Privacy Policy
Policy on the Collection, Storage, Processing, and Protection of Personal Data of Users of the Main Tourist Complex Suzdal Website Located on the Internet at https://gtksuzdal.ru/ (hereinafter referred to as the Website).
This Personal Data Privacy Policy (hereinafter referred to as the Privacy Policy or the Policy) applies to all information that the Website may obtain about the User during use of the Website.
1. DEFINITIONS
The following terms are used in this Policy on the collection, storage, processing, and protection of personal data of the Website Users (hereinafter the Policy):
1.1. Website Administration means authorized employees managing the Website on behalf of OOO Turtsentr (INN 3310006470, OGRN 1113336001294), registered address: Moskva, ul. Lobachevskogo. 94, et. 1, # 6; mailing address: Vladimirskaya Oblast, Suzdal, ul. Korovniki. 45, who organize and/or carry out the processing of personal data and determine the purposes of personal data processing, the composition of personal data subject to processing, and the actions (operations) performed with personal data.
1.2. Personal Data means any information relating directly or indirectly to an identified or identifiable individual (subject of personal data).
1.3. Processing of Personal Data means any action (operation) or set of actions (operations) with personal data performed with or without the use of automation tools, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (dissemination, provision, access), anonymization, blocking, erasure, and destruction of personal data.
1.4. Dissemination of Personal Data means any action aimed at disclosing personal data to a specific group of persons, subject to prior consent and in cases provided for by law and/or this Policy.
1.5. Disclosure of Personal Data means any actions aimed at making personal data available to a specific person or a specific group of persons.
1.6. Blocking of Personal Data means temporary suspension of personal data processing (except when processing is necessary to clarify personal data).
1.7. Destruction of Personal Data means actions that make it impossible to restore the content of personal data in a personal data information system and/or result in the destruction of physical media containing personal data.
1.8. Anonymization of Personal Data means actions which make impossible to determine the ownership of personal data by a specific subject without additional information.
1.9. Confidentiality of Personal Data means the obligation of the Operator or any other person who has obtained access to personal data not to disclose or disseminate such data without the consent of the data subject or other legal grounds.
1.10. Operator means a person or organization independently organizing the processing of personal data and determining the purposes of personal data processing, the personal data subject, and actions performed with personal data.
The Operator is OOO Turtsentr (INN3310006470, OGRN 1113336001294), registered address: Moskva, ul.Lobachevskogo. 94, et. 1, # 6; mailing address: Vladimirskaya Oblast, Suzdal, ul. Korovniki ,45.
1.11. Website User (hereinafter the User) means a person with access to the Website via the Internet who is using the Website, including but not limited to as a Buyer of the Website’s services.
1.12. Automated Processing of Personal Data means processing of personal data using computer technology.
1.13. Personal Data Information System means a set of personal data contained in databases and the information technologies and technical means ensuring their processing.
1.14. Federal Law means Federal Law No. 152-FZ On Personal Data dated July 27, 2006 (hereinafter referred to as the Personal Data Law).
1.15. Cookies means a small piece of data sent by a web server and stored on the user’s computer, which the web client or browser sends back to the web server in an HTTP request when attempting to open a page of the relevant website/application.
1.16. IP address means a unique network address of a node in a computer network built using the IP protocol.
2. GENERAL PROVISIONS
2.1. Use of the Website by the User means agreement with the Policy and the terms of processing the User’s personal data.
2.2. In case of disagreement with the terms of the Policy, the User must stop using the Website.
2.3. The Policy applies only to the Website owned by OOO Turtsentr and does not control or bear responsibility for third-party websites/applications that the User may access through links available on the Website.
2.4. The Website Administration does not verify the accuracy of personal data provided by the User.
2.5. The Policy on the Collection, Storage, Processing and Protection of Personal Data of Website Users (hereinafter the Policy) has been developed to comply with the requirements of the legislation of the Russian Federation to protect personal data and to identify Website Users.
2.6. This Policy was developed in accordance with the Constitution of the Russian Federation, the Civil Code of the Russian Federation, and current Russian legislation on personal data protection.
2.7. The Policy establishes the procedure for processing Users’ personal data: collection, systematization, accumulation, storage, updating, modification, destruction, and anonymization.
2.8. Principles of personal data processing:
- processing must be lawful and fair;
- processing of personal data must be limited to achieving specific, predetermined and lawful purposes. Processing of personal data incompatible with the purposes of collecting personal data is not allowed;
- databases containing personal data processed for incompatible purposes may not be merged;
- only personal data relevant to processing purposes may be processed;
- the content and scope of personal data processed must correspond to the declared purposes. Processed personal data must not be excessive in relation to the stated purposes of its processing;
- when processing personal data, its accuracy, sufficiency, and where necessary, relevance to the purposes of processing personal data shall be ensured;
- storage of personal data shall not exceed the time period required for processing purposes unless otherwise provided by the Federal Law or by a contract to which the User is a party;
- personal data shall be destroyed or anonymized upon achievement of processing purposes or in case of loss of necessity to achieve these purposes unless otherwise provided by the Federal Law.
2.9. Conditions for processing personal data
2.9.1. Processing of personal data of the Website Users is carried out on the basis of the Civil Code of the Russian Federation, the Constitution of the Russian Federation, and the current Russian legislation on personal data protection.
2.9.2. Processing of personal data of the Website Users is carried out in compliance with the Policy and the legislation of the Russian Federation.
2.9.3. Processing of personal data is permitted in the following cases:
- processing of personal data is necessary for the use of the Website, of which the User is a party;
- processing of personal data is necessary to achieve the purposes specified in Section 4 of the Policy;
- processing of personal data is necessary for the exercise of the rights and legitimate interests of the Operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the Website Users are not violated;
- processing of personal data is carried out for statistical or research purposes with the User’s consent to the processing of his/her personal data
2.9.4. Processing of personal data
- Processing of personal data of the Website Users is carried out to provide the User with the interaction with the Website and to achieve the purposes specified in Section 4 of the Policy.
- The information that constitutes personal data on the Website is any information relating to an identified or identifiable individual (personal data subject) on the basis of such information.
2.10. Sources of Users’ personal data
- The User is the direct source of all personal data processed by the Operator.
- The source of the User’s personal data is the information obtained as a result of granting the User the access rights to the Website by the Operator.
- Users’ personal data is confidential information with restricted access.
- Confidentiality is not required for anonymized or publicly available personal data.
- The Operator may not collect and process the User’s personal data concerning racial or ethnic origin, political views, religious or philosophical beliefs, or private life except where provided by law.
- The Operator may not collect the User’s personal data concerning membership in public associations or trade union activity except where provided by the Federal Law.
2.11. Methods of processing personal data
- The User’s personal data may be processed by any lawful means, including in personal data information systems with or without automation.
- The User agrees that the Website Administration has the right to transfer personal data to third parties with whom the Operator has concluded an agreement for data processing on the basis of which it entrusts the processing of personal data to a third party; an essential condition of such agreement is the list of actions (operations) with personal data that will be performed by the party processing the personal data, the purposes of processing, the obligation of this party to ensure the confidentiality of personal data and the security of personal data during its processing, as well as the requirements for the protection of processed personal data in accordance with Article 19 of Federal Law No. 152-FZ On Personal Data of 27.07.2006. The transfer of data to such third parties is necessary for the fulfillment of the Website's obligations and achievement of data processing purposes.
- The User’s personal data may be transferred to authorized government bodies of the Russian Federation only on the grounds and in the manner established by the legislation of the Russian Federation.
- In the event of loss or disclosure of the User’s personal data, the Website Administration informs the User about the loss or disclosure of personal data.
- The Website Administration takes necessary organizational and technical measures to protect the User’s personal data from unauthorized or accidental access, destruction, modification, blocking, copying, dissemination, and other unlawful actions of third parties.
- The Website Administration and the User shall jointly take all necessary measures to prevent losses or other negative consequences caused by loss or disclosure of the User’s personal data.
2.12. Rights of personal data subjects (Users)
2.12.1. The User has the right to receive information about the Operator, its place of business, and whether the Operator processes personal data relating to the specific data subject (the User), as well as the right to access and familiarize themselves with such personal data, except in cases provided for by Part 8 of Article 14 of the Law on Personal Data.
2.12.2. The User has the right to receive from the Operator, upon personal request or upon receipt by the Operator of a written request from the User, the following information concerning the processing of his/her personal data, including:
• confirmation of the fact of processing personal data by the Operator and the purpose of such processing;
• legal grounds and purposes for processing personal data;
• purposes and methods of processing personal data used by the Operator;
• name and location of the Operator, information about third parties (except employees of the Operator) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of the Federal Law;
• processed personal data relating to the relevant subject of personal data and the source from where it was obtained, unless a different procedure for providing such data is stipulated by the Federal Law;
• time frame of processing personal data, including storage periods;
• the procedure for the exercise of User rights provided for by the Federal Law;
• information on completed or expected cross-border transfer of data;
• name or surname, first name, patronymic, and address of the person processing personal data on behalf of the Operator, if processing is entrusted or will be entrusted to such person;
• other information provided for by the Federal Law or other federal laws;
• request modification, clarification, or deletion of information about oneself;
• appeal unlawful actions or inaction regarding processing of personal data and demand appropriate compensation in court;
• supplement personal data of evaluative nature with a statement expressing one’s own point of view;
• appoint representatives for protection of one’s personal data;
• request that the Operator provide notification of any amendments to, or deletion of, such personal data.
2.12.3. The User has the right to appeal to the authorized body for protection of rights of personal data subjects or to court against actions or inaction of the Operator if he/she believes that the latter processes his/her personal data in violation of the requirements of the Federal Law On Personal Data or otherwise violates his/her rights and freedoms.
2.12.4. The personal data subject has the right to protect his/her rights and legitimate interests, including compensation for losses and/or compensation for moral damage in court if the Operator’s guilt is established by court.
2.13. Personal data confidentiality
2.13.1. The Operator ensures confidentiality and security of personal data during processing in accordance with the legislation of the Russian Federation.
2.13.2. The Operator does not disclose to third parties and does not disseminate personal data without the consent of the subject of personal data, unless otherwise provided by the Federal Law or specified in the Policy.
The User agrees that the Website Administration has the right to transfer personal data to third parties with whom the Operator has concluded an agreement on the basis of which it entrusts processing of personal data to a third party. An essential condition of such agreement is the list of actions (operations) with personal data that will be performed by the third party processing personal data, the purposes of processing, the obligation of the third party to ensure confidentiality of personal data and security of personal data during processing; the requirements for protection of processed personal data in accordance with Article 19 of the Federal Law No. 152-FZ On Personal Data of 27.07.2006 must also be specified. The transfer of data to the aforementioned third parties is necessary for the fulfillment of the Website's obligations and achievement of data processing purposes.
Personal data of the User may be transferred/disclosed to authorized government bodies of the Russian Federation only on grounds and in the manner established by the legislation of the Russian Federation.
In the event of loss or disclosure of personal data, the Website Administration informs the User about the loss or disclosure of personal data.
2.13.3. In accordance with the list of personal data processed on the Website, personal data of the Website Users constitutes confidential information.
2.13.4. Individuals processing personal data are obliged to comply with requirements of the Operator’s regulatory documents regarding ensuring confidentiality and security of personal data.
2.13.5. The Website does not control and is not responsible for third-party websites which the User may access via links available on the Website.
3. SUBJECT OF THE POLICY
3.1. This Policy establishes the obligations of the Website Administration regarding nondisclosure and protection of the personal data the User provided at the request of the Website Administration when making reservations or performing other actions on the Website, and specifies the main terms and conditions for the collection, storage, processing and protection of personal data of the Website Users.
3.2. Personal data permitted for processing by this Privacy Policy is provided by the User by filling out the reservation form, as well as the Subscribe, Ask a Question, Request a Call and Get a Presentation tabs on the Main Tourist Complex Suzdal website, located on the Internet at https://gtksuzdal.ru/, and includes the following information, hereinafter referred to as personal data:
- surname, first name, patronymic (if any);
- contact information (phone number, email address);
- citizenship;
- gender;
- period of stay (check-in date, check-out date, purpose of visit, room number);
- accommodation conditions;
- registered address;
- guest information;
- date of birth (day/month/year);
- identification document details (series, number, issue date, department code, issuing authority, country of birth, region, district, city, locality of birth)
3.3. The Website protects data that is automatically transmitted when viewing advertising blocks and visiting pages which use statistical scripts (pixels):
- IP address;
- information from cookies through internet statistics services (Yandex.Metrica, LiveTex, TravelLine, Top.mail.ru);
- browser information (or other program that accesses advertising blocks);
- access time;
- address of the page containing the advertisement block;
- referrer address (address of the previous page).
3.3.1. Disabling cookies may result in inability to access parts of the Website requiring authorization.
3.3.2. The Website collects statistics about its visitors’ IP addresses. This information is used to identify and solve technical issues and monitor the legality of financial payments.
3.4. Any other personal information not specified above (booking history, browsers and operating systems used, etc.) is subject to secure storage and nondisclosure except in cases provided for in clause 2.13.2. of this Privacy Policy.
3.5. Persons authorized to access personal data
3.5.1. Access to personal data of data subjects is granted only to individuals who are authorized to do so in accordance with their job responsibilities.
3.5.2. The list of persons with access to personal data is approved by the Operator.
3.6. Any other personal information not specified above (browsers and operating systems used, etc.) is subject to secure storage and nondisclosure, except for cases provided for in clause 2.13.2. of this Privacy Policy.
3.7. Legal grounds for processing personal data
3.7.1. The Operator processes the User's personal data only if it is submitted by the User through forms on the Website. By submitting his/her personal data to the Operator, the User expresses his/her consent to this Policy.
3.7.2. The Operator processes anonymized User’s data if this is permitted in the User's browser settings (saving cookie files is enabled).
4. PURPOSES OF COLLECTING USER’S PERSONAL INFORMATION AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
4.1. The Website Administration may use the User’s personal data for the following purposes:
• providing the User with access to specific resources of the Website;
• establishing feedback with the User, including sending notifications and requests regarding use of the Website, provision of services, processing requests and orders from the User;
• providing information about marketing events to the User;
• fulfillment of the Operator’s obligations to the User;
• conducting audits and other internal research for the purpose of improving quality of services/goods provided;
• confirmation of accuracy and completeness of personal data provided by the User;
• creating a guest profile on the Website when the User makes a room reservation on the Website;
• providing the User with effective customer and technical support in case of problems related to use of the Website;
• the User’s participation in advertising events;
• informing and providing access to the Website or partner services for the purpose of receiving products, updates, and services;
• informing the User about products and events by sending newsletters and notifications to the User, as well as for the purpose of informing the User through notifications and newsletters about new products/goods, services, special offers, and various events. At the same time, the User always has the right to refuse to receive informational messages/unsubscribe by sending a corresponding notification either to the Operator’s mailing address, or via online chat on the Website, or to the email address booking@gtksuzdal.ru;
• identifying the User making a room reservation on the Website for use of the Website functionality;
• providing the User with access to personalized resources of the Website;
• confirming the accuracy and completeness of personal data provided by the User;
• notifying the User about operation of the Website;
• processing and receiving payments, confirmation of tax or tax benefits, disputing a payment, determining the User’s eligibility for a line of credit.
4.1.1. Anonymized data collected using the Internet statistics services serves to collect information about actions of the Users on the Website and to improve the quality of the Website and its content.
4.2. The Operator processes the User’s personal data only in case it is filled in and/or submitted by the User independently through special forms located on the Website.
4.2.1. By filling out corresponding forms and/or submitting his/her personal data to the Operator, the User expresses consent to the Policy.
4.2.2. The Operator processes depersonalized data about the User if this is permitted in the User’s browser settings (saving of cookie files is enabled).
5. METHODS AND TERMS OF PROCESSING AND STORING OF PERSONAL DATA
5.1. Personal data is processed by lawful means, including in personal data information systems with or without automation.
5.2. Personal data may be transferred to government authorities of the Russian Federation only on the grounds and in the manner established by the legislation of the Russian Federation.
5.3. In the event of loss or disclosure of personal data, the Website Administration informs the User about the loss or disclosure of personal data.
5.4. The Website Administration takes necessary organizational and technical measures to protect the User’s personal data from unlawful or accidental access, destruction, modification, blocking, copying, dissemination, and from other unlawful actions of third parties.
5.5. The time period of processing and storage of personal data of Users on the Website is unlimited and comes into effect from the moment the User accepts the Policy on the Website, remaining effective until the individual (the User) unsubscribes from advertising, news, and informational mailings and notifications. Processing of personal data may be terminated upon request of the personal data subject.
Time periods of processing and storage of the User’s personal data on the Website also remain effective until the User expresses his/her desire to delete his/her personal data from the Website and/or withdraw the https://gtksuzdal.ru/en/agree-en.html. The User has the right to, at any time, withdraw the https://gtksuzdal.ru/en/agree-en.html by sending the Operator (the Website Administration) a notification to the address of the Operator (the Website Administration): OOO Turtsentr (INN 3310006470, OGRN 1113336001294), registered address: Moskva, ul. Lobachevskogo, 94, et. 1, # 6, mailing address: Vladimirskaya Oblast, Suzdal, ul. Korovniki, 45, booking@gtksuzdal.ru, 8-(800)-333-09-08.
The User expresses consent to the terms of this Policy and to the processing of his/ her personal data by accepting this Policy, which is effected by selecting the relevant checkbox(es) on the Website next to the statements "I consent to the processing of my personal data" and "I agree to the terms of the Policy on the Collection, Storage, Processing and Protection of Personal Data (Privacy Policy)," and by clicking the "Submit" button or any other button of similar meaning on the Website, which shall constitute the User's consent.
5.6. In case of data erasure from the Website at initiative of one of the parties, namely termination of use of the Website, personal data of the User is stored in the Operator’s databases for five years in accordance with the legislation of the Russian Federation.
After expiration of the above processing and storage period of the User’s personal data, the User’s personal data is deleted automatically by an algorithm pre-set by the Operator.
The Operator does not process Users’ personal data of on paper media.
5.7. Blocking of personal data.
5.7.1. Blocking of personal data means temporary hold by the Operator of operations for its processing at the request of the User upon detection of inaccuracy of the processed information or, in the opinion of the personal data subject, unlawful actions in relation to his/her data.
5.7.2. The Operator does not transfer personal data to third parties and does not entrust processing of personal data to third-party persons and organizations except in cases specified in clauses 2.13.2 and 5.9 of this Policy, and in case of the User’s consent to transfer his/her personal data for processing by third parties - strategic partners with whom the Operator has concluded an Agreement and to whom the Operator transfers personal data for the purposes specified in this consent, namely: recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), anonymization, blocking, erasure, and destruction of personal data. In other cases, personal data of the Website Users is processed only by employees of the Operator (database administrators, etc.) authorized in the established manner to process Users’ personal data.
5.7.3. Blocking of personal data on the Website is carried out on the basis of a written request from the subject of personal data.
5.8. Destruction of personal data.
5.8.1. Destruction of personal data means actions that make it impossible to restore the content of personal data on the Website and/or result in the destruction of physical media containing personal data.
5.8.2. The personal data subject has the right to request in writing the destruction of his/her personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or is not necessary for the stated purpose of processing. The personal data subject has the right to withdraw unilaterally, in written form his/her consent to processing of personal data.
5.8.3. Where the destruction of personal data is not possible, the Operator shall block such personal data.
5.8.4. Destruction of personal data is carried out by erasing information using certified software with guaranteed destruction (in accordance with the specified characteristics for the installed software with guaranteed destruction).
5.9. The User agrees that the Website Administration has the right to transfer personal data to third parties with whom the Operator has concluded an Agreement for purposes of advertising and/or informational mailings, provided that the User consents to receiving of such mailings, and for fulfilling other processing purposes.
5.10. Cross-border transfer of personal data is not carried out.
6. METHODS OF PERSONAL DATA PROTECTION
6.1. The security of personal data is ensured through the following:
6.1.1. Identifying threats to the security of personal data during its processing in personal data information systems.
6.1.2. Applying necessary organizational and technical measures to ensure the security of personal data during its processing in personal data information systems to meet the requirements for personal data protection.
6.1.3. Applying conformity assessment procedures for information security methods in the established manner.
6.1.4. Assessing the effectiveness of measures taken to ensure the security of personal data before putting the personal data information system in operation.
6.1.5. Inventory of machine media of personal data.
6.1.6. Detecting unauthorized access to personal data and taking appropriate measures.
6.1.7. Restoring personal data modified or destroyed due to unauthorized access.
6.1.8. Establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and recording of all actions performed with personal data in the personal data information system.
6.1.9. Monitoring measures taken to ensure the security of personal data and the level of protection of personal data information systems.
6.1.10. Installing certified antivirus software with regularly updated databases.
6.1.11. Detecting unauthorized access to personal data and taking appropriate measures.
6.2. The Operator shall ensure the safety of the transferred personal data and take all possible measures to prevent access to personal data by unauthorized parties.
7. OBLIGATIONS OF THE PARTIES
7.1. The Use shall:
7.1.1. Provide personal data necessary for using the Website, placing an order, making a reservation, buying and selling goods online.
7.1.2. Update and supplement the provided personal data in the event of changes to this information by notifying the Operator via online chat on the Website, email at booking@gtksuzdal.ru or by sending a notification to the Operator's address, indicating which data is outdated and/or needs to be changed, erased/destroyed, and provide correct data.
7.1.3. Independently update his/her personal data if inaccuracies are detected by sending a notification to the Operator's address or notifying the Operator via online chat on the Website or by an email marked "Updating personal data” to booking@gtksuzdal.ru.
7.2. The Website Administration shall:
7.2.1. Use the obtained information solely for the purposes specified in clause 4 of this Privacy Policy.
7.2.2. Keep personal data confidential and not disclose it without the prior written permission of the User and/or except in cases established by the legislation of the Russian Federation; not sell, exchange, publish, or disclose in any other possible way the User’s personal data, except for clauses 5.2., 5.9., 2.13.2. of this Policy.
7.2.3. Take appropriate precautions to protect the confidentiality of the User's personal data according to the procedure commonly used to protect this type of information in current business practice.
7.2.4. Block the User’s personal data for the period of verification from the moment the User or his/her legal representative or the authorized body for the protection of the rights of personal data subjects makes a request or enquiry, in case inaccurate personal data or unlawful actions are detected.
8. LIABILITY OF THE PARTIES
8.1. The Website Administration that fails to fulfil its obligations shall be liable for losses incurred by the User due to the unlawful use of personal data, in accordance with the legislation of the Russian Federation, except in cases provided for in clauses 5.2. and 7.2., 5.9., 2.13.2. of this Policy, provided the guilt of the Website Administration/the Operator is proven.
8.2. In the event of loss or disclosure of confidential information, the Website Administration shall not be liable if this confidential information:
8.2.1. Became publicly available before its loss or disclosure.
8.2.2. Was received from a third party before it was received by the Website Administration.
8.2.3. Was disclosed with the User's consent.
9. DISPUTE RESOLUTION
9.1. Before filing a lawsuit in court regarding disputes arising from the relationship between the Website User and the Website Administration, the claimant must submit a pre-trial claim (a written proposal for voluntary settlement of the dispute).
9.2. The recipient of the claim shall, within 30 calendar days from the date of receipt of the claim, notify the claimant in writing of the results of the review of the claim.
9.3. In the event an agreement is not reached, the dispute shall be referred for resolution to a judicial authority at the Operator's location.
9.4. This Policy and the relationship between the User and the Website Administration are governed by the current legislation of the Russian Federation.
10. ADDITIONAL TERMS
10.1. The Website Administration may amend this Privacy Policy without the User’s consent.
10.2. The new Privacy Policy becomes effective from the moment it is posted on the Website, unless otherwise provided by the new version of the Privacy Policy.
10.3. Any suggestions, comments or questions regarding this Privacy Policy should be submitted via e-mail to: booking@gtksuzdal.ru.
10.4. The current Privacy Policy is available at the Website: https://gtksuzdal.ru/en/privacy-en.html.