1. General provisions.
1.1. Policy Assignment.
1.1.1. The policy regarding the processing of personal data (hereinafter - the "Policy") was developed in accordance with the Federal Law of July 27, 2006 No 152-ФЗ "On Personal Data" (hereinafter - the Federal Law "On Personal Data").
1.1.2. The policy is aimed at protecting the rights and freedoms of individuals, whose personal data are processed by Grand Hotel Oktyabrskaya LLC, which is the operator of personal data (hereinafter referred to as the Hotel).
1.1.3. This Policy establishes the procedure and conditions for the processing of personal data.
1.1.4. The policy contains information to be disclosed in accordance with the Federal Law "On Personal Data", and is a publicly available document.
1.2. Main terms used in the Policy:
- hotel - an organization that provides hotel services to the client;
- guest - an individual, a consumer of hotel services, a subject of personal data;
- hotel services - actions of the Hotel on accommodation of guests in the accommodation facility, as well as other activities related to accommodation and accommodation, which includes basic and additional services provided to the guest;
- personal data - any information relating to directly or indirectly determined or determined individual (subject of personal data);
- personal data operator (operator) - a legal entity engaged in the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
- personal data processing - any action (operation) or a set of actions (operations) with personal data performed using automation tools or without them. The processing of personal data includes, including: collection, recording, systematization, accumulation, storage, refinement (update, change), use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- the dissemination of personal data - actions aimed at disclosing personal data to an indefinite circle of people;
- use of personal data - actions (operations) with personal data performed by the operator in order to make decisions or perform other actions engendering legal consequences in relation to the subject of personal data or other persons or in any other way affecting the rights and freedoms of the subject of personal data or other persons;
- confidentiality of personal data - the requirement that the operator or other persons who have access to personal data must comply with the requirement not to allow their distribution without the consent of the subject of personal data or the availability of other legal grounds;
1.3. The hotel must:
- receive personal data of the Guest directly from him;
- to process the personal data of guests solely in order to provide legal services to guests;
- to ensure the storage and protection of personal data of the Guests from their illegal use or loss;
- provide access to his personal data to the Guest or his legal representative when applying or when receiving a request containing the number of the main document certifying the identity of the Guest or his legal representative, information about the date of issue of the specified document and issuing authority and personal signature of the Guest or his legal representative. The request can be sent in electronic form and signed with a digital signature in accordance with the legislation of the Russian Federation. Information on the availability of personal data should be provided to the Guest in an accessible form and should not contain personal data relating to other subjects of personal data.
- not to receive and not to process the personal data of the Guest about his race, nationality, political views, religious or philosophical convictions, state of health, intimate life, except as required by law;
- limit the Guest’s right to access his personal data if access to his personal data violates the rights and legitimate interests of third parties.
- in case of detection of inaccurate personal data or illegal actions with them by the operator when requesting or at the request of the subject of personal data or its legal representative or authorized body to protect the rights of subjects of personal data, the operator is obliged to block personal data relating to the relevant subject of personal data , from the moment of such a request or receipt of such a request for the period of verification;
- in case of confirmation of the fact of inaccuracy of personal data, the operator on the basis of documents submitted by the subject of personal data or his legal representative or authorized body for protection of the rights of subjects of personal data, or other necessary documents must clarify personal data and remove their blocking;
- in case of detection of illegal actions with personal data, the operator, within a period not exceeding three working days from the date of such identification, is obliged to eliminate the violations. In the event that it is impossible to eliminate the violations, the operator must destroy personal data within a period not exceeding three working days from the date of unlawfulness of actions with personal data. The operator is obliged to notify the subject of personal data or his legal representative about the elimination of the violations or the destruction of personal data, and also if the request or request was sent by the authorized body for the protection of the rights of personal data subjects.
1.4. Guest has the right to:
- access to information about himself, including the information confirming the fact of the processing of personal data, as well as the purpose of such processing; methods of processing personal data; information about persons who have access to personal data or who may be granted such access; the list of processed personal data and the source of their receipt, the processing time of personal data, including the storage period; information on what legal consequences for the subject may entail processing of his personal data;
- the definition of forms and methods for processing his personal data;
- restriction of methods and forms of personal data processing;
- a ban on the dissemination of personal data without his consent;
- change, refinement, destruction of information about itself;
- the appeal of illegal actions or inaction on the processing of personal data.
2. The purpose of collecting personal data.
2.1. The purpose of the Policy is to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data.
2.2. Personal data is processed in order to fulfill the contract for the provision of services for accommodation or temporary accommodation, one of the parties of which is the Guest. The hotel collects data only in the amount necessary to achieve this goal.
2.3. It is not allowed to process personal data incompatible with the purposes of collecting personal data.
2.4. Personal data cannot be used for the purpose of causing property and moral harm to citizens, hindering the realization of the rights and freedoms of citizens of the Russian Federation.
3. Legal grounds for the processing of personal data.
3.1. The legal basis for the processing of personal data is a set of legal acts, pursuant to which and in accordance with which the Hotel processes personal data, namely:
- The Constitution of the Russian Federation;
- Federal Law dated July 27, 2006 No. 152
- FZ "About personal data";
- Federal law of 11/24/1996 No 132
- the Federal Law "On the basics of tourist activity in the Russian Federation";
- Resolution of the Government of the Russian Federation of October 9, 2015 No 1085 "On approval of the Rules for the provision of hotel services in the Russian Federation";
- Federal law of 18.07.2006. No109
- Federal Law "On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation";
- Resolution of the Government of the Russian Federation of January 15, 2007 No9 “On the procedure for the implementation of migration registration of foreign citizens and stateless persons in the Russian Federation”;
- Other legal acts.
4. Composition and receipt of personal data.
4.1. The hotel collects and processes the following personal data:
- passport details of a citizen of the Russian Federation, passport details of a foreign citizen, birth certificate (last name, first name, patronymic, year of birth, month of birth, date of birth, place of birth; series, number and date of issue of the document);
- military ID data;
- registration address;
- pension insurance certificate;
- contact phone number;
4.2. All personal data the Hotel receives directly from the subject of personal data - Guests or their legal representatives.
5. Information on the processing of personal data.
5.1. The hotel processes personal data in a legitimate and fair manner in order to fulfill the functions, powers and responsibilities entrusted by law, exercise the rights and legitimate interests of the Hotel, Hotel employees and third parties.
5.2. The hotel processes personal data in an automated way, with transfer via the internal network of the legal entity, as well as with transfer via the Internet.
5.3. Actions for the processing of personal data include the collection, recording, systematization, accumulation, storage, refinement (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.
5.4. Only employees of the Hotel, who need it to perform their job duties, can access the processing of personal data of the Guests.
5.5. Personal data of the Guests is stored on paper and electronically in the local computer network of the Hotel.
5.6. The hotel ensures the confidentiality of personal data and is obliged to prevent their distribution to third parties without the consent of the Guests or the availability of other legal grounds. Information about the personal data of the Guest is confidential.
6. Use and transfer of personal data.
6.1. The use of personal data of the Guests is carried out by authorized employees of the Hotel solely for the achievement of the goals defined by the agreement between the Guest and the Hotel, in particular, for the provision of accommodation and temporary accommodation services, as well as additional services.
6.2. Access to the personal data of the Guests of the Hotel staff whose activities are not related to the direct work with the personal data of the Guests is prohibited.
6.3. The hotel does not perform cross-border transmission of personal data.
6.4. It is not allowed to answer questions related to the transmission of information containing personal data by phone or fax.
6.5. The hotel has the right to provide personal data of Guests to third parties in the following cases:
- if the disclosure of this information is required to comply with the law, the judicial act;
- to assist law enforcement or other government agencies;
- to protect the legitimate rights of the Guest and Hotel.
7. Protection and security of personal data.
7.1. The hotel appoints a person responsible for organizing the processing of personal data to fulfill the obligations stipulated by the Federal Law “On Personal Data” and the regulatory legal acts adopted in accordance with it.
7.2. The hotel makes employees familiar with the provisions of the legislation on personal data.
7.3. The hotel allows employees to access personal data only for the performance of their job duties.
7.4. The hotel identifies threats to the security of personal data during their processing.
7.5. The hotel applies organizational and technical measures and uses the information security tools necessary to achieve the specified level of personal data protection.
7.6. The hotel detects unauthorized access to personal data and takes measures to respond, including the recovery of personal data modified or destroyed due to unauthorized access to it.
7.7. Protection of access to electronic databases containing personal data of the Guests is ensured by the use of licensed software products that prevent unauthorized third-party access to the personal data of the Guests.
7.8. Documents containing personal data of the Guests are stored in the premises, providing protection against unauthorized access.
8. Responsibility for violation of the rules governing the processing of personal data.
8.1. The hotel is responsible for the personal information that is at its disposal and establishes the personal responsibility of staff for compliance with the established confidentiality regime.
8.2. Each employee who receives a document containing the personal data of the Guest for work is solely responsible for the safety of the media and confidentiality of information.
8.3. Any person may contact the Hotel employee with a complaint of violation of these Regulations. Complaints and applications for compliance with data processing requirements are considered within 30 days from the date of receipt.
8.4. Employees of the Hotel are obliged to ensure consideration of requests, statements and complaints of Guests, as well as facilitate the execution of the requirements of the competent authorities.
8.5. Persons guilty of violating the rules governing the receipt, processing and protection of personal data are subject to disciplinary, administrative, civil or criminal liability in accordance with federal laws.
191036, St. Petersburg, Ligovskiy pr., 10/118.