Personal data processing policy at INFA-HOTEL, registered trade name Hotel "Savoy"
1.1. This document defines INFA-HOTEL's policy (the Hotel) regarding the processing and security of personal data.
1.2. This policy is designed to implement the requirements of the legislation in the field of processing and security of personal data and is aimed at ensuring the full protection of the rights and freedoms of the individual and the citizen in the processing of his personal data at the Hotel.
1.3. The provisions of this Policy are binding on all Hotel employees.
1.4. The provisions of this Policy are the basis for organizing all processes in the Hotel related to the processing and protection of personal data.
1.5. This policy is developed in accordance with the federal law of the Russian Federation:
- The Constitution of the Russian Federation;
- Federal Act of 27 July 2006 № 152-FZ «On personal data»;
- Labour Code of the Russian Federation of 30 December 2001 №197-FZ;
- Federal Act of 24 November 1996 № 132-FZ «On fundamentals of tourism activities in the Russian Federation»;
- «Rules of providing hotel services in the Russian Federation», approved by Government Decree of 09 October 2015 № 1085;
- and in accordance with other applicable federal laws and by-laws of the Russian Federation, which determine the rules and specifics of the processing of personal data and ensuring the security and confidentiality of such processing.
1.6. The Policy establishes:
- purposes of processing personal data;
- general principles and rules for processing personal data;
- classification of personal data and personal data subjects;
- the rights and responsibilities of personal data subjects and of the Hotel in processing personal data;
- how personal data is handled.
1.7. This Policy is subject to publication on a public resource: the Hotel's official website.
1.8. The policy takes effect on the day of approval.
1.9. This Policy is subject to review in connection with changes in the legislation of the Russian Federation in the field of processing and protection of personal data, based on the assessment of the relevance, adequacy and effectiveness of the measures taken to ensure the security of personal data processing in the Hotel.
1.10. This Policy applies to actions (operations) or a set of actions (operations) performed on personal data with or without the use of automation tools, including collection, recording, systemization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, destruction of personal data.
2. Main terms and definitions
Automatic processing of personal data — processing of personal data using computing technology.
Personal biometric data — information that characterizes a person's physiological and biological characteristics, on the basis of which his identity can be established and which are used by the operator to establish the identity of the subject of personal data.
Personal data blocking — temporary discontinuation of personal data processing (unless processing is necessary to clarify personal data).
Personal data security — the state of protection of personal data, characterized by the ability of users, technical facilities and information technologies to ensure the confidentiality, integrity and availability of personal data when it is processed in personal data information systems.
Personal data information system — a combination of the personal data contained in the databases and technical facilities and information technologies, providing its processing.
Personal data confidentiality — mandatory requirement for the Hotel or any other person who has access to personal data not to disclose and disseminate it without the consent of the subject of personal data or the existence of other legal grounds.
Processing of personal data — any action (operation) or a set of actions (operations) performed on personal data with or without the use of automation tools, including collection, recording, systemization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.
Public personal data — personal data that is accessed by an unlimited number of persons with the consent of the personal data subject or which are not subject to the confidentiality requirement in accordance with federal law.
Personal data depersonalization — actions that make it impossible to attribute personal data to a specific personal data subject without the use of additional information.
Operator — a public authority, a municipal authority, a legal or natural person, who, independently or jointly with others, organizes and/or processes personal data, as well as determines the purposes of personal data processing, composition of the personal data to be processed, actions (operations) committed with personal data.
Personal data sharing — actions aimed at disclosing personal data to a particular person or a certain circle of persons.
Personal data — any information relating to a directly or indirectly defined individual (subject of personal data).
Special categories of personal data — personal data relating to race, nationality, political views, religious or philosophical beliefs, health status and intimate life of the subject of personal data.
Personal data subject — an individual who is directly or indirectly defined by the data.
Other information — information that does not identify or relate to the individual directly.
Personal data destruction — actions that make it impossible to recover the content of personal data in the information system and/or as a result of which material carriers of personal data are destroyed.
3. Purposes of personal data processing
3.1. The Hotel processes personal data for the purpose of:
- providing hotel and/or additional services at the Savoy Hotel in accordance with the INFA-HOTEL Hotel Rules approved by the Order of the General Director No.14-DIR of 28.12.2018, the civil law of the Russian Federation and the hotel category;
- providing the personal data subject with the Savoy Hotel booking confirmation;
- concluding contracts with the personal data subject to provide hotel and additional services at the Savoy Hotel and their further implementation;
- organizing and maintaining personnel management in the Hotel;
- attracting and selecting candidates for the Hotel;
- preparing statistical reports, including for submission to state authorities in the Russian Federation;
- providing the personal data subject with information about the services provided, current marketing promotions and new services;
- and other goals that are not prohibited by federal law or international treaties of the Russian Federation.
4. Classification of personal data and categories of subjects whose personal data is processed in the Hotel
4.1. Personal data includes any information relating directly or indirectly to a particular or defined individual (personal data subject) processed by the Hotel to achieve these goals.
4.2. The Hotel does not process special categories of personal data relating to race, nationality, political views, religious and philosophical beliefs, unless otherwise established by the law of the Russian Federation.
4.3. The Hotel processes personal data of the following categories of personal data subjects:
- individuals who are employees of the Hotel;
- individuals who are candidates for the position of employees of the Hotel;
- individuals who perform work and provide services under civil legal contracts concluded with the Hotel;
- individuals who are customers of the Hotel (guests) and/or legally representing the interests of the Hotel's clients, or intending to become such;
- individuals who purchase or intend to purchase third-party services through the Hotel, provided that their personal data is included in the Hotel's automated systems in connection with the provision of hotel and/or additional services;
- individuals who have agreed to the Hotel's processing of their personal data or whose personal data is required by the Hotel to perform the duties, functions or powers vested in it and/or provided for by an international treaty of the Russian Federation or the law of the Russian Federation.
5. Basic principles for personal data processing
5.1. Personal data processing in the Hotel is based on the following principles:
- legality of the purposes and ways in which personal data is processed;
- conformity of the purposes of personal data processing with the purposes determined in advance and stated when the personal data was collected;
- conformity of the composition and volume of the personal data processed, and of the methods of processing it, with the stated processing purposes;
- the reliability of personal data and its sufficiency for processing purposes;
- inadmissibility of processing personal data that is redundant in relation to the purposes stated when the personal data was collected;
- inadmissibility of combining databases containing personal data that is processed for incompatible purposes;
- ensuring that personal data is stored no longer than required by the purpose of processing, unless the retention period is established by federal law or by a contract to which the personal data subject is a party;
- destruction or depersonalization of personal data once the processing purposes are achieved or when achieving them is no longer necessary, unless otherwise provided by the laws of the Russian Federation or by a contract to which the personal data subject is a party;
- ensuring the privacy and security of personal data processed.
6. Personal data processing
6.1. Personal data is processed in accordance with the principles and regulations set by the Federal Law of 27.07.2006 No. 152 "On Personal Data."
6.2. The Hotel processes personal data both with and without the use of automation tools.
6.3. The Hotel may include personal data of the subjects in public sources of personal data; in this case the Hotel obtains the written consent of the subject to the processing of his personal data.
6.4. Biometric personal data in the Hotel is not processed.
6.5. The Hotel may carry out cross-border transfer of personal data (both to countries that provide an appropriate level of protection of personal data, and to other countries that may not provide an adequate level of protection for personal data) in order to perform a contract to which the personal data subject is a party, and/or with the subject's consent.
6.6. Decisions based exclusively on the automatic processing of personal data that produce legal consequences for the personal data subject or otherwise affect his rights and legitimate interests are not made.
6.7. Where written consent of the subject to the processing of his personal data is not required, consent may be given by the personal data subject or his representative in any form that allows the fact of its receipt to be confirmed.
6.8. The Hotel has the right to entrust the processing of personal data to another person with the consent of the subject of personal data, unless otherwise provided by federal law, on the basis of the contract concluded with that person (the operator's order). At the same time, the Hotel obliges the person processing personal data on behalf of the Hotel under the contract to comply with the principles and rules of personal data processing provided by this Federal law.
6.9. Providing access to personal data processed by the Hotel to public authorities (including monitoring, supervising, public security authorities) is carried out in the volume and order established by the relevant legislation of the Russian Federation.
6.10. Collection and processing of Other information
Because Other Information does not personally identify you, such information may be disclosed for any purpose where permitted by law. In some instances (for example: subscribing to the newsletter, using feedback forms), we may combine Other Information with personal information. If we do combine any Other Information with personal information, the combined information will be treated by us as personal information in accordance with this Policy.
7. Rights of the personal data subject
7.1. The personal data subject has the right:
- to obtain information relating to the processing of the personal data, in the order, form and time frame specified by the personal data law;
- to require clarification, blocking or destruction of the personal data if it is incomplete, outdated, inaccurate, illegally obtained, not necessary for the stated purpose of processing, or used for purposes not stated when the subject granted consent to the processing of personal data;
- to take legal action to defend one's rights;
- to revoke the consent to the processing of personal data.
7.2. The personal data subject is obliged to provide complete, accurate and reliable information about their personal data.
7.3. The right of the personal data subject to access his personal data may be limited in accordance with federal laws.
8. Hotel rights and obligations in the processing of personal data
8.1. The Hotel has the right:
- to process the personal data of the personal data subject in accordance with the stated purpose;
- to require the subject of personal data to provide reliable personal data necessary for the performance of the contract and the provision of the service, identification of the personal data subject, as well as in other cases specified by the personal data law;
- to restrict the subject's access to the personal data if it violates the rights and legitimate interests of third parties, as well as in other cases under Russian law;
- to process the public personal data of individuals;
- to process personal data to be published or related to mandatory disclosure in accordance with Russian law;
- to clarify the personal data processed, or to block or delete it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- to keep records of personal data subjects' appeals;
- to entrust the processing of personal data to another person with the consent of the personal data subject.
8.2. In accordance with the requirements of the Federal Act «On personal data», the Hotel is obliged:
- to provide the personal data subject, upon request, with information relating to the processing of his personal data, or to refuse on lawful grounds;
- upon the request of the personal data subject, to clarify the personal data processed, or to block or delete it if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
- to keep records of personal data subjects' appeals;
- to notify the personal data subject about the processing of personal data if personal data was not obtained from the subject, except in cases provided by the law of the Russian Federation;
- if the purpose of personal data processing is reached, to stop processing personal data immediately and destroy the relevant personal data, unless otherwise provided by a contract to which the personal data subject is a party, or by another agreement between the Hotel and the personal data subject;
- if the subject revokes consent to the processing of the personal data, to stop processing personal data and destroy personal data within the time limit set by the legislation of the Russian Federation. The Hotel is obliged to notify the personal data subject about the personal data destruction;
- not to disclose personal data to third parties or distribute it without the consent of the personal data subject, and to impose the same obligation on other individuals who have gained access to personal data, unless otherwise provided by the law of the Russian Federation;
- to appoint the person (persons) responsible for the organization of the processing of personal data.
9. Measures to ensure personal data security during processing
9.1. In the processing of personal data, the Hotel takes the necessary legal, organizational and technical measures to protect personal data from improper or accidental access, destruction, editing, blocking, copying, provision and dissemination, as well as from other misconduct in relation to personal data.
9.2. The security of personal data is achieved through:
- Identifying threats to personal data security when it is processed in personal data information systems;
- Applying the organizational and technical measures for personal data security in information systems that are necessary to meet the personal data protection requirements, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation;
- Assessing the effectiveness of the measures taken to ensure personal data security prior to the commissioning of the personal data information system;
- Keeping records of personal data storage media;
- Detecting unauthorized access to personal data and taking action;
- Restoring personal data modified or destroyed by unauthorized access to it;
- Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and accounting of all actions performed on personal data in the personal data information system;
- Training the Hotel staff involved in the processing of personal data on personal data security;
- Monitoring the measures taken to ensure personal data security and the security level of personal data information systems.
10. Hotel Responsibility
10.1. Compliance with the rules and requirements of this Policy, which are applied in the processing of personal data in the Hotel, is monitored by persons appointed by the Order of the Hotel Executive Authority.
10.2. The Hotel, as well as its officials and employees, bear criminal, civil, administrative and disciplinary liability for non-compliance with the principles and conditions of personal data processing, as well as for the disclosure or illegal use of personal data in accordance with the law of the Russian Federation.