from processing PD referred to race or national identity, political opinion, religious or philosophic beliefs, health condition and intimate life. In case of receiving such PD, the Operator shall immediately erase it.

1.5. Fundamental Rights of the Personal Data Subject. Each Personal Data Subject may:

1) receive information relating to the processing of his/her PD, except for the cases provided by federal laws. Such information shall be submitted to the PD subject by the Operator in an intelligible form without any PD referring to other personal data subjects, except for the cases when there are certain legal grounds to disclose such PD. The list of information and the procedure for receiving it are provided by the Federal Law;

2) require the Operator to make his/her PD more accurate, or to block or erase it, in case such PD is incomplete, outdated, inaccurate, was received illegally or is not necessary for the declared processing goal, and take measures provided by the law to protect his/her rights.

1.6. The relations in connection with PD processing and protection submitted by the PD subject shall be governed by this Policy, Operator’s internal regulations and Russian legislation in the sphere of PD processing.

1.7. Personal data processing is limited to the achievement of certain, pre-determined and legal goals. Personal data may not be processed to achieve any goals other than those for which such personal data have been collected.

1.7.1. The Operator shall process PD to achieve the following goals:

  • ensuring compliance with the Constitution of the Russian Federation, federal laws and other Russian internal regulations;
  • submitting to a PD subject any information on the products, special offers, goods availability, any other data and consultations providing, and newsletters sending, commercials delivery, including for
  • the Operator’s discharging its employer’s obligations provided by the legislation;
  • making marketing and other research by the Operator;
  • preparation and submitting by the Operator responses to applications filed by PD subjects;
  • holding events by the Operator with PD subjects participation (excursions, shows, etc.);
  • obligations discharging by the Operator arising out of contractual and other civil law relations with PD subjects.

1.7.2. The Operator may process PD of the following categories of subjects in the following scope:

1) persons interested in the Operator’s offers of services and persons considering buying the products offered by the Operator who, to achieve the aforementioned goals, have submitted a request for the rendering of services/purchase of products;

2) persons who are in the process of the services rendering by the Operator, products acquiring, agreement making (the Operator shall process the following data: the taxpayer’s identification number, details of the identity document, registration address, information about the family, professional status and any other information submitted by the PD subject on his/her free will, except for the data referred to race or national identity, political opinion, religious or philosophic beliefs, health condition, intimate life);

3) persons to whom the Operator has rendered services, who have bought products from the Operator, made agreements (the Operator processes the data required to enter and properly perform the agreement subject to the provisions thereof to make questionnaire surveys about the Operator’s products, services and maintenance quality);

4) persons visiting the website plghotels.com (the Operator processes data about users’ activities on the aforementioned website as follows: browser and search history, device identifier and other identification characteristics, software devices (for example, statistics about visiting the website, URL-address from which the user loads the website), and information submitted due to the use of cookies). If a PD subject continues to use the website plghotels.com, he/she agrees to the Operator's use of cookies;

5) persons using the ‘PLG Hotels’ mobile application (the Operator processes the data about users’ actions in such mobile application in the following scope: data automatically transferred to the ‘PLG Hotels’ mobile application in the course of using it with the help of software installed on the user’s device, including IP-address, information from cookies, information on the user’s browser (or some other program helping him/her to access the ‘PLG Hotels’ mobile application), access time, etc., and information submitted due to the use of cookie files). If a PD subject continues to use the ‘PLG Hotels’ mobile application, he/she agrees to the Operator's use of cookies;

6) contractors and prospective contractors, natural persons being representatives of such contractors and prospective contractors (the Operator processes the data in the scope required to make and perform the agreement);

7) the Operator’s employees and former employees (the Operator processes the data submitted to it when sending a CV to its address and (or) covering letters when searching for work);

8) other persons in the cases provided by Russian law and the Operator’s internal regulations.

1.7.3. The list of PD to be processed by the Operator shall be established by the executive directive made by the Operator’s manager.

1.8. Legal grounds for PD processing are:

  • federal laws and internal regulations adopted on their basis governing the relations in connection with the Operator’s activities;
  • agreements made by and between the Operator and PD subjects;
  • consent of a PD subject for PD processing.

1.9. This Policy will cover the relations in connection with processing the PD received by the Operator both before and after approval thereof, except for the cases when due to legal, arrangement and other reasons the Policy provisions may not cover the relations in connection with processing and protecting the PD received before the approval thereof.

2. PD PROCESSING PROVISIONS AND CONDITIONS FOR TRANSFERRING THEREOF TO THIRD PARTIES

2.1. PD shall be processed by the Operator subject to requirements provided by the Russian legislation.

2.2. PD shall be processed upon the consent made by the personal data subjects for their personal data processing or without such consent in the cases provided by the Russian legislation.

2.3. PD subject’s PD shall be processed during the term required to achieve the goals set forth in the Policy (unless such personal data storage term is fixed by any federal law or agreement) by any legal means, including in information systems using automation means or without using thereof.

2.4. PD may be transferred by the Operator to authorized government agencies only on the grounds and in the manner provided by the Russian legislation.

2.5. By filling in the draft (of feedback/questionnaire in the course of a profile account creating) (hereinafter referred to as the Draft) where PD are entered on the Operator’s corporate web-site on the Internet and sending it to the Operator, each PD subject confirms that he/she:

  • provides accurate information about himself/herself, all other information is provided by such PD subject at his/her own discretion;
  • agrees to his/her personal data processing subject to this Policy;
  • recognizes the legal force of e-mails/documents sent by e-mail, including by the Operator;
  • holds an exclusive right and access ability to the e-mail account and/or mobile telephone communication device with the address and/or number specified in the draft. Such access is granted by the PD s

2.5.1. The Operator does not verify the accuracy of the received information about the PD subject except for the cases when such verification is required to discharge the obligations assumed to him/her.

2.6. The Operator may transfer PD to third parties in the following cases:

  • a PD subject has given his/her consent on such actions;
  • such transfer is a part of the procedure provided by the Russian legislation.

2.7. When processing the PD, the Operator relies upon the current Russian legislation about the PD and Operator’s internal regulations.

2.8. When collecting PD, including on the information and telecommunication network Internet, the Operator ensures recording, classification, accumulation, storage, validation (updating, changing), extraction of Russian citizens’ personal data using data bases being within the Russian Federation, except for the cases specified in the Personal Data Law.

2.9. A personal data subject agrees that the Operator may, relying upon the consent given by such PD subject, process PD, including transferring such PD to third parties, including contractors servicing the Operator’s corporate web-site on the Internet and other legal and natural persons rendering marketing and other services to the Operator, including to make excursions and hold other events. Subject to Part 1 of Clause 18 of the Federal Law, the PD subject also agrees to receive messages, including SMS notices and commercials, via telecommunication networks, including by phone, fax and mobile telephone communication.

3. FEEDBACK

3.1. The Operator’s contact data for PD subjects to send their applications in connection with PD:

e-mail address: Info@plghotels.com;

postal address: 26 Sinopskaya Embankment, Letter A, Premise 2-N, 10-N, office 5-4, 191167 Saint Petersburg;

contact phone number: 8 (812) 305-5-101

3.2. By sending a request using the aforementioned contact details, the subject of the PD being processed by the Operator, or a representative thereof, may receive information in connection with the processing of such subject’s PD, including:

  • the confirmation of the fact of such PD processing by the Operator;
  • legal grounds and goals of PD processing;
  • goals and means of PD processing used by the Operator;
  • the Operator’s name and place of location, information about the persons (except for the Operator’s employees) having access to such PD or who may receive such PD subject to an agreement made with the Operator or subject to the federal law;
  • processed PD referred to a relevant PD subject, the source of receiving thereof, unless some other procedure of such data submitting is provided by the federal law;
  • terms for PD processing, including their storage terms;
  • procedure for the rights exercising by the PD subject provided by the Federal Law;
  • information about completed or intended international PD transfer;
  • corporate name or full name of a person processing PD upon the Operator’s instructions in case processing is delegated or will be delegated to such person;
  • other information provided by the Federal Law or other federal laws.

3.3. Any PD subject may receive information in connection with his/her data processing, except for the cases when such right is restricted subject to federal laws. Any PD subject may require the Operator to make his/her PD more accurate, or to block or erase it, in case such PD is incomplete, outdated, inaccurate, was received illegally or is not necessary for the declared processing goal, and take measures provided by the law to protect his/her rights.

3.3.1. The Operator assumes that the PD subject agrees that upon its written demand a notice about such PD erasing will be sent/delivered to his/her e-mail or residential addresses specified in the consent for PD processing or to his/her representative by hand or to his/her residential address.

3.3.2. A request for information receipt or PD erasing shall have the number of a principal identity document of a PD subject or his/her representative, information about the aforementioned document issuing date and authority, information confirming the PD subject’s participation in the relations with the Operator (agreement number, date of making thereof, respective verbal mark and/or other data) or information that otherwise confirms the fact of PD processing by the Operator, PD subject’s or his/her representative’s signature. Such request may be sent as a respective notice by e-mail from the e-mail address specified by such PD subject to the Operator’s e-mail address (Info@plghotels.com) or as a written application to the Operator by registered mail with delivery confirmation and an enclosure list to the address: 26 Sinopskaya Embankment, Letter A, Premise 2-N, 10-N, office 5-4, 191167 Saint Petersburg.

The PD subject’s right to access his/her PD may be restricted subject to Part 8 of Clause 14 of the Federal Law, including when such PD subject’s access to his/her PD violates third parties’ rights and legal interests.

3.4. In case the aforementioned information and processed PD are provided to any PD subject for review, such PD subject may contact the Operator once again or send a repeated request to receive PD at least 30 (thirty) days after his/her initial application or initial request sending.

4. PD PROCESSING SECURITY

4.1. The principal goal of ensuring PD security during processing by the Operator is to prevent unauthorized access to PD by third parties and to prevent deliberate hardware-in-the-loop or other actions to steal, destroy (erase) or corrupt PD in the course of processing.

4.2. The Operator shall take any and all sufficient technical and organizational measures to ensure information safety and PD protection from unlawful or accidental access, erasing, changing, blocking, copying and distribution, and from any other illegal actions with such data by third parties.

4.3. The Operator shall not process PD in case it contradicts the goals for collecting thereof. Unless otherwise provided by the federal law, upon completing PD processing, including upon achieving the goals of processing or when the PD is no longer needed to achieve such goals, all PD processed by the Operator shall be erased or anonymized.

4.4. In the course of PD processing, the accuracy and sufficiency of PD shall be ensured and, where applicable, their urgent character in relation to the purposes of processing. The Operator shall take all required measures to erase or clarify any incomplete or inaccurate PD.

5. MISCELLANEOUS

5.1. The Operator may make amendments to the Policy. Such Policy’s updated version shall come into effect as of posting thereof on the corporate web-site plghotels.com of Plaza Oteli, unless otherwise provided by such updated version.