Personal Data Processing Policy

1. Basic terms and definitions

Automated processing of personal data – processing of personal data using computer technology.

Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).

Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Depersonalization of personal data – actions as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data.

Processing of personal data – any action (operation) or a set of actions (operations) performed with the use of automation tools or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, refinement (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Personal data operator (operator) – a state body, municipal body, legal or natural person, independently or jointly with other persons organizing and (or) processing personal data, as well as determining the purposes of personal data processing, the composition of personal data to be processed, actions (operations) performed with personal data.

Personal data – any information relating directly or indirectly to a specific or identifiable natural person (subject of personal data);

Provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons.

Dissemination of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.

Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a government body of a foreign state, a foreign individual or a foreign legal entity.

Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.

Cookies are a small piece of data sent by a web server and stored in an automated user location.

2. General   Position
   • 1. This Policy regarding the processing of personal data in
     Onegin Management Company LLC (hereinafter referred to as the Policy) is an official document that defines the general principles, goals and procedure for processing personal data (hereinafter referred to as PD), as well as information on the implemented measures to protect PD.
   • 2. This Policy applies to all employees of Onegin Management Company
     LLC   (hereinafter referred   to as the Operator), as well as to employees of third-party organizations interacting with the Operator on the basis of relevant contracts, regulatory, legal and organizational documents.
   • 3 . This Policy comes into force from the moment of its approval and is valid indefinitely, until it is replaced by a new Policy.
3. Goal   Collection   PD
   • 1. Personal data is processed for the following purposes:

– Provision of personnel work and accounting; implementation of labor relations with employees.

– Ensuring the working conditions established by the legislation of the Russian Federation.

– Fulfillment of the requirements of the Labor Code of the Russian Federation.

– Fulfillment of the requirements of tax legislation in connection with the calculation and payment of personal income tax, as well as the unified social tax.

– Fulfillment of the requirements of pension legislation in the formation and submission of personalized data on each recipient of income, taken into account when calculating insurance premiums for compulsory pension insurance and security, the implementation of payments in accordance with the requirements of the legislation of the Russian Federation.

– Performance by the Company of the function of an employer.

–  Recruitment of personnel (selection of candidates for filling vacant positions), compliance with regulatory legal acts of the Russian Federation, local acts; communication with the subject; sending letters, replies to the subject; providing a personnel reserve, assistance in employment, assistance in choosing a suitable position,

–  Interaction with the Operator using the site; room reservations.

–  To provide services to the client, to fulfill contractual obligations.

4. Legal   basis for   processing PD
   • 1. The Operator processes PD in accordance with the following regulatory and legal acts:

– Consent to the processing of personal data of employees,

– Consent to the processing of personal data of the hotel guest,

– Consent to the processing of personal data of the candidate for employment,

– Clause 28 of the Decree of the Government of the Russian Federation dated 15.01.2007 No. 9 "On the Procedure for Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation"

.- Art. 23, 24 of the Constitution of the Russian Federation;

– Labor Code of the Russian Federation;

– Tax Code of the Russian Federation;

– Federal Law of 15.12.2001 N 167-FZ "On Compulsory Pension Insurance in the Russian Federation";

– Art. Art. 15 and Art. 36.19 of the Federal Law dated 07.05.1998 N 75-FZ "On Non-State Pension Funds";
– Federal Law no. 255-FZ of 29.12.2006 "On Compulsory Social Insurance in the Event of Temporary Incapacity for Work and in Connection with Maternity";

– Art. 8 of the Federal Law of 31.05.1996 N 61-FZ "On Defense";

– Art. 9 of the Federal Law of 26.02.1997 N 31-FZ "On Mobilization Preparation and Mobilization in the Russian Federation";

– Decree of the Government of the Russian Federation dated 09.10.2015 No. 1085 (as amended on 30.11.2018) "On Approval of the Rules for the Provision of Hotel Services in the Russian Federation";

– Federal Law dated 29.11.2010 N 326-FZ "On Compulsory Medical
Insurance in the Russian Federation";

– Art. 13, Art. Art. 92-94 of the Federal Law dated 21.11.2011 N 323-FZ
"On the Basics of Protecting the Health of Citizens in the Russian Federation";

– Commercial contracts (Contract for the provision of services (registration card);

– Charter of LLC "MC "Hotel "Onegin".

5. Scope and   categories, processed   PD, categories of PD entities
   • 1. The Operator carries out the processing of the following categories of PD:

Category of PD subjects	Category of processed PD	Volume of processed PD
Employees, former employees	OTHER CATEGORIES	Less than 100 000 subjects
Candidates for vacant posts	OTHER CATEGORIES	Less than 100 000 subjects
Site visitors	OTHER CATEGORIES	Less than 100 000 subjects
Clients	OTHER CATEGORIES	More than 100 000 subjects

6. Procedure and conditions   of processing PD
   • 1. The processing of PD is carried out on a lawful and fair basis.
   • 2. The processing of PD is limited to the achievement of specific, predetermined and legitimate purposes. Processing of PD that is incompatible with the purposes of collecting PD is not allowed.
   • 3 . It is not allowed to combine databases containing PD, the processing of which is carried out for purposes incompatible with each other.
   • 4. Only PD that meets the purposes of their processing are subject to processing.
   • 5. The content and volume of processed PD correspond to the stated purposes of processing and are not excessive in relation to the stated purposes of their processing.
   • 6. When processing PD, the accuracy of PD, their sufficiency, and, if necessary, relevance in relation to the purposes of PD processing are ensured. Necessary measures shall be taken to delete or clarify incomplete or inaccurate data.
   • 7. For the purpose of information support of the Operator, publicly available sources of the Operator's PD may be created (including directories, electronic databases, pages of the Operator's website in the information and telecommunication network "Internet"). Only PD specified by the pd specified by the subject of pd in written consent to the inclusion of its PD in public sources can be included in publicly available sources.
   • 8. To maintain statistics and analyze the operation of the Site, the Operator processes data such as IP address, browser information, data from cookies using the metric services Google Analytics and Yandex Metrica.
   • 9. In case of refusal to process cookies, the User must stop using the Site or disable the use of cookies in the browser settings, while some functions of the Site may become unavailable.
   • 10. Some cookies can only be stored with the permission of the PD subject. In addition, when the PD subject first visits the Operator's website, permission to store cookies is requested.
   • 11. Storage of PD is carried out in a form that allows to determine the subject of PD, no longer than required by the purposes of processing PD, if the period of storage of PD is not established by federal law, a contract to which, the beneficiary or guarantor, under which the pd subject is a party. Processed PD upon achievement of the purposes of processing or in case of loss of need to achieve these goals, unless otherwise provided by federal law, are subject to destruction or depersonalization.
7. Terms   and Conditions terms oftermination of   processing of personal data
   • 1. The Operator terminates the processing of PD in the following cases:

• – achievement of the purposes of processing PD or maximum storage periods – within 30 days;
• – loss of the need to achieve the purposes of PD processing – within 30 days;
• – provision by the pd subject or his legal representative of information confirming that the PD is illegally obtained or are not necessary for the stated purpose of processing – within 7 days;
• – impossibility of ensuring the lawfulness of pd processing – within 10 days;
• – withdrawal by the subject of PD consent to the processing of PD, if the preservation of PD is no longer required for the purposes of processing PD – within 30 days;
• – expiration of the limitation period for legal relations within the framework of which PD is processed or was carried out.
  • 2. In accordance with Article 21, Part 5 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data", the Operator does not stop processing the Personal Data of the Subject and does not destroy them in the following cases:
• – otherwise provided by the contract, the party to which, the beneficiary or guarantor, under which the Subject is a party;
• – The Operator has the right to process personal data without the consent of the Subject on the grounds provided for by federal laws;
• – the terms of processing the personal data of the Subject, established by the federal laws of the Russian Federation and other regulatory acts, have not expired.

8. Pd   security measures  
   • 1. The security of PD processed by the Operator is ensured by the implementation of legal, organizational, technical and programmatic measures necessary and sufficient to meet the requirements of the legislation in the field of PD protection.
   • 2. The Operator takes the necessary organizational and technical measures to ensure the safety of pd from accidental or unauthorized access, destruction, modification, blocking of access and other unauthorized actions.
   • 3 . The operator   takes the following organizational and technical measures:

• –  appointment of officials responsible for the organization of processing and ensuring the security of PD;
• –  restriction and regulation of the composition of the Operator's employees who have access to the PD;
• –  familiarization of the Operator's employees with the requirements of federal legislation and local regulations on the processing and protection of personal data;
• –  ensuring the accounting and storage of pd material carriers and their circulation, excluding theft, substitution, unauthorized copying and destruction;
• –  determination of threats to the security of PD when they are processed in personal data information systems (hereinafter referred to as ISPDN), the formation of threat models on their basis;
• –  development, on the basis of a threat model, of a PD protection system for the appropriate level of PD protection when processing them in ISPD;
• –  verification of the readiness and effectiveness of the use of information security tools;
• –  implementation of a permissive system of access of ISPDN users to information resources, software and hardware for processing and protecting information;
• –  registration and accounting of the actions of ISPDn users;
• –  password protection of user access to ISPD;
• –  the use, if necessary, of cryptographic information protection tools to ensure the security of PD during transmission via open communication channels;
• –  implementation of anti-virus control, prevention of the introduction of malicious programs (virus programs) and software bookmarks into the corporate network;
• –  use of firewalls where necessary;
• –  the use, if necessary, of means of detecting intrusions into the corporate network that violate or create prerequisites for violation of the established requirements for ensuring the security of pd;
• –  training of the Operator's employees using the information protection tools used in ISPDN, the rules for working with them;
• –  accounting of the applied means of information protection, operational and technical documentation for them;
• –  the use, where necessary, of information protection tools that have passed the conformity assessment procedure in accordance with the established procedure;
• –  monitoring the actions of ISPDN users, conducting proceedings on the facts of violation of pd security requirements;
• –  placement of technical means of processing PD, within the protected area;
• –  maintenance of technical means of protection, alarm of premises in a state of constant readiness.

9. Rights of personal data subjects
   • 1. The PD subject   has the right to receive information regarding the processing of his PD, including those containing:

• –  confirmation of the fact of PD processing by the Operator;
• –  legal grounds and purposes of PD processing;
• –  the purposes and methods of processing PD used by the Operator;
• –  the name and location of the Operator, information about persons (with the exception of the Operator's employees) who have access to the PD or to whom the PD may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
• –  pd processed relating to the relevant PD subject, the source of their receipt, unless a different procedure for submitting such data is provided for by federal law;
• –  terms of processing PD, including the terms of their storage;
• –  the procedure for the exercise by the subject of PD of the rights provided for by the Federal Law "On Personal Data";
• –  information on the carried out or on the proposed cross-border transfer of PD;
• –  the name or surname, first name, patronymic and address of the person processing pd on behalf of the Operator, if the processing is entrusted or will be entrusted to such a person;
• –  other information provided for by the Federal Law "On Personal Data" or other federal laws.
  • 2. The subject of PD has the right to demand from the Operator the clarification of its PD, their blocking or destruction in the event that the PD is incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect its rights.
  • 3 . If the pd subject believes that the Operator is processing his PD in violation of the requirements of the Federal Law "On Personal Data" or otherwise violates his rights and freedoms, the PD subject has the right to appeal against the actions or inaction of the Operator to a higher body for the protection of the rights of PD subjects (the Federal Service for Supervision of Communications, Information Technologies and Mass Communications – Roskomnadzor) or in court.
  • 4. The subject of pd has the right to protection of his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.

10. Final   Position
    • 1. Control over the fulfillment of the requirements of this Policy is carried out by the person responsible for the organization of pd processing.
    • 2. Other rights and obligations of the Operator are determined by the Federal Law "On Personal Data" and other regulatory legal acts in the field of PD protection.
    • 3 . Officialsguilty of violating the norms governing the processing and protection of PD bear material, disciplinary, administrative, civil or criminal liability in the manner prescribed by federal laws.