Policy of the website “LUX VIP AUTOS” regarding the processing of personal data

1. General Provisions

1.1. This Policy on the processing of personal data (hereinafter referred to as the Policy) has been drawn up in accordance with paragraph 2 of part 1 of article 18.1 of the Federal Law of the Russian Federation “On Personal Data” No. 152-FZ of July 27, 2006 and applies to all personal data processed in LUX VIP AUTOS (hereinafter referred to as the “Operator”).

1.2. The purpose of developing this Policy is to determine the categories of personal data processed by the Operator, as well as the basic principles that the Operator follows when processing personal data.

1.3.

The provisions of this Policy are mandatory for all employees of the Operator, organizations receiving or providing personal data to the Operator, as well as individuals in contractual relations with the Operator.

1.4. The following concepts are used in this Policy:

– personal data – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data);

– personal data operator (operator) — a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data;

– personal data processing — any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Personal data processing includes, among other things:

• collection;
• recording;
• systematization;
• accumulation;
• storage;
• clarification (update, change);
• extraction;
• usage;
• transfer (distribution, provision, access);
• blocking;
• removal;
• destruction.

– automated processing of personal data – processing of personal data using computer technology;

– dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;

– provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;

– blocking of personal data – temporary cessation of processing of personal data (except in cases where processing is necessary to clarify personal data);

– destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed;

– personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing;

– cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to a foreign government body, a foreign individual or a foreign legal entity.

– confidentiality of personal data — the obligation of the Operator and other persons who have gained access to personal data not to disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by federal law.

1.5. Subjects of personal data or their legal representatives have the right to::

– receive complete information about your personal data and the processing of this data (including automated processing);

– exercise free access to their personal data, including the right to receive copies of any record containing the personal data of the subject, except in cases stipulated by federal legislation of the Russian Federation;

– demand the exclusion or correction of incorrect or incomplete personal data, as well as data that is being processed in violation of Russian legislation;

– if the Operator or a person authorized by him refuses to exclude or correct the personal data of the subject, state his disagreement in writing, providing the relevant justification;

– require the Operator or a person authorized by it to notify all persons who were previously provided with incorrect or incomplete personal data of the subject of all changes made to them or exclusions from them;

– appeal in court any illegal actions or inactions of the Operator or a person authorized by him, carried out during the processing and protection of the personal data of the subject.

1.6. Subjects of personal data or their legal representatives are obliged to:

– provide the Operator with personal data that corresponds to reality;

– promptly notify the Operator of all changes in personal data.

1.7. The Operator has the right to process personal data provided that there are legal grounds, the processing processes comply with the stated purposes of processing and the requirements of the legislation of the Russian Federation, the provisions of this Policy and other local acts of the Operator.

1.8. The operator is obliged:

– at their own expense, ensure the protection of personal data from unlawful use or loss in accordance with the procedure established by the legislation of the Russian Federation;

– provide the subject of personal data, upon his request, with information concerning the processing of his personal data, or, on legal grounds, provide a refusal;

– provide the subject with free access to his personal data, including the right to receive copies of any record containing his personal data, except in cases stipulated by the legislation of the Russian Federation;

– at the request of the personal data subject, clarify the personal data being processed, block or delete it if the personal data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing;

– maintain a Log of requests from personal data subjects, which must record requests from personal data subjects to obtain personal data, as well as the facts of providing personal data in response to these requests;

– notify the subject of personal data about the processing of personal data in the event that the personal data were not received from the subject of personal data;

– if the purpose of processing personal data is achieved, immediately stop processing personal data and destroy the relevant personal data within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided by federal legislation of the Russian Federation;

– if the subject sends a request to terminate the processing of his personal data, terminate the processing of personal data and destroy the personal data within a period not exceeding ten working days from the date of receipt of the said request. The said period may be extended, but not more than by five working days if the operator sends to the subject of personal data a reasoned notice indicating the reasons for extending the period for providing the requested information. The operator has the right to continue processing personal data in the cases provided for in paragraphs 2–11 of Part 1 of Article 6, Part 2 of Article 10 and Part 2 of Article 11 of Federal Law No. 152-FZ “On Personal Data”;

– provide personal data of the subject only to authorized persons and only to the extent necessary for them to perform their work duties in accordance with this Regulation and the legislation of the Russian Federation.

2. Purposes of personal data processing

2.1. For each category of personal data, the Operator has defined and approved specific processing purposes. Processing of personal data that is incompatible with the approved purposes is not permitted.

2.2. The purposes, categories of subjects, their scope and legal grounds for processing personal data, within the framework of which the Operator carries out the processing, are provided in Appendix No. 2 to this “Personal Data Processing Policy”.

2.3. The processing of personal data provided in Appendix No. 2, among other things, is carried out in accordance with the requirements of the Tax Code of the Russian Federation, Federal Law No. 402-FZ “On Accounting”, Federal Law No. 125-FZ “On Archival Affairs in the Russian Federation”, Order of Rosarchive dated 20.12.2019 No. 236 “On Approval of the List of Standard Management Archival Documents Generated in the Process of Activities of State Bodies, Local Government Bodies and Organizations, Indicating Their Storage Periods”, the Civil Code of the Russian Federation, and other Federal Laws and regulatory legal acts adopted on their basis that govern relations related to the activities of the Operator, as well as other regulatory legal acts of the Russian Federation, within the framework of the implementation and performance of the functions, powers and obligations imposed on the Operator by the legislation of the Russian Federation.

2.4. Processed personal data are subject to destruction or depersonalization upon expiration of the storage period, achievement of the processing purposes, or in the event of loss of the need to achieve these purposes, unless otherwise provided by law.

3. Procedure and conditions for processing personal data

3.1. The Operator receives all personal data directly from the subject of the personal data, from his representative or from the person who has instructed the Operator to process the personal data, except for cases stipulated by the legislation of the Russian Federation.

3.2. Personal data shall be processed with the consent of the personal data subject, except for cases stipulated by the legislation of the Russian Federation. Consent may be expressed in various forms that allow confirmation of the fact of its receipt, including in implicative actions, in writing in the form of a separate document, or as part of any document signed by the subject. Consent may be given by a representative of the subject upon providing evidence of his/her authority.

3.3. Consent to the processing of personal data may be revoked by the personal data subject. In cases stipulated by the legislation of the Russian Federation, the processing of personal data may be continued even after the subject has revoked consent to processing.

3.4. When making decisions affecting the interests of the subject, the Operator never relies on the personal data of the subject obtained solely as a result of their automated processing or electronic receipt.

3.5. Personal data shall not be used for the purpose of causing property and/or moral harm to citizens, hindering the exercise of the rights and freedoms of citizens of the Russian Federation.

3.6. Access to personal data is granted to the Operator’s employees who need the personal data in connection with the performance of their official duties.

3.7. The transfer of personal data of the Operator’s employee to third parties is carried out only with the written consent of the subject, except for cases stipulated by the legislation of the Russian Federation.

3.8. The Operator has the right to transfer personal data to inquiry and investigation bodies, other authorized bodies on the grounds stipulated by the current legislation of the Russian Federation.

3.9. The Operator has the right to create publicly available sources of personal data, which may include the personal data of the subject of personal data with his written consent.

3.10. The transfer of personal data of the subject for commercial purposes without his written consent is not carried out.

3.11. If the Operator needs to transfer personal data to third parties, it is carried out only after signing an agreement on non-disclosure of confidential information between the Operator and the third party, except for cases stipulated by the legislation of the Russian Federation.

3.12. Personal data shall be processed both using computer technology and without using such means.

3.13. The terms for processing personal data by the Operator are generally determined in accordance with the terms established by Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”; the term of the relevant agreement; the terms specified in the instruction for processing personal data; the validity periods of documents established by Federal Law No. 125-FZ “On Archival Affairs in the Russian Federation”; Order of Rosarchive No. 236 of 20.12.2019 “On Approval of the List of Standard Management Archival Documents Generated in the Process of Activities of State Bodies, Local Governments and Organizations, Indicating Their Storage Periods”, the limitation period; the validity period of the consent given by the subject of personal data for their processing; as well as other requirements of the legislation of the Russian Federation.

3.14. Personal data, when processed without the use of automation tools, are separated from other information, in particular by recording them on separate tangible personal data carriers (hereinafter referred to as tangible carriers), in special sections or in the fields of forms (blanks).

3.15. When recording personal data on tangible carriers, it is not allowed to record on one tangible carrier personal data, the purposes of processing of which are obviously incompatible. For processing different categories of personal data, carried out without the use of automation tools, a separate tangible carrier is used for each category of personal data.

3.16. Persons processing personal data without the use of automation tools must be informed of the fact that they are processing personal data, the processing of which is carried out by the operator without the use of automation tools, the categories of personal data being processed, as well as the features and rules for carrying out such processing.

3.17. When using standard forms of documents filled in by the subject of personal data personally, the nature of the information in which implies or allows the inclusion of personal data in them (hereinafter referred to as a standard form), the following conditions are met:

– a standard form or related documents (instructions for filling it out, cards, registers and journals) must contain information about the purpose of processing personal data carried out without the use of automation tools, the name (title) and address of the operator, the last name, first name, patronymic and address of the subject of personal data, the source of obtaining personal data, the terms of processing personal data, a list of actions with personal data that will be performed in the process of their processing, a general description of the methods of processing personal data used by the operator;

– the standard form must include a field in which the subject of personal data can indicate his/her consent to the processing of personal data carried out without the use of automation tools – if it is necessary to obtain written consent to the processing of personal data;

– the standard form must be drawn up in such a way that each of the subjects of personal data contained in the document has the opportunity to familiarize themselves with their personal data contained in the document without violating the rights and legitimate interests of other subjects of personal data; the standard form must exclude the combination of fields intended for entering personal data, the purposes of processing of which are obviously incompatible.

3.18. Personal data are subject to destruction upon achievement of the processing purposes, in case of loss of need to achieve them, upon expiration of the storage period, upon detection of the fact of unlawful processing or at the request of the person who has instructed the processing of personal data within a period not exceeding ten working days from the date of achievement of the purpose of processing personal data, or receipt of a response to their processing. The specified period may be extended, but not more than by five working days if the operator sends a reasoned notice to the subject of personal data indicating the reasons for extending the period for providing the requested information. Destruction is carried out in the presence of the commission. Based on the results, a destruction report is drawn up.

3.19. Cross-border transfer is carried out by the Operator to the following countries: USA, Spain, Germany, Belarus, Kazakhstan, Israel, Ireland.

4. Protection of personal data

4.1. The Operator ensures the protection of the personal data of the subject from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other illegal actions.

4.2. The protection of personal data is ensured by the Operator in the manner established by the current legislation of the Russian Federation and local acts of the Operator, by implementing a set of organizational and technical measures to ensure their security.

4.3. All measures of protection during the collection, processing, storage and transfer of personal data of the subject apply to both paper and electronic (automated) information carriers.

5. Updating, correcting, deleting and destroying personal data

5.1. The Operator has the right to enter, supplement, change, block or delete personal data in accordance with the Federal Law of the Russian Federation.

5.2. At the request of the subject of personal data, the Operator is obliged to:

– provide information about the operator’s possession of the subject’s personal data;

– provide the opportunity to become familiar with the personal data of the subject (except for Federal Law No. 152, Article 14, Part 5) and provide information regarding the processing of his personal data in accordance with Federal Law No. 152;

– clarify inaccurate or changed personal data;

– block or destroy personal data if they were obtained illegally, are not necessary for the stated purpose of processing, or the consent of the subject has been revoked.

5.3. The request of the personal data subject must be sent to the Operator in paper form and contain the number of the main document certifying the identity of the personal data subject or his/her legal representative, information about the date of issue of the said document and the issuing authority, and the handwritten signature of the personal data subject or his/her legal representative. A standard request form is provided in Appendix 1 to this Policy.

5.4. The request may be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation to the e-mail address: luxvipautos@gmail.com.

5.5. Upon receipt of a request from subjects, the responsible employee of the Operator is obliged to register such a request in the registration log of requests from subjects.

5.6. A response or a reasoned refusal must be sent within ten working days from the date of receipt of the request from the personal data subject. The specified period may be extended, but not more than by five working days, if the operator sends a reasoned notice to the personal data subject stating the reasons for extending the period for providing the requested information. The response must be in the form in which the relevant request or appeal was sent, unless otherwise specified in the request or appeal, and contain specific and comprehensive information regarding the essence of the issue.

6. Changes to Policy

6.1. The Operator has the right to make changes to this Policy. When making changes, the date of the last update of the version is indicated in the heading of the Policy. The new version of the Policy comes into force from the moment it is posted on the Operator’s website, unless otherwise provided by the new version of the Policy.

6.2. The law of the Russian Federation shall apply to this Policy and the relations between personal data subjects and the Operator.

7. Feedback

7.1. Email address: luxvipautos@gmail.com

7.2. Contact phone number: +46-72-346-00-77