PERSONAL DATA PROCESSING POLICY OF SUN LINE LLC1. General Provisions 1.1. This Personal Data Processing Policy (hereinafter referred to as the "Policy") sets forth the policy of Sun Line LLC, OGRN 1152308010140, INN 2308224261, registered under the laws of the Russian Federation at: 350000, Krasnodar, Chapaeva St. 94, Unit 23 (hereinafter referred to as the "Operator") regarding the processing and security of personal data. It applies to all personal data that the Operator may collect from individuals when they contact the Operator directly (via phone call, message, etc.) or through the Operator’s website:
http://www.bluesun.one (hereinafter referred to as the "Website"), as well as from other operators, and during the registration of personal data subjects on the website and order placement. The Policy also includes information on the implemented requirements for the protection of personal data.
1.2. The Policy is designed to meet the requirements of the legislation on personal data processing and security, aiming to protect the rights and freedoms of individuals when their personal data is processed by the Operator.
1.3. The Policy covers all processes involved in the collection, recording, systematization, accumulation, storage, updating (modification, revision), extraction, use, transfer (dissemination, provision of access), anonymization, blocking, deletion, and destruction of personal data, whether automated or manual.
1.4. The provisions of this Policy are mandatory for all employees of the Operator who have access to personal data.
1.5. The Policy must be reviewed and followed by all individuals authorized to process personal data within the personal data information system.
1.6. The Policy applies to data received both before and after its approval.
1.7. The current version of the Policy is available on the Operator’s website and takes effect from the moment it is posted unless otherwise stated in a revised version of the Policy.
1.8. Using the Operator’s Website indicates acceptance of this Policy and the conditions for processing the User’s personal data.
1.9. If the User disagrees with the terms of the Policy, they must cease using the Website.
2. List of Regulatory Documents The processing of personal data by the Operator is carried out on a legal and fair basis, with the following legal grounds for processing:o The Constitution of the Russian Federation;
o The Labor Code of the Russian Federation;
o Federal Law No. 152-FZ "On Personal Data" dated July 27, 2006 (hereinafter referred to as the "Federal Law on Personal Data");
o Government Resolution No. 687 dated September 15, 2008, "On Approval of the Regulations for the Processing of Personal Data Not Requiring Automation";
o Government Resolution No. 512 dated July 6, 2008, "On Approval of Requirements for Physical Media of Biometric Personal Data and Technologies for Storing Such Data Outside of Personal Data Information Systems";
oGovernment Resolution No. 1119 dated November 1, 2012, "On Approval of Requirements for the Protection of Personal Data Processed in Personal Data Information Systems";
o FSTEC Order No. 21 dated February 18, 2013, "On Approval of the Composition and Content of Organizational and Technical Measures for Ensuring the Security of Personal Data Processed in Personal Data Information Systems";
o Roskomnadzor Order No. 996 dated September 5, 2013, "On Approval of Requirements and Methods for Anonymizing Personal Data";
o Other regulatory legal acts of the Russian Federation and normative documents from executive bodies of state power.
3. Terms and Definitions The Policy uses terms and definitions as defined in Federal Law No. 152 "On Personal Data":1) Personal Data - any information related to an identified or identifiable individual (personal data subject);
2) Processing of Personal Data - any action (operation) or set of actions (operations) performed with personal data, whether automated or manual, including collection, recording, systematization, accumulation, storage, updating (revision, modification), extraction, use, transfer (dissemination, provision of access), anonymization, blocking, deletion, destruction of personal data;
3) Automated Processing of Personal Data - processing of personal data using computing technology;
4) Dissemination of Personal Data - actions aimed at disclosing personal data to an unspecified group of individuals;
5) Provision of Personal Data - actions aimed at disclosing personal data to a specific individual or group of individuals;
6) Blocking of Personal Data - temporary cessation of processing personal data (except when processing is necessary for updating personal data);
7) Destruction of Personal Data - actions that make it impossible to restore the content of personal data in the personal data information system and/or that result in the destruction of physical media containing personal data;
8) Anonymization of Personal Data - actions that make it impossible to determine the ownership of personal data to a specific individual without additional information;
9) Personal Data Information System - a set of personal data contained in databases and the technologies and technical means ensuring their processing;
10) Personal Data Subject - an identified or identifiable individual, including Website Users;
11) User - any person who accesses the Website, applications, services, and information posted on the Website via the Internet and uses the Website;
12) Cookies - a small piece of data sent by a web server and stored on a user's computer, which the web client or browser sends back to the server in HTTP requests each time the user tries to open a page of the website;
13) IP Address - a unique network address of a node in a computer network built according to the IP protocol.
4. Core Principles of Personal Data Processing4.1. The Operator processes Personal Data based on the following principles:
o Legality of the purposes and methods of processing Personal Data;
o Good Faith of the Personal Data Operator, achieved by adhering to the requirements of the Russian Federation’s legislation regarding Personal Data processing;
o Relevance of the composition and scope of processed Personal Data, as well as the methods of processing, to the stated purposes of processing;
o Accuracy and adequacy, and, where necessary, up-to-dateness of Personal Data concerning the stated purposes of processing;
o Destruction of Personal Data upon achieving the processing goals in a manner that prevents its recovery;
o Prohibition of combining databases containing Personal Data processed for incompatible purposes.
4.2. Employees of the Operator who have access to Personal Data must:
a) Be aware of and strictly adhere to: - The legislation of the Russian Federation regarding Personal Data; - This Policy; - The Operator’s internal regulations on Personal Data processing and security;
b) Process Personal Data only within the scope of their official duties;
c) Not disclose Personal Data processed by the Operator;
d) Report any actions by others that could lead to a breach of this Policy;
e) Notify the person responsible for organizing Personal Data processing at the Operator of any known violations of this Policy.
4.3. The security of Personal Data is ensured by implementing agreed measures aimed at preventing (neutralizing) and eliminating threats to Personal Data security, minimizing potential damage, and restoring data and the operation of Personal Data Information Systems in the event of a threat.
5. Purposes of Personal Data Processing5.1. The Operator collects and stores only the personal information necessary to provide services, works, or fulfill agreements and contracts with Personal Data Subjects, except where legislation requires the mandatory retention of personal information for a specified period.
5.2. The Operator processes Personal Data for the following purposes:
o Conducting transactions and providing services/performing work/selling goods in accordance with the Operator’s Charter;
o Entering into any contracts with Personal Data Subjects and their subsequent fulfillment;
o Conducting promotions, surveys, and research by the Operator;
o Identifying Personal Data Subjects registered on the Website to provide services and perform work;
o Granting Personal Data Subjects access to personalized resources on the Website;
o Establishing feedback with Personal Data Subjects, including sending notifications and requests related to the use of the Website, provision of services/work/goods, and handling requests and applications from Personal Data Subjects;
o Determining the location of Personal Data Subjects to carry out transactions and provide services/perform work/sell goods in accordance with the Operator’s Charter;
o Verifying the accuracy and completeness of Personal Data provided by Personal Data Subjects;
o Creating an account if the Personal Data Subject has consented to account creation;
o Notifying Personal Data Subjects about the Website;
o Establishing feedback with Personal Data Subjects, including sending notifications and requests concerning provided services and Website use;
o Processing requests and applications from Personal Data Subjects, preparing and sending responses to such requests and applications;
o Providing effective customer and technical support to Personal Data Subjects encountering issues related to Website use;
o Conducting advertising activities with the consent of Personal Data Subjects;
o Providing information to Personal Data Subjects about the services rendered and works performed by the Operator;
o Informing Personal Data Subjects about offers for products and services from the Operator;
o Managing HR and organizing the accounting of the Operator’s employees;
o Recruiting and selecting candidates for employment with the Operator;
o Preparing statistical and other reports submitted to government authorities;
o Conducting administrative and economic activities of the Operator;
o Achieving the goals specified in international agreements of the Russian Federation or legislation, for the performance and fulfillment of functions, powers, and responsibilities assigned to the Operator by the legislation of the Russian Federation.
6. Classification of Personal Data and Personal Data Subjects6.1. Personal Data includes any information related to an identified or identifiable individual (Personal Data Subject) processed by the Operator for achieving pre-defined goals.
6.2. The Operator does not process special categories of Personal Data related to racial and ethnic origin, political opinions, religious or philosophical beliefs, intimate life, or criminal convictions of individuals, unless otherwise stipulated by the legislation of the Russian Federation.
6.3. The Operator processes Personal Data of the following categories of Personal Data Subjects:
o Individuals who are job candidates;
o Individuals who are employees of the Operator;
o Individuals who perform work/provide services and have entered into a civil-law contract with the Operator;
o Individuals who are part of the Operator’s management bodies;
o Individuals who have purchased or intend to purchase the Operator’s services/works, or third-party services through the Operator, or who do not have a contractual relationship with the Operator, provided their Personal Data is included in the Operator’s automated systems in connection with the Operator’s provision of services/performing work for its clients and is processed in accordance with Personal Data legislation;
o Individuals who are not clients of the Operator but who have entered into or intend to enter into contractual relations with the Operator in connection with the Operator’s administrative and economic activities, provided their Personal Data is included in the Operator’s automated systems and processed in accordance with Personal Data legislation;
o Individuals who have made their Personal Data publicly available, provided that such processing does not violate their rights and complies with the requirements of Personal Data legislation;
o Other individuals who have consented to the processing of their Personal Data by the Operator or whose Personal Data processing is necessary for the Operator to achieve goals specified in international agreements of the Russian Federation or legislation for the performance and fulfillment of functions, powers, and responsibilities assigned to the Operator by the legislation of the Russian Federation.
6.4. Personal Data permitted for processing under this Policy using the Website is provided by the Subject through filling out forms on the Website and includes:
o The Subject’s surname, first name, and patronymic;
o The Subject’s organization name;
o The Subject’s position in the organization;
o The Subject’s email address;
o The Subject’s contact phone number;
o The Subject’s city of residence.
6.5. The Operator securely stores, does not distribute or disclose any Data automatically transmitted during visits to the Website pages where a statistical system script (“pixel”) may be installed, including:
o IP address;
o information from cookies;
o Information about the browser (or other program used to access advertisements);
o access time;
o referrer (previous page’s address). Disabling cookies may result in restricted access to certain parts of the Website.
7. Organization of Personal Data Processing Management System 7.1. The processing of Personal Data by the Operator is carried out with the consent of the Data Subject, or without such consent if the processing of Personal Data is necessary for the execution of a contract in which the Data Subject is a party, beneficiary, or guarantor, or for concluding a contract at the initiative of the Data Subject, or in other cases provided by the Law on Personal Data.
7.2. The Operator, with the Data Subject's consent, unless otherwise provided by federal law, is entitled to entrust the processing of Personal Data to a third party, including but not limited to LLC "Blue Line", OGRN 1132367000017, INN 2317068918, registered under the laws of the Russian Federation at: 350000, Krasnodar, Chapaeva 94. 2, Unit 8. Such Personal Data processing is carried out only under a contract between the Operator and the third party, which must specify:
- the list of actions (operations) involving the Personal Data to be performed by the third party;
- the purposes of Personal Data processing;
the obligation of the third party to maintain the confidentiality of the Personal Data and ensure its security during processing, as well as compliance with the requirements for protecting the processed Personal Data.
7.3. The Operator transfers Personal Data to government authorities within their legal powers, in accordance with Russian law.
7.4. The Operator is responsible to the Data Subject for the actions of third parties to whom it entrusts the processing of the Data Subject’s Personal Data.
7.5. Access to the processed Personal Data is granted only to the Operator's employees who need it in connection with their job responsibilities, in accordance with the principles of personal accountability.
7.6. The processing of Personal Data ceases once the processing objectives are achieved, or upon the expiration of the terms established by law, contract, or the Data Subject’s consent. If the Data Subject withdraws consent to the processing of their Personal Data, processing is limited to what is necessary to execute contracts with them and to achieve objectives prescribed by Russian law.
7.7. Personal Data processing is carried out with confidentiality, meaning it is prohibited to disclose or distribute Personal Data to third parties without the consent of the Data Subject unless otherwise provided by Russian law.
7.8. The Operator ensures the confidentiality of the Data Subject's Personal Data on its own behalf, on behalf of its affiliates, and on behalf of its employees who have access to Personal Data. The Operator ensures that the Personal Data is used solely for purposes that comply with the law, contract, or agreement made with the Data Subject.
7.9. The security of the processed Personal Data is ensured by the Operator through a comprehensive system of organizational, technical, and legal measures aimed at protecting information constituting a commercial secret, in accordance with the Law on Personal Data and related regulatory legal acts. The Operator's information security system is continuously evolving, based on international and national information security standards, as well as best practices.
8. Rights of the Data Subject 8.1. The Data Subject has the right to receive information regarding the processing of their Personal Data, including:
- confirmation of whether the Operator is processing their Personal Data;
- the legal grounds and purposes for processing their Personal Data;
- the purposes and methods used by the Operator for processing Personal Data;
the Operator's name and location, and information about persons (except for the Operator's employees) who have access to the Personal Data or to whom the Personal Data may be disclosed based on an agreement with the Operator or based on federal law;
the Personal Data being processed that relates to the Data Subject, the source from which it was obtained unless a different procedure for providing such data is established by federal law;
the terms of Personal Data processing, including the period for which it will be stored;
the procedure for exercising the Data Subject's rights under the Federal Law "On Personal Data";
- information on any cross-border transfers of Personal Data that have been carried out or are planned;
- the name or surname, first name, and patronymic, and address of the person responsible for processing Personal Data on behalf of the Operator if such processing has been entrusted or will be entrusted to that person;
- other information provided by the Federal Law "On Personal Data" or other federal laws.
8.2. The Data Subject's right to receive information about the processing of their Personal Data may be restricted in cases provided by the Federal Law "On Personal Data."
8.3. The Data Subject may revoke consent for the processing of Personal Data. If consent is revoked, the Operator is entitled to continue processing the Personal Data without the Data Subject's consent under the grounds specified in the Federal Law "On Personal Data."
8.4. The Data Subject also has other rights established by the Federal Law "On Personal Data."
9. Source of Personal Data 9.1. The Personal Data processed by the Operator may be obtained directly from the Data Subject or from publicly available sources of Personal Data (including directories, address books).
9.2. Personal Data obtained from third parties may only be processed by the Operator with the prior consent of the Data Subject.
10. Obligations of the Operator 10.1. In cases established by Russian law on Personal Data, the Operator is obliged to provide the Data Subject or their representative, upon request, the information specified in section 8.1 of this Policy.
10.2. When collecting Personal Data, including via the Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of the Personal Data of Russian citizens using databases located in the territory of the Russian Federation, except as provided by the Federal Law "On Personal Data."
10.3. The Operator has other obligations established by the Federal Law "On Personal Data."
11. Information on Implemented Personal Data Protection Requirements 11.1. A key condition for the Operator's activities is ensuring an adequate level of security for information systems processing Personal Data, safeguarding the confidentiality, integrity, and availability of processed Personal Data, and maintaining the security of storage media containing Personal Data throughout all stages of processing.
11.2. The conditions and protection regime for information designated as Personal Data, as established by the Operator, ensure the security of processed Personal Data.
11.3. In accordance with Russian law, the Operator has: 11.3.1. Developed and implemented a comprehensive set of organizational, regulatory, functional, and planning documents governing and ensuring the security of processed Personal Data.
11.3.2. Introduced security measures for processing and handling Personal Data, as well as a security regime for premises where Personal Data storage media are processed and stored.
11.3.3. Appointed a person responsible for organizing and ensuring Personal Data security.
11.3.4. Established personnel requirements, and defined the responsibilities of employees to ensure Personal Data security.
11.3.5. Familiarized employees engaged in processing Personal Data with Russian legislation on Personal Data security and requirements for Personal Data protection, as well as documents outlining the Operator's policy on Personal Data processing and internal regulations regarding Personal Data. Periodic training on Personal Data processing rules is conducted for these employees.
11.3.6. Taken necessary and sufficient technical measures to ensure the security of Personal Data from accidental or unauthorized access, destruction, modification, blocking of access, and other unauthorized actions:
- A system of access control has been implemented.
- Protection against unauthorized access to automated workstations, information networks, and Personal Data databases has been established.
Protection against malicious software and mathematical impacts has been implemented.
Regular backups of information and databases are carried out.
Information transmitted over public networks is encrypted.
11.3.7. Organized a system to monitor Personal Data processing and security. Regular checks of the Personal Data protection system are planned, as well as audits of the security level of Personal Data in information systems, the functionality of information protection measures, and the identification of changes in the Personal Data processing and protection regime.
12. Responsibility 12.1. Control over compliance with this Policy is carried out by the person responsible for organizing Personal Data processing.
12.2. Persons found guilty of violating the regulations governing Personal Data processing and the protection of Personal Data processed by the Operator are liable under Russian law.
13. Dispute Resolution 13.1. Before filing a lawsuit over disputes arising from the relationship between the Website User and the Operator, a written claim (a proposal for voluntary dispute resolution) must be submitted.
13.2. The claim recipient shall notify the claimant in writing of the results of the claim review within 30 calendar days of receiving the claim.
13.3. If no agreement is reached, the dispute shall be referred to the court in accordance with the laws of the Russian Federation.
13.4. This Privacy Policy and the relationship between the User and the Operator are governed by the current laws of the Russian Federation.
14. Third-Party Resources 14.1. The Operator’s Website may contain links to third-party websites and services, whose privacy policies may differ from those of the Operator.
14.2. If the Data Subject submits personal information to any third-party websites or services, such information will be governed by the privacy statements posted on those websites or services.
15. Additional Provisions 15.1. The Operator reserves the right to amend this Policy without the User's consent.
15.2. The new version of the Policy becomes effective upon its publication on the Website unless otherwise provided by the updated Policy.
15.3. Withdrawal of consent for personal data processing, requests for information about personal data processing, as well as any suggestions or questions regarding this Policy, should be directed to:
LLC "Sun Line"
Legal and postal address: 350000, Krasnodar, Chapaeva St. 94, Office 23
+7 499 685-14-89
one@bluesun.onehttp://www.bluesun.one