PERSONAL DATA PROCESSING POLICY

1. General Provisions
This Policy for the processing of personal data (hereinafter referred to as the Policy) has been developed in accordance with the requirements of Federal Law No. 152-FZ "On personal data" and defines the procedure for processing, storing and protecting the personal data of clients of the Ozerkovskaya Hotel of JSC "CSTE" (holding) (OGRN 1027739038326, INN 7705010473, KPP 770501001, address: 115054, Moscow, Ozerkovskaya embankment, 50, building 1, floor 4, room I, room 3A, hotel address: 115054, Moscow, Ozerkovskaya embankment, 50, building 2).
The purpose of processing personal data is to ensure the organization’s activities, fulfill obligations to clients, partners, employees and other subjects of personal data.

2. Basic concepts
- Personal data - any information relating directly or indirectly to a specific or identifiable individual (subject of personal data).
- Processing of personal data is any action (operation) or set of actions performed with or without the use of automation tools, including collection, systematization, storage, clarification, use, distribution, depersonalization, blocking and destruction of personal data.
- The operator is an organization or person who, independently or jointly with other persons, determines the purposes and means of processing personal data.

3. Purposes of personal data processing
Processing is carried out for the following purposes:
- fulfillment of contractual obligations;
- provision of services/products;
- maintenance of internal records and document flow;
- marketing research and mailings;
- ensuring information security;
- mailings of an advertising nature and other actions related to advertising;
- compliance with legal requirements.

4. Categories of personal data processed
As part of the organization’s activities, the following categories of personal data are processed:
- identification data: full name, date of birth, sex, passport details;
- contact details: telephone, email, registered address of residence and actual address of residence;
- financial details: bank accounts, payment details.

5. Sources of obtaining personal data
Personal data may be obtained:
- directly from personal data subjects (clients, employees);
- from open sources;
- from third parties by agreement or on the basis of legislation.

6. Measures to ensure the security of personal data
The organization takes the necessary legal, organizational and technical measures to protect personal data from unauthorized access, destruction, modification, blocking or distribution.
Measures include:
- restricting access to data;
- using encryption tools;
- regular training of employees on information security issues;
- maintaining processing logs.

7. Rights of personal data subjects
Subjects have the right:
- to receive information about their personal data;
- to clarify or update their data;
- to delete their data (the right to be forgotten);
- to limit processing;
- to object to processing in certain cases.

8. Transfer of data to third parties
In order to provide services and improve their quality, we transfer information about you to the following third parties:
LLC "Business Analytics", INN: 7709973919, KPP: 770901001, Legal address: 109004, Moscow, Alexandra Solzhenitsyna St., 23a, building 1, room III, off. 1 
LLC "Tilda Publishing", INN: 7722391042, KPP: 770701001, Legal address: 109544, Moscow, Entuziastov Blvd., 2nd floor, 13, rooms 8-19
TRAVEL LINE PRO LLC, INN: 1215183934, checkpoint: 121501001, Legal address: 424031, Republic of Mari El, Yoshkar-Ola, Krasnoarmeyskaya st., 43, premises. 11 
LLC "VK", INN: 7743001840, checkpoint: 997750001, Legal address: 125167, Moscow, Leningradsky prospect, 39, building 79
LLC "Yandex", INN: 7736207543, checkpoint: 770401001, Legal address: 119021, Moscow, st. Lev Tolstoy, 16

9. Personal data storage periods
Personal data is stored no longer than the period necessary to achieve the purposes of their processing or in accordance with the requirements of the Russian Federation legislation.
Upon expiration of the storage periods, the data is subject to destruction or depersonalization.

10. Responsibility for Violation of Policy
Officers shall be held responsible for violation of the requirements of this Policy in accordance with the internal regulations of the organization and the legislation of the Russian Federation.

11. Final Provisions
The Policy is subject to revision and updating in the event of changes in legislation or the organization's operating conditions.
All employees are required to comply with the provisions of the Policy when processing the personal data of clients.