RUSSPASS Privacy Policy

Updated: 11.11. 2021.

1.1. This Policy of the Project Office for the Development of Tourism and Hospitality of Moscow (Privacy Policy) (address: 7/5 B. Dmitrovka St., Bldg. 1, Floor 5, Internal City of Tverskoy Municipal District, Moscow, 125009, phone +7 (495) 957-96-77, e-mail: info@welcome.moscow, OGRN 1187700020947, INN 7703468243, KPP 771001001) with regard to processing of personal data (hereinafter, the Policy) was developed in accordance with the requirements of Clause 2, Part 1 of Art. 18.1 of Federal Law No. 152-FZ dated July 27, 2006 "On Personal Data" (hereinafter, the Law on Personal Data) in order to ensure the protection of human and civil rights and freedoms when processing their personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. The Policy applies to all personal data that is processed by the Project Office for the Development of Tourism and Hospitality of Moscow (hereinafter, the Operator, Organization).

1.3. The Policy defines the basic rights and obligations of the Operator and Personal Data Subjects, purposes of personal data processing, legal grounds for personal data processing, categories of processed personal data, categories of Personal Data Subjects, the procedure and conditions for processing personal data, as well as measures to ensure the security of personal data during processing undertaken by the Organization.

1.4. The Policy applies to relations of personal data processing that arise with the Operator both before and after the approval of the Policy.

1.5. The Policy, as well as changes to it, are approved by the CEO of the Organization or by the Acting CEO.

1.6. In pursuance of the requirements of Part 2 of Art. 18.1 of the Law on Personal Data, the Policy is published in the public domain on the Operator's website on the Internet.

1.7. Control over the implementation of the requirements of the Policy is carried out by authorized persons responsible for organizing processing of personal data by the Operator.

1.8. Liability for violation of the requirements of the legislation of the Russian Federation and the regulatory acts of the Operator with respect to processing and protection of personal data is determined in accordance with the legislation of the Russian Federation.

1.9. Main terms and definitions

Personal Data shall mean any information relating directly or indirectly to a specific or identifiable individual (Personal Data Subject).

Personal Data Operator (Operator) shall mean a state body, municipal body, legal entity, or individual, independently or together with other persons organizing and/or conducting processing of personal data and determining the purposes for which personal data is processed, the composition of the personal data to be processed, and the actions (operations) to be performed with personal data.

Processing of Personal Data shall mean any action (operation) or a set of actions (operations) with personal data performed with the use of automation tools or without them.

Processing of personal data includes, among other things:

• collection;
• recording;
• systematization;
• accumulation;
• storage;
• clarification (update, change);
• extraction;
• usage;
• transmission (distribution, provision, access);
• depersonalization;
• blocking;
• deletion;
• destruction.Automated Processing of Personal Data shall mean processing of personal data using computer technology.

Distribution of Personal Data shall mean actions aimed at disclosing personal data to an indefinite range of persons.

Provision of Personal Data shall mean actions aimed at disclosing personal data to a certain person or a certain range of persons.

Blocking of Personal Data shall mean a temporary suspension of processing of personal data (unless processing is necessary to clarify personal data).

Destruction of Personal Data shall mean actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and/or as a result of which material carriers of personal data are destroyed.

Depersonalization of Personal Data shall mean actions, as a result of which it becomes impossible to determine the ownership of personal data to a specific Personal Data Subject without using additional information.

Personal Data Information System shall mean a set of personal data contained in databases and information technologies and technical means that ensure their processing.

Cross-Border Transfer of Personal Data shall mean transfer of personal data to the territory of a foreign state, to a foreign state authority, a foreign individual, or a foreign legal entity.

1.10. Basic rights and obligations of the Operator

1.10.1. The Operator may:

• independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of obligations stipulated by the Law on Personal Data and regulatory legal acts adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws;
• entrust processing of personal data to another person with the consent of the Personal Data Subject, unless otherwise provided by federal law, on the basis of an agreement concluded with this person. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for processing personal data provided for by the Law on Personal Data;
• if the Personal Data Subject withdraws consent for processing personal data, the Operator has the right to continue processing the personal data without the consent of the Personal Data Subject if there are grounds specified in the Law on Personal Data.

1.10.2. The Operator shall:

• arrange processing of personal data in accordance with the requirements of the Law on Personal Data;
• respond to requests and inquiries from the Personal Data Subjects and their legal representatives in accordance with the requirements of the Law on Personal Data;
• report the necessary information to the authorized body for the protection of rights of the Personal Data Subjects (the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) at the request of this body within thirty (30) calendar days of the date of the receipt of such a request.

1.11. Basic rights of the Personal Data Subject

1.11.1. The Personal Data Subject may:

• receive information regarding processing of their personal data, with the exception of cases provided for under federal law. The information is to be provided to the Personal Data Subject by the Operator in an accessible form, and it must not contain personal data relating to other Personal Data Subjects unless there are legal grounds for disclosing such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
• require the Operator to clarify their personal data, to block or destroy them if the personal data is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights;
• put forward a condition of prior consent when processing personal data in order to promote goods, works, and services on the market;
• appeal to Roskomnadzor or the courts over any illegal actions or inaction of the Operator when processing their personal data.

2.1. Processing of personal data is limited to the achievement of specific, predetermined, and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

2.2. Only personal data that meet the purposes of their processing is to be subject to processing.

2.3. Processing of personal data by the Operator is carried out for the following purposes:

• ensuring compliance with the Constitution of the Russian Federation, federal laws, and other regulatory legal acts of the Russian Federation;
• carrying out its activities in accordance with the charter of the Organization;
• exercising the rights and fulfillment of the obligations of the parties in their labor relations;
• attracting and selecting candidates for work with the Operator;
• organizing individual (personified) registration of employees in the compulsory pension insurance system;
• filling out and submitting the required reporting forms to the executive authorities and other authorized organizations;
• implementing civil law relations;
• accounting;
• purchasing and/or booking of services, as well as providing access to the Integrated Information System "Moscow Digital Tourist Platform" (RUSSPASS);
• holding contests, shows, and other events;
• implementing access control.

2.4. Processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.

3.1. The legal basis for processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including:

• the Constitution of the Russian Federation;
• the Civil Code of the Russian Federation;
• the Labor Code of the Russian Federation;
• the Tax Code of the Russian Federation;
• Federal Law No. 7-FZ dated January 12, 1996 "On Non-Commercial Organizations";
• Federal Law No. 402-FZ dated December 6, 2011 "On Accounting";
• Federal Law No. 167-FZ dated December 15, 2001 "On Compulsory Pension Insurance in the Russian Federation";
• other regulatory legal acts regulating relations related to the activities of the Operator.

3.2. The legal basis for processing of personal data also includes:

• the Operator's charter;
• contracts concluded between the Operator and the Personal Data Subjects;
• consent of the Personal Data Subjects to processing of their personal data.

4.1. The content and volume of the processed personal data must comply with the stated processing objectives provided for in Section 2 of the Policy. The processed personal data shall not exceed that required for the stated purposes of their processing.

4.2. The Operator can process personal data of the following categories of Personal Data Subjects.

4.2.1. Applicants for employment with the Operator:

• first name, middle name, surname;
• gender;
• citizenship;
• date of birth;
• place of birth;
• contact phone number;
• e-mail;
• photographic image;
• information about education, work experience, qualifications;
• other personal data provided by candidates in CVs and cover letters.

4.2.2. Employees and former employees of the Operator:

• first name, middle name, surname;
• gender;
• citizenship;
• date of birth;
• place of birth;
• passport data (number, passport series, by whom and when issued, code of the department that issued the passport);
• data from a document used in lieu of a passport (name of the document, number, series of the document, by whom and when it was issued, the code of the department that issued the document);
• residence (registration) address;
• address of the place of actual residence;
• contact phone number;
• e-mail;
• photographic image;
• information about education, including the following information: level of education, name of educational institution, year of graduation, diploma number, specialty / field of training, qualifications;
• individual taxpayer number (INN);
• insurance number of an individual personal account (SNILS);
• information about marital status and family composition;
• information about work activity, including about the place of work, insurance (labor) experience, about the position held, transfers to other positions;
• information about military registration;
• bank account details;
• information about wages and other payments;
• information about awards and incentives;
• other personal data provided by employees in accordance with the requirements of the legislation of the Russian Federation.

4.3. The Operator does not process biometric or special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, with the exception of cases provided for by the legislation of the Russian Federation.

5.1. Processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

5.2. The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (distributes, provides, accesses), depersonalizes, blocks, deletes, and destroys personal data.

5.3. Processing of personal data by the Operator is carried out in the following ways:

• non-automated processing of personal data;
• automated processing of personal data with or without transmission of the information received via informational and telecommunication networks.

5.4. Processing of personal data is carried out with the consent of the Personal Data Subjects to processing of their personal data, or without it in the cases provided for by the legislation of the Russian Federation, namely:

• processing of personal data is carried out with the consent of the Personal Data Subject to processing of their personal data;
• processing of personal data is necessary to achieve the goals provided for by an international treaty to which the Russian Federation is beholden or by law, for the implementation and fulfillment of the functions, powers, and duties imposed by the legislation of the Russian Federation on the operator;
• processing of personal data is carried out in connection with the participation of a person in constitutional, civil, administrative, criminal proceedings or proceedings in arbitration courts;
• processing of personal data is necessary for the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
• processing of personal data is necessary for the execution of the powers of federal executive bodies, bodies of state extra-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local self-government bodies, and the functions of organizations involved in the provision of state and municipal services, respectively, stipulated by the Federal Law No. 210-FZ dated July 27, 2010 "On the Organization of the Provision of State and Municipal Services," including the registration of the Personal Data Subject on a single portal of state and municipal services and/or regional portals of state and municipal services;
• processing of personal data is necessary for the performance of an agreement to which the Personal Data Subject is either a party or a beneficiary or guarantor, as well as for concluding an agreement initiated by the Personal Data Subject or an agreement under which the Personal Data Subject will be a beneficiary or guarantor;
• processing of personal data is necessary to protect the life, health, or other vital interests of the Subject of the Personal Data if it is impossible to obtain the consent of the Personal Data Subject;
• processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, including in the cases provided for by the Federal Law "On the Protection of the Rights and Legal Interests of Individuals in the Performance of Activities for the Return of Overdue Debts" and on Amendments to the Federal Law "On Microfinance Activities and Microfinance Organizations," or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the Personal Data Subject;
• processing of personal data is necessary for the implementation of the professional activity of a journalist and/or the legitimate activity of the media or scientific, literary, or other creative activity, provided that this does not violate the rights and legitimate interests of the Personal Data Subject;
• processing of personal data is carried out for statistical or other research purposes, with the exception of the purposes specified in Art. 15 of the Law on Personal Data, subject to the mandatory depersonalization of the personal data;
• processing of personal data obtained as a result of depersonalization of personal data is carried out in order to increase the efficiency of state or municipal administration, as well as for other purposes provided for by Federal Law No. 123-FZ dated April 24, 2020 "On Conducting an Experiment to Establish Special Regulation in Order to Create the Necessary Conditions for the Development and Implementation of Artificial Intelligence Technologies in the Constituent Entity of the Russian Federation—the City of Federal Significance Moscow and Amending Articles 6 and 10 of the Federal Law 'On Personal Data' and Federal Law No. 258-FZ dated July 31, 2020 'On Experimental Legal Regimes in the Sphere of Digital Innovations in the Russian Federation,'" in the manner and on the terms provided for by the specified federal laws;
• processing of personal data subject to publication or mandatory disclosure in accordance with federal law.

5.5. Employees of the Operator are allowed to process personal data, given that their job description includes processing of personal data.

5.6. Processing of personal data is carried out by:

• receiving personal data orally and in writing directly from the Personal Data Subjects;
• obtaining personal data from publicly available sources;
• entering personal data into the logs, registers, and information systems of the Operator;
• using other methods of processing personal data.

5.7. Disclosure to third parties and the dissemination of personal data without the consent of the Personal Data Subject is not allowed unless otherwise provided by the Law on Personal Data. Consent to processing of personal data permitted by the Personal Data Subject for distribution is drawn up separately from other consents of the Personal Data Subject to processing of their personal data.

5.8. The transfer of personal data to the bodies of inquiry and investigation, to the Federal Tax Service, the Pension Fund of the Russian Federation, the Social Insurance Fund, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

5.9. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, distribution, or other unauthorized actions, including:

• identifies threats to the security of personal data during their processing;
• adopts local regulations and other documents regulating relations in the field of processing and protection of personal data;
• appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
• creates the necessary conditions for working with personal data;
• arranges the accounting of documents containing personal data;
• arranges work with information systems in which personal data are processed;
• stores personal data in conditions under which their safety is ensured and unlawful access to them is excluded;
• arranges training for the Operator's employees who process personal data.

5.10. The Operator stores personal data in a form that makes it possible to determine the Personal Data Subject, no longer than the purpose of processing personal data requires if the storage period for personal data is not established by the Law on Personal Data, by an agreement.

5.11. When collecting personal data, including through the information and telecommunications network known as the Internet, the Operator provides recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the cases specified in the Law on Personal Data.

6.1. Confirmation of the fact of personal data processing by the Operator, the legal grounds and purposes of personal data processing, as well as other information specified in Part 7 of Art. 14 of the Law on Personal Data are provided by the Operator to the Personal Data Subject or their representative upon contact or upon receipt of a request from the Personal Data Subject or their representative.The information provided does not include personal data relating to other Personal Data Subjects unless there are legal grounds for disclosing such personal data.

Data Subjects unless there are legal grounds for disclosing such personal data.

The request shall contain:

• number of the main identity document of the Personal Data Subject or their representative, information on the date of issue of the specified document and the issuing authority;
• information confirming the participation of the Personal Data Subject in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and/or other information), or information otherwise confirming the fact of processing of personal data by the Operator;
• signature of the Personal Data Subject or their representative.

The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

If the request of the Personal Data Subject does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the Personal Data Subject does not have the right to access the requested information, then a reasoned refusal is sent to them.

The right of the Personal Data Subject to access their personal data may be limited in accordance with Part 8 of Art. 14 of the Law on Personal Data, including if the access of the Personal Data Subject to their personal data violates the rights and legitimate interests of third parties.

6.2. In case inaccurate personal data are revealed when the Personal Data Subject or their representative applies, or at their request, or at the request of Roskomnadzor, the Operator is to block personal data related to this Personal Data Subject from the moment of such a request or receipt of the specified request for the verification period if the blocking of personal data does not violate the rights and legitimate interests of the Personal Data Subject or third parties.

In the event of confirmation of the fact of the inaccuracy of personal data, the Operator, based on the information provided by the Personal Data Subject or their representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven (7) business days of the date of submission of such information and removes the blocking of the personal data.

6.3. In the event of unlawful processing of personal data upon application (request) of the Personal Data Subject or their representative or Roskomnadzor, the Operator blocks the unlawfully processed personal data related to this Personal Data Subject from the moment of such a request or receipt of the request.

6.4. Upon reaching the goals of processing the personal data, or in the event that the Personal Data Subject withdraws consent to their processing, the personal data are subject to destruction if:

• another course of action is not provided for by the contract, the party to which, the beneficiary, or the guarantor of which is the Personal Data Subject;
• the Operator is not entitled to carry out processing without the consent of the Personal Data Subject on the grounds provided for by the Law on Personal Data or other federal laws;
• another course of action is not provided by any other agreement between the Operator and the Personal Data Subject.