1. General provisions
1.1. This Privacy Policy has been developed by «Granit Concern» JSC 1055011347093 (hereinafter “Policy” and “Data Controller”, respectively) to comply with the requirements stated in Article 18.1, part 1, paragraph 2 of the Russian Federal Law on Personal Data Protection No. 152 dated 27.07.2006 (hereinafter “Personal Data Protection Law”) and regulates the processing of personal data of Users of the Website by the Data Controller.
1.2. The terms used in the Policy are defined in paragraph 1.6 of the Policy. The Policy applies to relations in the field of personal data processing which the Data Controller was involved in, both before and after the approval of this Policy.
1.3. The Data Controller, independently or jointly with other persons, organizes the processing of personal data and determines the purposes of personal data processing and the actions (operations) performed with personal data.
1.4. The Policy applies to all personal data that the Data Controller receives from the Users of the Website.
1.5. In order to comply with the requirements of Article 18.1, part 2 of the Personal Data Protection Law, this Policy is made freely accessible online on the Website.
1.6. Key terms used in the Policy are the following:
1.6.1. “Personal data” refers to any information relating directly or indirectly to a specific or identifiable User of the Website;
1.6.2. “Website” refers to a collection of associated web pages (web documents) available online at: https://tor-m.com;
1.6.3. “User” refers to any person who provided information to the Data Controller using the Website;
1.6.4. “Personal data informational system” refers to a collection of personal data contained in databases and information technologies and technical means that are responsible for their processing;
1.6.5. “Personal data processing” refers to any action (operation) or a series of actions (operations) performed with personal data using computer technologies or without their use. The processing of personal data includes, among other things:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- extraction;
- usage;
- transfer (distribution, provision, access);
- depersonalization;
- blocking;
- removal;
- disposal.
1.6.6. “Automatic processing of personal data” refers to processing of personal data using computer devices;
1.6.7. “Dissemination of personal data” refers to actions intended to disclose personal data to any number of unspecified persons;
1.6.8. “Sharing of personal data” refers to actions intended to disclose personal data to a specific person or a specific group of people;
1.6.9. “Anonymization of personal data” refers to a series of actions that make it impossible to determine the ownership of personal data without the use of additional information;
1.6.10. “Blocking of personal data” refers to a temporary suspension of the personal data processing (unless the processing is necessary to refine personal data);
1.6.11. “Disposal of personal data” refers to a series of actions that make it impossible to restore the content of personal data in the personal data informational system and (or) resulting in disposal of storage media that has been used to store or process personal data;
1.6.12. “Cross-border flow of personal data” refers to the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.
2. Purpose of personal data processing
2.1. The Data Controller processes personal data for the following purposes:
2.1.1. Processing of User applications in order to conclude agreements between the Data Controller and Users;
2.1.2. Conclusion and execution of agreements between the Data Controller and Users;
2.1.3. Providing Users with access to information and materials contained on the Website;
2.1.4. Informing Users about products, services, promotional and other activities of the Data Controller;
2.1.5. Other purposes which are essential for the Data Controller in order to comply with the Personal Data Protection Law.
3. What categories of personal data are processed?
3.1. The Data Controller processes the following personal data types:
- User’s full name;
- User’s email address;
- User’s phone number.
3.2. The Data Controller collects and processes anonymized data of the Users (including cookies) using such online statistics and advertising services as Yandex Metrika, Google Analytics and others.
3.3. The Data Controller does not process certain categories of personal data specified by the Personal Data Protection Law.
3.4. The Data Controller does not process the biometric personal data specified by the Personal Data Protection Law.
4. Terms and conditions for personal data processing
4.1. The processing of personal data is performed by the Data Controller if the Users agree to the processing of their personal data, as well as without the Users’ consent in cases specified by law. The User gives his consent to the processing of his personal data by the Data Controller from the moment when the User places a check mark in the specified box in the personal data collection form available on the Website.
4.2. The Data Controller performs automated processing of personal data.
4.3. The Data Controller processes personal data in a form that allows the subject of personal data to be identified for no longer than required by the purposes of personal data processing.
4.4. When the purpose of personal data processing is achieved, and in case the User revokes the consent to his data processing, personal data is subject to disposal, with the exception of the cases specified by law.
4.5. The Data Controller fulfils the following requirements for the personal data protection:
4.5.1. requirements for confidentiality of personal data;
4.5.2. requirements ensuring protection of the personal data subjects’ rights, including the right to access information;
4.5.3. requirements to ensure the accuracy of personal data, and, if necessary, relevance in relation to the purposes of personal data processing (this includes measures to dispose of or refine incomplete or inaccurate data);
4.5.4. requirements for the protection of personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
4.5.5. other requirements specified by law.
4.6. The Data Controller takes the following measures, which are essential for ensuring the fulfillment of the obligations specified by law in relation to the processing and protection of personal data:
4.6.1. designation of the Person responsible for personal data protection;
4.6.2. providing a list of employees authorized to work with personal data;
4.6.3. adoption of this Privacy Policy referring to the personal data processing and ensuring data security;
4.6.4. application of legal, organizational and technical measures to ensure the security of personal data, namely:
— identification of threats to the security of personal data during its processing in the personal data informational system;
— application of organizational and technical measures to ensure the security of personal data during its processing in the personal data informational system, which are essential for meeting the requirements for the personal data protection, the implementation of which ensures the level of protection of personal data established by the Russian Federation Government;
— the use of procedures for assessing the conformity of information security tools;
— establishing rules for accessing personal data processed in the personal data informational system;
— providing control over the measures taken to ensure the security of personal data and the security level of the personal data informational system;
4.6.5. providing internal control over the compliance of the personal data processing with the Personal Data Protection Law and the corresponding laws and regulations, the requirements for the personal data protection, the Data Controller’s policy on the personal data processing, Data Controller’s internal regulations;
4.6.6. familiarizing employees directly involved in the personal data processing with the laws of the Russian Federation on personal data, including the requirements for the personal data protection and with this Policy.
4.7. The Data Controller has the right to share the User’s personal data with third parties in the following cases:
4.7.1. The User has agreed to such sharing;
4.7.2. The data sharing is necessary in order to fulfill the contract concluded between the User and the Data Controller;
4.7.3. The data sharing is necessary in order to provide the User, at his request, with access to specific services of the Website;
4.7.4. The data sharing is specified by relevant law;
4.7.5. The personal data sharing serves statistical or other research purposes, except for the purposes specified in Article 15 of the Personal Data Protection Law, on condition that personal data is anonymized.
4.8. When collecting personal data of Users, the Data Controller ensures recording, systematization, accumulation, storage, refinement (updating, modification), retrieval of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases stated in the Personal Data Protection Law.
5. The procedure for interaction between Users and the Data Controller
5.1. Users have the right to request information from the Data Controller regarding the processing of their personal data. Users can do this by sending a request to: info@tor-m.com. The User’s request must contain the information specified by Article 14, part 3 of the Personal Data Protection Law.
5.2. Users have the right to send requests for refinement and updating of their personal data, as well as applications for withdrawal of consent to the personal data processing to the email specified in paragraph 5.1 of this Policy.