1. General terms
1.1. This Policy regarding personal data processing (hereinafter referred to as «Policy») was prepared in accordance with Сlause 2, Part 1, Article 18.1 of the Federal Law of the Russian Federation «On Personal Data» No. 152-FZ of July 27, 2006 (hereinafter referred to as «Law») and determines position of legal entity “Opentrade Commerce” LTD (Reg. Number: 1173668009734, TIN: 3664226667, registration address: 394018 Russian Federation, Voronezh, Svobodi st., 14, office 606) and/or its related parties (hereinafter referred to as «Company») in the field of personal data processing and protection (hereinafter referred to as «Data»), compliance with rights and / freedoms of each person and, in particular, right to personal and family privacy.
2. Scope of Regulation
2.1. This Policy applies to data received both before and after this Policy implementation.
2.2. Company provides reliable data protection realizing importance and value of Data and also caring about observance of the constitutional rights of citizens of the Russian Federation and other states.
3.1. Data is understood as any information relating to a directly or indirectly defined or defined individual (citizen), i.e. to such information as: name, email, phone number, skype.
3.2. Data processing is understood as any action (operation) or set of actions (operations) with Data, performed with the use of automation facilities and / or without using such means. Such actions (operations) include Data collection, recording, systematization, accumulation, storage, updating (modification), extraction, use, transmission (distribution, provision, access), depersonalization, blocking, deletion, destruction.
3.3. Data security means safety from unauthorized and / or unauthorized access to them, destruction, modification, blocking, copying, provision, dissemination, as well as from other illegal actions with respect to Data.
4. Legal grounds and purposes of data processing
4.1. Processing and provision of data security in the Company is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, subordinate laws, other defining cases and peculiarities of Data processing of Federal laws of the Russian Federation, guidelines and methodological documents of FSTEC of Russia and Russian Federal Security Service.
4.2. Data Subjects processed by Company are:
- customers — consumers, including visitors of website https://otcommerce.com/, owned by Company including with the purpose of placing an order on the Site https://otcommerce.com/ with subsequent delivery to the client, services recipients.
4.3. Company carries out subjects’ Data processing for the following purposes:
- performing functions, powers and duties assigned to the Company in accordance with Federal laws, including but not limited to: Civil Code of the Russian Federation, Tax Code of the Russian Federation, Labor Code of the Russian Federation, Family Code of the Russian Federation, Federal Law from 01.04.1996 No. 27-FZ «On individual (personified) accounting in mandatory pension insurance system», Federal Law of July 27, 2006 No. 152-FZ «On person Federal Law No. 53-FZ of March 28, 1998 On Military Duty and Military Service, Federal Law No. 31-FZ of February 26, 1997 «On Mobilization Preparation and Mobilization in the Russian Federation», Federal Law from 08.02.1998 No. 14-FZ «On Limited Liability Companies», Federal Law No. 2300-1 of 07.02.1992 «On Protection of Consumer Rights», Federal Law No. 129-ФЗ of 21.11.1996 «On Accounting», Federal Law of 29.11.2010, No. 326-FZ» On compulsory medical insurance in the Russian Federation «
- customers — consumers in order to:
- Providing information on goods / services, special offers;
- Analysis of services quality provided by Company and improving quality of Company customer service;
- Information on order status;
- Contract performance including agreement of sale and purchase, including concluded by a remote way on the Site, provision of paid services; provision of services as well as accounting services provided to consumers for mutual settlements;
- Delivery of ordered goods to customer who made an order on the Site, refunds.
5. Principles and conditions of data processing
5.1. When processing Data Company adheres to the following principles:
- Data processing is performed on a legal and fair basis;
- Data is not disclosed to third parties and does not extend without consent of Data Subject, except for cases requiring Data disclosure at authorized state bodies request, legal proceedings;
- Definition of specific legal objectives before processing (including collection) of Data;
- Collection of only necessary and sufficient Data for stated purpose of processing;
- Unification of databases containing Data, processing of which is carried out for purposes inconsistent with each other is not allowed;
- Data processing is limited to the achievement of specific, predefined and legitimate purposes;
- Processed Data are subject to destruction or depersonalization upon achievement of treatment objectives or in case of no further need to achieve these goals, unless otherwise provided by Federal law.
5.2. Company can include subjects’ Data into publicly available Data sources, while Company takes written consent of subject to process its Data, or by expressing consent through site form (checkbox) for agreement by clicking.
5.3. Company does not process Data related to race, nationality, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.
5.4. Company does not process Biometric Data (information that characterizes physiological and biological characteristics of Data Subject used as the basis for identity determination).
5.5. Company does not perform cross-border data transfer.
5.6. Company is entitled to transfer Data to third parties (Federal Tax Service, State Pension Fund and other state bodies) in cases stipulated by the legislation of the Russian Federation.
5.7. Company has the right to entrust subject’s Data processing to third parties with Data Subject consent based on Agreement between these persons a well as with consent of User Agreement and Policy of personal data processing posted on the site.
5.8. Persons processing data based on Agreement concluded with the Company (operator’s instructions), undertake to comply with principles and rules for data processing and protection provided by Law. For each third person Agreement specifies a list of actions (operations) with Data that will be performed by third person performing Data processing, processing purposes, establishes duty of such person to maintain confidentiality and ensure the data security during processing, specifies requirements for protection of Data being processed in accordance with Law.
5.9. Data processing in the Company is carried out with or without the use of automation in order to comply with current legislation of the Russian Federation and its contractual obligations requirements. Circuit of data processing includes collection, recording, systematization, accumulation, storage, updating (updating, modification), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction.
5.10. Company prohibits making decision on basis of an exclusively automated Data generating legal consequences with respect to Data Subject or otherwise affecting his rights and legitimate interests, except as provided by the legislation of the Russian Federation.
6. Rights and obligations of Data Subjects as well as Company in terms of data processing
6.1. Data Subject has the right:
— To receive the following information from Company:
- confirmation of data processing fact and its availability related to relevant Data Subject;
- information on legal grounds and purposes of data processing;
- information on methods of Data processing by Company;
- information on Company name and location;
- information on persons (with the exception of Company employees) who have access to Data or who may be disclosed Data on the basis of Agreement or Federal law;
- list of data processed relating to Data Subject and information on their receipt source, unless another procedure for providing such Data is provided for by Federal law;
- information on Data processing time including time period for retaining personal data;
- information on procedure for execution of rights by Data Subject provided by Law;
- name (name and last name) and address of person processing Data on behalf of the Company;
- other information provided by Law or other regulatory legal acts of the Russian Federation;
— To request from Company:
- his Data clarification, its blocking or destroying in case Data is incomplete, outdated, inaccurate, illegally obtained or not necessary for processing purpose;
- withdraw own consent to process personal Data at any time; demand elimination of Company illegal actions with respect to its Data;
- appeal against actions or inaction of Company to Federal Service for Supervision of Communications, Information Technology, and Mass Media or in court if Data Subject believes that Company is processing its Data in violation of Law requirements or otherwise violates it rights and freedoms;
— to protect own rights and legitimate interests, including compensation for damages and / or compensation for moral harm in the courts.
6.2. Company is required in Data processing:
- provide information regarding Data processing to Data Subject upon his request or lawfully provide a refusal within thirty days from date of request receipt by Data Subject or his representative;
- explain to Data Subject legal consequences of refusal to provide Data if its provision is mandatory in accordance with the Federal law;
- provide Data Subject with the following information before Data processing, except as otherwise provided in Article 18, Part 4 of the Law (if Data is not provided by Data Subject):
1) name or last name, patronymic and Company address or its representative;
2) purpose of data processing and its legal basis;
3) prospective users of Data;
4) Data Subjects rights established by law;
5) source of Data acquisition.
- take necessary legal, organizational and technical measures or ensure their acceptance to protect Data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, dissemination of Data, as well as from other illegal actions with respect to Data;
- publish on the Internet and provide unrestricted access using the Internet to a document that defines its policy regarding Data processing, to information about current requirements for data protection;
- provide Data Subjects and / or their representatives with free of charge opportunity to get acquainted with Data when handling relevant request within 30 days from receipt date of such request;
- block illegally processed Data pertaining to Data Subject, or ensure that they are blocked (if data processing is performed by another person acting on behalf of Company) from application time or request receipt for verification period, in case Data is illegally processed when Data Subject is accessed or his representative, or, upon request, to Data Subject or his representative or authorized body for protection of rights of personal Data Subjects;
- clarify Data or ensure clarification (if data processing is performed by another person acting on behalf of Company) within 7 working days from information submission date and to remove data blocking in case of confirmation of Data inaccuracy on the basis of information submitted by Data Subject or his representative;
- stop improper Data processing or ensure that Data is not illegally processed by a person acting on behalf of Company in case that undocumented data processing is performed by Company or a person acting on the basis of Company Agreement within a period not exceeding 3 business days from such disclosure date;
- terminate Data processing or ensure its termination (if data processing is performed by another person acting under Company Agreement) and destroy Data or ensure its destruction (if data processing is performed by another person acting under Company Agreement) upon purpose achievement of Data processing if the other is not provided by the Agreement, party of which, beneficiary or guarantor is Data Subject, in case achievement of Data processing purpose;
- stop Data processing or ensure its termination and destroy Data or ensure its destruction in case Data Subject withdraws consent to process Data if Company is not entitled to process Data without Data Subject consent;
- keep a record book of personal data requests, in which requests of Data Subjects for receiving Data should be recorded, as well as facts of providing Data for these requests.
7. Requirements for Data protection
7.1. Company takes necessary legal, organizational and technical measures to protect Data from unauthorized and / or unauthorized access to, data destruction, modification, blocking, copying, provision, dissemination, and other unlawful activities with respect to Data when processing Data.
7.2. Such measures in accordance with the Law, in particular, include:
- designation of responsible person for organization of data processing, and responsible person for ensuring data security;
- development and approval of local acts on data processing and protection;
- application of legal, organizational and technical measures to ensure data security:
· identification of data security threats when processing it in personal data information systems;
· application of organizational and technical measures to ensure Data security in processing it in personal data information systems required to meet data protection requirements, implementation of which is ensured by data security levels established by the Government of the Russian Federation;
· application of procedure set in established order for evaluating compliance of information protection means;
· evaluation of taken measures effectiveness to ensure Data security before putting into operation an information system for personal data;
· registration of computer data carriers, if data storage is carried out on machine carriers;
· detection of unauthorized access facts to Data and taking measures to prevent similar incidents in the future;
· data recovery, modified or destroyed due to unauthorized access to them;
· setting rules for access to Data processed in personal data information system, as well as ensuring registration and recording of all actions performed with Data in personal data information system.
- control over measures taken to ensure data security and level of information systems security of personal data;
- harm evaluation that may be caused to Data Subjects in case of violation of law requirements, ratio of said harm and measures taken by Company aimed to ensure duties fulfillment provided by Law;
- observance of conditions excluding unauthorized access to material data carriers and ensuring data safety;
- acquaintance of Company employees directly processing Data with provisions of the Russian Federation legislation on Data, including requirements for data protection, local acts on data processing and protection, and training of Company employees.
8. Data processing (retention) period
8.1. Data processing (retention) period is determined on the basis of data processing purposes, in accordance with term of Agreement with Data Subject, requirements of federal laws, data operators’ requirements for data processing by Company, basic rules of archives of organizations, limitation period.
8.2. Data whose processing (storage) period has expired must be destroyed, unless otherwise stipulated by federal law. Data storage after termination of their processing is allowed only after depersonalization.
9. Procedure for obtaining clarifications on Data processing
9.1. Persons whose Data is processed by Company can receive clarification on their Data processing by contacting Company personally or by sending a written request to Company’s address: 394018 Russian Federation, Voronezh, Svobodi st., 14, office 606.
9.2. Specify the following information in the text of official request to Company:
- last name, first name and patronymic of Data Subject or his representative;
- number of main document certifying identity of Data Subject or its representative, issue date information of specified document and issuing body;
- information confirming that Data Subject has relations with the Company; information for feedback in order to send a response to request by Company;
- Data Subject signature (or its representative). Request must be in the form of an electronic document and signed by electronic signature in accordance with the legislation of the Russian Federation if it is sent in electronic form.
10. Features of Data processing and protection collected by Company using the Internet
10.1. Company processes Data received from Site’s users from resource: https://otcommerce.com/(hereinafter jointly referred to Site), as well as arriving at Company’s e-mail address: firstname.lastname@example.org, through Company’s feedback form, located at: https://otcommerce.com/order.
10.2. Data collection
There are two main ways in the Company to receive Data using the Internet:
10.2.1. Providing Data
Providing data (Data self-input):
- Phone number;
10.2.2. Data Subjects enter it through Company’s feedback form located at https://otcommerce.com/order. Form is sent to Company’s e-mail address: email@example.com.
10.3. Automatically collected information
Company can collect and process unpersonal information:
- information about users’ interests on the Site on the basis of their entered search requests on goods by Company with the purpose of providing up-to-date information to Company’s customers when using the Site, as well as summarizing and analyzing information what Site sections and goods are most in demand between Company customers;
- processing and storing of Site users’ search requests in order to generalize and create client statistics about Site sections use.
Company automatically receives some types of information obtained during users’ interaction with the Site, e-mail correspondence, etc. It is about technologies and services, such as web protocols, cookies, web markers, as well as applications and tools specified by third side.
Herewith, web markers, cookies and other monitoring technologies do not allow automatic data retrieval. Only processes of automatic detailed information collection for website convenient use and / or improving interaction with users are launched if site user submits his Data at his own discretion, for example, when filling out feedback form or sending email.
10.4. Using Data
Company has a right to use Data provided in accordance with stated purposes of their collection, subject to consent of Data Subject, if such consent is required in accordance with requirements of the Russian Federation legislation in the field of Data.
Obtained data in a generalized and impersonal form can be used to better understand customers of goods and services implemented by Company and improve service quality.
10.5. Data transmission
Company may entrust Data processing to third parties only with Data Subject consent. Data can be also transferred to third parties in the following cases:
а) As a response to legitimate requests of authorized state bodies, in accordance with laws, court decisions, etc.;
б) Data can not be transferred to third parties for marketing, commercial and other similar purposes, except for cases of obtaining preliminary consent of Data Subject.
10.6. Site contains links to other web resources with useful and interesting information for Site users. In this case, this Policy does not affect such sites. Users following links to other sites are advised to familiarize themselves with Data processing policies on such sites.
10.7. Site user may withdraw his consent for Data processing at any time by sending a message to Company’s e-mail address: firstname.lastname@example.org, through Company’s feedback form located at: https://otcommerce.com/order, or by sending a written notice to Company address: 394018 Russian Federation, Voronezh, Svobodi st., 14, office 606. User Data processing will be terminated after receiving such a message and its Data will be deleted, unless processing can be continued in accordance with the law.
Final provisions This Policy is a local regulatory act of the Company. This Policy is public. The general availability of this Policy is provided by publication on the Company’s Site. This Policy may be revised in any of the following cases
11. Final provisions
This Policy is a Company local regulatory act. This Policy is public. General availability of this Policy is provided by publication on Company’s Site. This Policy may be revised in any of the following cases:
- after changes in the legislation of the Russian Federation in the field of processing and protecting personal data;
- in cases of receiving orders from competent state bodies to eliminate inconsistencies affecting Policy scope;
- by decision of Company’s management
- after changes in purposes and terms of data processing;
- after changes in organizational structure, structure of information and / or telecommunications systems (or introduction of new ones);
- after applying new technologies for data processing and protection (including transmission, storage);
- if there is a need to change Data processing related to Company activities. In case of failure to comply with provisions of this Policy, Company and its employees are liable in accordance with the current legislation of the Russian Federation. Control over implementation of this Policy requirements is carried out by persons responsible for organizing Data processing of Company, as well as for personal data security.