CONSENT TO PERSONAL DATA PROCESSING
I hereby agree that GOODT LLC may contact me by mail, email, SMS, phone and other methods of communication for marketing, advertising and research purposes. In order to receive only the information that is interesting to me, I agree to analyze and process the history of my interaction with GOODT LLC. I agree to the processing of my personal data, which may be shared with third parties that authorized by GOODT LLC for marketing, advertising and research purposes. I have read and agreed to the terms regarding the of processing, storage and protection of personal data belonging to users of the site https://goodt.me/. I understand that I can withdraw my consent at any time by making an official appeal to GOODT LLC.
STATUS OF PROCESSING, STORAGE AND PROTECTION OF PERSONAL DATA
The legislature and other relevant legal provisions of the Russian Federation in accordance with which the provisions on the processing, storage and protection of personal user data on the site https://goodt.me/ are defined:
- Labor Code of the Russian Federation;
- Federal Law of July 27, 2006 No. 152-FZ \"On Personal Data\";
- Decree of the President of the Russian Federation of March 6, 1997, No. 188 \"On Approving the List of Confidential Information\";
- Decree of the Government of the Russian Federation on September 15, 2008 No. 687 \"On the approval of Regulations on the particulars of processing personal data, carried out without the use of automation equipment\";
- Decree of the Government of the Russian Federation on July 6, 2008, No. 512 \"On the approval of requirements for the material carriers of biometric personal data and the technologies for storing such data outside personal data information systems\";
- Decree of the Government of the Russian Federation on 1 November 2012 No. 1119 \"On the approval of the requirements for the protection of personal data while processing them in personal data information systems\";
- Order of the FSTEC of Russia No. 55, Federal Security Service on Russia No. 86, Ministry of Information Technologies and Communications of Russia No. 20 on February 13, 2008 \"On Approval of the Procedure for the Classification of Information Systems for Personal Data\";
- Order of the FSTEC of Russia on February 18, 2013 No. 21 \"On the approval of the composition and content of organizational and technical measures to ensure the safety of personal data during their processing in personal data information systems\";
- Order of Roskomnadzor on September 5, 2013 No. 996 \"On the approval of requirements and methods for the depersonalization of personal data\";
- Other normative legal acts of the Russian Federation and regulatory documents from the authorized bodies of state power.
1. TERMS AND DEFINITIONS
- The site is an aggregation of hardware and software for computers that ensures the process of publishing general access data and information for a common purpose, with the help of communication technology and the Internet. The site may be found on the Internet address: https://goodt.me/.
- The user is an individual who uses the Internet and more specifically, the site.
- Personal data is any information relating directly or indirectly to a particular or given individual (the subject of personal data).
- The operator is an organization which, independently or jointly with others organizes the processing of personal data, as well as determining the purpose for processing this data, and the actions undertaken with this personal data. The operator is Limited Liability Company \"GOOD DATA\" INN 7730191329, OGRN 5157746104951.
- Personal data processing is any action (operation) or a set of actions (operations) performed using automated or other means with personal data, including its collection, recording, systematization, accumulation, storage, updating, extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction.
- The automated processing of personal data is processing of personal data by computer devices.
- The sharing of personal data is the disclosure of a user’s personal data to specific parties with their prior consent, in cases determined by the law.
- The provision of personal data is the disclosure of personal data to a certain persons or parties.
- The blocking of personal data is the temporary suspension of personal data processing (except in cases when such processing is needed to confirm personal data).
- The destruction of personal data is an action as a result of which it becomes impossible to restore the contents of personal data in the database system and/or the physical destruction of the carriers of personal data.
- The depersonalization of personal data is an action which makes it to determine whether personal data belong to a particular individual or data subject, without the use of additional information.
- The personal data information system is a set of personal data contained in databases, allowing for their processing through information technology and technical means.
2. GENERAL PROVISIONS
2.1. The provisions on the processing, storage and protection of the personal data of the users of the site (hereinafter referred to as the Regulations) are designed to comply with the requirements of the legislation of the Russian Federation, containing personal data and identification of the users of the site.
2.2. The provisions establish the procedure for processing personal data of the site’s users: the procedures for collecting, systematizing, accumulating, storing, updating and destroying personal data.
2.3. The provisions establish the general requirements and rules for working with all types of media containing the personal data of the users of the site, which are mandatory for the operator's employees involved in the maintenance of the site.
2.4. The provisions do not address the issues of ensuring the security of personal data, related to the established procedure for information that constitutes a state secret of the Russian Federation.
2.5. The aims of the provisions are:
- Ensuring the requirements for the protection of human and civil rights and freedoms in the processing of personal data, including the protection the rights to private life, personal and family secrets;
- The exclusion of unauthorized actions by the operator's employees and any third parties in the collection, systematization, accumulation, storage and updating of personal data, other forms of unlawful interference with the information resources and the local computer network of the operator, ensuring the legal and regulatory regime of confidentiality of the undocumented information of site’s users; protection of the constitutional rights of citizens to personal secrecy, confidentiality of the information constituting personal data, and the prevention of a possible threat to the security of users of the site.
2.6. Principles of processing personal data:
- The processing of personal data must be carried out in a fair and lawful manner;
- The processing of personal data must be limited to the achievement of specific, pre-determined and legitimate purposes. Processing personal data incompatible with these purposes is not permitted;
- Combining databases containing personal data, the processing of which is carried out for incompatible purposes is not permitted;
- Only personal data that is necessary for the required aims may be processed;
- The content and volume of the processed personal data must comply with the stated processing objectives. The processed personal data should not exceed the stated purposes of their processing;
- When processing personal data, it’s accuracy, sufficiency, and, if necessary, its relevance to the purposes of processing this data must be verified;
- Personal data must not be stored for longer than it takes for processing, unless the period of storage of personal data has been set by a federal law, an agreement to which the user is a party;
- Processed personal data is subject to destruction or depersonalization upon the achievement of the processing objectives, or in case achieving those objectives is no longer necessary, unless otherwise stipulated by federal law.
2.7. Conditions for processing personal data.
2.7.1. Processing of personal data of the site’s users is carried out on the basis of the Civil Code of the Russian Federation, the Constitution of the Russian Federation and the current legislation of the Russian Federation in the field of personal data protection.
2.7.2. The processing of personal data on the site is carried out in compliance with the principles and rules provided for by the provisions and the legislation of the Russian Federation. The processing of personal data is allowed in the following cases:
- The processing of personal data is necessary to use the site, to which the user is a party;
- The processing of personal data is necessary for the protection of the life, health or other vital interests of the user of the site, if the obtaining of consent is impossible;
- Processing of personal data is necessary for the implementation of the rights and legitimate interests of the operator or third parties or for the achievement of socially significant purposes, provided that the rights and freedoms of the site’s users are not violated at the same time;
- The processing of personal data is carried out for statistical or other research purposes, except for the processing of personal data in order to promote goods, works, services on the market that make direct contact with potential consumers, as well as for political agitation, subject to the mandatory depersonalization of the personal data.
2.8. The objectives of processing personal data.
2.8.1. The processing of personal data of users of the site is carried out solely in order to provide the user with the opportunity to interact with the site.
2.8.2. The information constituting the personal data on the site is any information concerning a physical party or person who is the subject of such data.
2.9. The sources of user’s personal data.
2.9.1. All personal data about the user comes from the user themselves.
2.9.2. The source of information about the user's personal data is information obtained as a result of the user's use of the site.
2.9.3. User’s personal data is confidential information to which there is restricted access.
2.9.4. Ensuring the confidentiality of personal data is not required in the case of their depersonalization, as well as with respect to publicly available personal data.
2.9.5. The operator has no right to collect and process the user's personal data about their race, nationality, political views, religious or philosophical beliefs, private life, except as provided by applicable law.
2.9.6. The operator does not have the right to receive and process the user's personal data about their membership in public associations or their trade union activities, except as provided for by federal law.
2.10. Methods of processing personal data.
2.10.1. The personal data of the site’s users are processed exclusively using automated tools.
2.11. Rights of the subjects (users) of personal data.
2.11.1. The user has the right to receive information about the operator, their location, the possession of personal data by the operator pertaining to the user, and also to familiarize themselves with such personal data, except for cases stipulated by part 8 of Article 14 of the Federal of the law \"On Personal Data\".
2.11.2. The user is entitled to receive from the operator, upon personal or written request, of the following information regarding the processing of their personal data, including:
- Confirmation of the fact of personal data processing by the operator, as well as the purposes of such processing;
- The legal grounds and objectives for the processing of personal data;
- The methods and objectives of the operator for processing personal data;
- The name and location of the operator, information on persons (except for the operator's employees) who have access to personal data or to whom it may be disclosed on the basis of a contract with the operator or on the basis of a federal law;
- Processed personal data relating to the relevant personal data subject and their source, if another procedure for providing such data is not provided for by federal law;
- The terms for processing personal data, including the terms of their storage;
- The procedure for the subject of personal data to exercise the rights provided for by federal law;
- Information on the carried out or expected cross-border data transfer;
- Name or surname, name, patronymic and address of the person carrying out the processing of personal data on behalf of the operator, if the processing is entrusted or will be entrusted to such person;
- Other information provided for by federal law or other federal laws;
- Demand changes, corrections or the destruction of information about oneself;
- Appeal against unlawful acts or omissions on the processing of personal data and demand adequate compensation in court;
- To supplement a personal data of a character evaluation with a statement expressing their own point of view;
- Identify representatives to protect their personal data;
- Require the operator to notify of all changes or exceptions made therein.
2.11.3. The user has the right to appeal against the actions or omissions of the operator to an authorized body for protecting the rights of subjects of personal data or in court proceedings, if they believe that the latter carries out the processing of their personal data in violation of the requirements of the Federal Law \"On Personal Data\" or otherwise violates their rights and freedoms.
2.11.4. The user of personal data has the right for their rights and legitimate interests to be protected, including compensation for damages and (or) moral compensation in court.
2.12. Obligations of the operator.
2.12.1. Upon the personal request or the receipt of a written request from the subject of personal data or their representative, the operator, provided that there are grounds, is obliged to provide information within the period specified in the federal law within 30 days from the date of application or receipt of the request of the personal data subject or its representative as stipulated by federal law. Such information should be provided to the personal data subject in an accessible form and they should not contain personal data relating to other personal data subjects, unless there are legitimate and lawful reasons for disclosing such personal data.
2.12.2. All the appeals by subjects of personal data or their representatives are registered in the Journal of Registration of Citizens' Appeals (subjects of personal data) concerning the processing of such data.
2.12.3. In the case of refusal to provide personal data to the subject or their representative, either on request of the subject or their representatives, about information on the availability of personal data on the given personal data subject, the operator must give a reasonable answer in writing that contains a reference to the provision of part 8 of Article 14 Federal law \"On personal data\" or another federal law which is the basis for such refusal, within a period not exceeding 30 days from the date of the request by the subject of this personal data or their representative, or from the date of receiving such a request by the personal data subject or their representative.
2.12.4. In case of receiving a request from an authorized body for the protection of the rights of subjects of personal data to provide the information necessary for carrying out the activities of the specified body, the operator must relay such information to the authorized body within 30 days from the date of the receipt of such request.
2.12.5. In the case of the discovery of the illegal processing of personal data after a request by the subject of personal data, their representative or an authorized body for protection of the rights of subjects of personal data, the operator is obliged to block the illegally processed personal data related to this personal data subject, from the start of such illegal activity or the receipt of the said request for the verification period.
2.12.6. In the case of the discovery of the illegal processing of personal data carried out by the operator, the latter shall be obliged to stop the illegal processing of personal data within a period not exceeding three working days from the date of this discovery. Of these violations, the operator is obliged to notify the subject of personal data or their representative, and if the request of the personal data subject or its representative or the request of the authorized body for protection of the rights of subjects of personal data was sent by the authorized body for protection of the rights of subjects of personal data, also the said authority.
2.12.7. In the event that the aims of processing personal data are achieved, the operator must stop processing personal data and destroy it, within a period not exceeding 30 working days from the date of achieving the aims of processing personal data, unless otherwise provided by the contract to which the subject of personal data is a party.
2.12.8. It is prohibited to make a decision on the basis of the exclusively automated processing of personal data that may lead to legal consequences with respect to the subject of personal data, or otherwise affect their rights and legitimate interests.
2.13. The regime of confidentiality regarding personal data.
2.13.1. The operator ensures the confidentiality and safety of personal data while processing them, in accordance with the legal requirements of the Russian Federation.
2.13.2. The operator does not disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise permitted by federal law.
2.13.3. In accordance with the list of personal data processed on the site, the personal data of the site’s users are confidential information.
2.13.4. Parties carrying out the processing of personal data must comply with the requirements of the operator's regulatory documents in terms of ensuring the confidentiality and safety of personal data.
3. PROCESSING OF PERSONAL DATA
3.1. A list of personal user data to be processed:
- Surname;
- Name;
- Middle name;
- Position;
- Company;
- Industry;
- Region;
- Mobile phone;
- Email.
3.2. Persons who have the right to access personal data.
3.2.1. The right of access to the personal data of the subjects is given to parties with the appropriate authority in accordance with their official duties.
3.2.2. The list of persons having access to personal data is approved by the Director General of the operator.
3.3. The procedure and terms of storage of personal data on the site.
3.3.1. The operator only stores personal data of users of the site.
3.3.2. The terms of storage of the user's personal data on the site are determined by the terms of the User Agreement and are put into effect from the moment the user accepts this agreement on the site, and lasts until the user declares their desire to delete their personal data from the site.
3.3.3. In the event of the removal of data from the site on the initiative of one of the parties, namely the termination of the use of the site, the user's personal data is stored in the operator's databases for five years in accordance with the legislation of the Russian Federation.
3.3.4. After the expiration of the aforementioned period of storage of the user's personal data, the user's personal data is deleted automatically by the specified algorithm, which is set by the operator.
3.3.5. The operator does not carry out processing of personal user data on paper documents.
3.4. Blocking of personal data.
3.4.1. The blocking of personal data means the temporary suspension of its processing by the operator at the request of the user if the material is considered inaccurate or improper, in the opinion of the subject of personal data regarding their data.
3.4.2. The operator does not transfer personal data to third parties and does not entrust the processing of personal data to third parties and organizations. The personal data of the site’s users is processed only by the operator's employees (database administrators, etc.), who are allowed by the established procedure to process personal data of users.
3.4.3. Blocking of personal data on the site is carried out on the basis of a written application from the subject of personal data.
3.5. The destruction of personal data.
3.5.1. The destruction of personal data means actions are undertaken as a result of which it is impossible to restore the contents of personal data on the site, and/or as a result of which the physical carriers of personal data are destroyed.
3.5.2. The subject of personal data has the right to demand, in written form, the destruction of their personal data in case if personal data are incomplete, outdated, unreliable, illegally obtained or are unnecessary for the stated aims of processing.
3.5.3. If for some reason it is impossible to destroy the personal data, the operator shall block it instead.
3.5.4. The destruction of personal data is carried out by erasing information using certified software that guarantees its erasure (in accordance with specified characteristics for the installed software to ensure guaranteed destruction).
4. SYSTEM OF PERSONAL DATA PROTECTION
4.1. Measures to ensure the safety of personal data while processing them.
4.1.1. During the processing of personal data, the operator must take the necessary legal, organizational and technical measures to ensure the protection of personal data from unauthorized or accidental access destruction, modification, blocking, copying, provision, and dissemination, as well as other illegal actions in respect of personal data.
4.1.2. Ensuring the security of personal data is achieved, in part, through:
- The identification of threats to the security of personal data as they are processed in personal data information systems;
- The application of organizational and technical measures to ensure the safety of personal data as they are processed in personal data information systems, necessary to fulfill the requirements for the protection of personal data;
- The application of procedures for assessing the compliance of the measures of information security;
- Evaluation of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of an information system for personal data;
- Accounting for the computer carriers of personal data;
- Detection of unauthorized access to personal data and taking appropriate measures;
- Restoration of personal data modified or destroyed due to unauthorized access to them;
- Establishing rules for access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with the personal data in the personal data information system;
- Control over the measures taken to ensure the security of personal data and the level of security of information systems for personal data.
4.1.3. For the purposes of the provisions, threats to the security of personal data are understood as a set of conditions and factors leading to the danger of unauthorized, including accidental, access to personal data, which can result in the destruction, modification, blocking, copying, and distribution of personal data, as well as other improper data actions as they are processed in the information system of personal data. The security of personal data is understood as complex indicator that characterizes the procedures, the implementation of which ensures the neutralization of certain threats to the security of personal data as they are processed in the personal data information system.
4.2. Protected information about the subject of personal data.
The protected data on the subject of personal data on the site includes data allowing for the identification of the subject of personal data and/or to obtain additional information about them, provided for by law and the provisions.
4.3. Protected personal data objects.
4.3.1. Protected personal objects on the site are:
- Objects of informatization and technical means of automated processing of information containing personal data;
- Information resources (databases, files, etc.) containing details on information and telecommunication systems on which personal data circulates, events which occurred with the personal objects, plans for ensuring uninterrupted operation and procedures for transition to emergency management;
- Communication channels that are used to transmit personal data in the form of electronic signals and physical fields;
- Information carriers using magnetic, magnetic-optical and other means, used for the processing of personal data.
4.3.2. Technical information on information systems and elements of the personal data protection system to be protected includes:
- Data on the access control system for objects of information where personal data is processed;
- Control information (configuration files, routing tables, security settings, etc.);
- Technological information on the means of access to control systems (authentication information, access keys and attributes, etc.);
- The characteristics of communication channels used to transmit personal data by way of electronic signals and physical fields;
- Information on the means of protection of personal data, their composition and structure, and the principles and technical solutions for protection;
- Service data (metadata) appearing during the operation of software, messages and interworking protocols, as a result of processing personal data.
4.4. Requirements for the protection of personal data.
The personal data protection system must comply with the requirements of RF Government Resolution No. 781 of November 17, 2007 \"On Approving the Provision on Ensuring the Safety of Personal Data as they are processed in Personal Data Information Systems\".
4.4.1. The personal data protection system should provide:
- Timely detection and prevention of unauthorized access to personal data and (or) transferring them to persons who do not have the right to access such information;
- Preventing automated processing of personal data from being compromised in such a way as a result of which their functioning may be violated;
- The possibility of immediate restoration of personal data, modified or destroyed due to unauthorized access to them;
- Constant control over ensuring the level of protection of personal data.
4.4.2. Means of information protection used in information systems must pass the established procedure the procedure for assessing compliance.
4.5. Methods and methods of information protection in information systems of personal data.
4.5.1. Methods and means of information protection in the information systems holding personal data for the operator should comply with the requirements of FSTEC RF Order No. 58 dated 05.02.2010 \"On approval of the Regulations on methods and methods of information protection in personal data information systems\", as well as requirements of the provision on security of personal data using crypto-technology as they are processed in personal data information systems using automation tools approved by the management of the 8th FSB Center on February 21, 2008 ode No. 149 / 54-144 (in case the operator determines that it is necessary to use cryptographic protection of information to ensure the security of personal data).
4.5.2. The main methods and methods for user’s personal data in information systems are the means and methods of protecting information from unauthorized, including accidental, access to personal data, the result of which can be the destruction, modification, blocking, copying and dissemination of personal data, as well as other unauthorized actions (hereinafter - methods and methods of protecting information from unauthorized access).
4.5.3. The choice and implementation of methods and methods for protecting information on the site is carried out in accordance with the recommendations of regulators in the field of information security – the FSTEC and the FSB of Russia, taking into account the threats of personal data security (threat model) determined by the operator and depending on the class of the information system.
4.5.4. The chosen and implemented means and methods of protecting information on the site should ensure the neutralization of alleged threats to the security of personal data during its processing.
4.6. Measures to protect information that constitutes personal data.
4.6.1. Measures to protect databases containing personal data accepted by the operator must include:
- Determining the list of information constituting personal data;
- Restriction of access to information containing personal data by establishing the procedure for handling this information and monitoring compliance with this procedure.
4.6.2. Measures to protect the confidentiality of information are considered sufficient if:
- Access to the personal data is excluded from any third parties without the consent of the operator;
- It is possible to use information containing personal data without violating the legislation on personal data;
- When working with the user, such an order of action is taken by the operator, which ensures the safety of information containing personal data of the user.
4.6.3. Personal data cannot be used for purposes that contradict the requirements of the federal law and undermine the foundations of the constitutional order, morality, health, rights and legitimate interests of others, the country's defense and state security.
4.7. Responsibility.
4.7.1. All employees of the operator engaged in the processing of personal data are required to keep information containing personal data secret, in accordance with the provisions and the requirements of the legislation of the Russian Federation.
4.7.2. Persons guilty of violating the requirements of the provisions are liable under the laws of the Russian Federation.
4.7.3. Responsibility for the compliance of the regime with respect to personal data located in the databases of the site is the responsibility of the personal data processing.
5. FINAL PROVISIONS
5.1. In the event of a change in the current legislation of the Russian Federation, the introduction of changes to regulatory documents on the protection of personal data, these provisions shall apply in part so as not to contradict the current legislation until it is brought into line with such.
5.2. The terms and conditions of these provisions may be established, amended and canceled by the operator unilaterally without prior notice to the user. From the moment a new edition of the provisions is placed on the site, the previous version is considered invalid. In the event of a significant change in the terms of this agreement, the operator shall notify the users thereof by placing an announcement on the site.
5.3. If the user does not agree with the terms of these provisions, he must immediately delete their profile from the site, otherwise the continued use by the user of the site means that the user agrees with the terms of these provisions.