For buyers
1. General provisions
This Privacy Policy (hereinafter referred to as the “Policy”) is a document defining the policy of Individual Entrepreneur Gulneva Darya Konstantinovna, TIN 511006260423, OGRNIP 321519000008268 (hereinafter referred to as the “Operator”) regarding the processing of personal data.
The adoption and publication of the Policy are carried out on the basis of and in compliance with Federal Law No. 152-FZ dated July 27, 2006 “On Personal Data” (hereinafter referred to as the “Federal Law”).
2. Scope of the Policy
The scope of the Policy applies to all personal data that the Operator has received or may receive from subjects of personal data (hereinafter referred to as the “Subjects”), as they are understood in the Federal Law, as well as from legal entities or individual entrepreneurs whose representatives are the Subjects.
The scope of the Policy applies to personal data processed by the Operator both in connection with the use of the website located on the Internet at the web address https://mesh-n-flesh.com/ (hereinafter referred to as the “Website”) and on other lawful grounds.
3. Terms and definitions
Automated processing of personal data – processing of personal data using computer equipment.
Blocking of personal data – temporary suspension of the processing of personal data (except in cases where processing is necessary to clarify personal data).
Access to personal data – the possibility of obtaining personal data and their use.
Counterparties – individuals and individual entrepreneurs, legal entities entering into an agreement with the Operator.
Confidentiality of personal data – a requirement mandatory for compliance by the Operator or another person who has gained access to personal data not to allow their dissemination without the consent of the subject of personal data or the presence of another lawful basis.
Unauthorized access – access to information that violates the rules for delimiting access using standard means provided by computer equipment or automated systems.
Processing of personal data – any action (operation) or set of actions (operations) performed using automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (dissemination, provision, access), blocking, deletion, destruction of personal data.
Personal data operator – a state authority, a municipal authority, a legal entity or an individual who independently or jointly with other persons organize and (or) carry out the processing of personal data, as well as determine the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data.
Personal data (PD) – any information relating to a directly or indirectly identified or identifiable individual (subject of personal data).
Website users – individuals visiting the Operator’s Website.
Visitors – individuals visiting the Operator’s office who are not employees of the Operator.
Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.
Employees of the Operator – individuals who are in labor relations with the Operator.
Dissemination of personal data – actions aimed at disclosing personal data to an indefinite group of persons.
Job applicants – individuals applying for filling a vacant position.
Former employees of the Operator – individuals who were in labor relations with the Operator.
Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed.
4. Legal grounds and purposes of personal data processing
4.1. Processing and ensuring the security of personal data processed by the Operator is carried out in accordance with the requirements of the Constitution of the Russian Federation, the Federal Law, the Labor Code of the Russian Federation (hereinafter referred to as the “Labor Code of the Russian Federation”), subordinate regulatory acts, and other legislative acts of the Russian Federation defining cases and features of personal data processing.
4.2. Personal data processing is carried out on the basis of agreements concluded with the Subjects, and corresponding consents provided by the Subjects.
4.3. The purposes of personal data processing, categories and list of processed personal data, categories of Subjects, methods, periods of their processing and storage are set out in the appendix to the Policy (Appendix No. 1).
4.4. Personal data processing is carried out on a lawful and fair basis.
Personal data processing is limited to achieving specific, predetermined and lawful purposes. Processing of personal data that is incompatible with the purposes of their collection is not allowed.
Combining databases containing personal data, the processing of which is carried out for purposes incompatible with each other, is not allowed.
The content and scope of processed personal data correspond to the stated purposes of processing. Processed personal data must not be excessive in relation to the stated purposes of their processing.
5. Procedure for processing personal data
Personal data processing is carried out in a manner that excludes their loss, damage or unlawful use.
For the purpose of ensuring the safety and confidentiality of personal data, all operations related to the execution, formation, maintenance and storage of this information are performed only by authorized employees of the Operator who carry out this work in accordance with their labor duties fixed in their job descriptions.
6. Obligations of the Operator
In accordance with the requirements of the legislation of the Russian Federation, in order to ensure the rights and freedoms of man and citizen, when processing the personal data of the Subject the Operator fulfills the following mandatory requirements:
- processing of personal data is carried out exclusively for the purposes specified in the Policy;
- protection of personal data of the Subjects processed by the Operator from their unlawful use or loss is ensured at the expense of the Operator in the manner established by the local regulatory acts of the Operator;
- when determining the scope and content of processed personal data, the Operator is guided by the Constitution of the Russian Federation, the Labor Code of the Russian Federation, the Federal Law, other federal laws and regulatory legal acts;
- personal data may not be used for the purpose of causing harm to citizens or hindering the exercise of the rights and freedoms of citizens.
The Operator is obliged to observe the confidentiality of personal data transferred by the Subject, ensure their security during processing, take the necessary measures aimed at ensuring the fulfillment of obligations предусмотренных by the Federal Law, comply with the requirements provided for by Part 5 of Article 18 and Article 18.1 of the Federal Law, as well as take measures for their protection specified in Section 9 of the Policy.
Among other things, the Operator is obliged to notify the Subject of cases of establishing the fact of unlawful or accidental transfer (provision, dissemination, access) of personal data that resulted in a violation of the rights of the Subjects.
The Operator is obliged, at the request of the Subject, including before the processing of personal data, to provide him with documents and other information confirming the adoption of measures and compliance with the requirements established in accordance with Article 6 of the Federal Law.
7. Rights of the Operator
The Operator processes personal data in the form of collection, recording, systematization, storage, clarification (updating, modification), extraction, use, transfer (provision, access), blocking, deletion and destruction of personal data. These actions are carried out both using automation tools and with the direct participation of an employee of the Operator authorized to work with personal data. Personal data processing is carried out exclusively using databases located on the territory of Russia. The Operator does not make decisions in relation to the Subject based solely on automated processing of personal data.
The Operator has the right to store personal data of the Subjects in cloud data storage facilities, the use of which by the Operator is governed by concluded agreements, in compliance with the requirements of the legislation of the Russian Federation.
The Operator has the right to provide personal data of the Subjects to third parties provided that such persons comply with the requirements of the Federal Law.
In addition, personal data of the Subject may be transferred to law enforcement, judicial and other state authorities and other persons to whom the Operator is obliged to transfer such data by virtue of the requirements of the legislation.
8. Storage of personal data
Personal data of the Subjects are stored on hard copies (paper media), on external (removable) electronic media and in secure information systems owned by the Operator or used by the Operator on a lawful basis. Access to information systems containing personal data is ensured using means of protection against unauthorized access.
Material carriers containing personal data of the Subjects are stored in safes or metal cabinets locked with a key.
Storage of personal data by the Operator is carried out in a form that allows identification of the Subject no longer than is required by the purposes of their processing and the requirements of regulatory documents of the Russian Federation related to document storage, after which the data are destroyed.
The storage period of documents containing personal data of the Subjects is determined by the nature of the documents containing such data and the purpose of personal data processing in accordance with Appendix No. 1.
9. Measures taken by the Operator to protect personal data
The system of protection measures implemented by the Operator for the personal data of the Subjects includes all organizational and technical measures necessary and sufficient to ensure fulfillment of obligations stipulated by the legislation on personal data protection, determined taking into account current threats to the security of personal data and information technologies used by the Operator. Such measures include, in particular:
- conducting periodic inspections of the conditions of personal data processing,
- documents defining the policy regarding the processing of personal data have been issued,
- application by the Operator of legal, organizational and technical measures to ensure the security of personal data is ensured,
- internal control of compliance of personal data processing with the Federal Law “On Personal Data” and regulatory legal acts adopted in accordance with it, requirements for personal data protection, the operator’s policy regarding personal data processing, and local acts of the operator is carried out.
9.1 Internal protection of personal data includes the following organizational and technical measures:
- placement of the Operator’s information systems and special equipment in premises excluding the possibility of uncontrolled presence of unauthorized persons in them;
- threats to the security of personal data during their processing in personal data information systems have been identified,
- accounting of machine carriers of personal data is ensured,
- control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems is carried out,
- access of unauthorized persons to premises intended for personal data processing is restricted.
9.2 External protection includes the following organizational and technical measures:
- safety of personal data carriers is ensured;
- information protection tools that have passed the conformity assessment procedure with the requirements of the legislation of the Russian Federation in the field of information security are used, in cases where the use of such tools is necessary to neutralize current threats.
9.3 Transfer of personal data during their processing in the Operator’s information systems is carried out via communication channels, the protection of which is ensured by implementing appropriate organizational and technical measures ensuring neutralization of current security threats.
The Operator is prohibited from transferring personal data via open communication channels, computing networks outside the boundaries of the controlled zone and through the international information exchange network (public communication networks, the Internet) without the application of appropriate organizational and technical protection measures.
Transfer of personal data via the international information exchange network (public communication networks, the Internet) is carried out using measures that ensure concealment of information from unauthorized persons (cryptography, encryption).
10. Rights of the Subject
The Subject has the right to access his personal data, including the right to obtain information relating to the processing of his personal data, the right to require clarification of his personal data, the right to withdraw his consent to the processing of personal data, and other rights provided for by the Federal Law.
The Subject may contact the Operator in the following ways:
• using Russian Post (send a request to the address of the Operator);
- using the postal system in the form of an electronic letter (send a request to the e-mail address: meshnflesh@yandex.ru).
In the event of receipt of a written request from the Subject and (or) authorized bodies regarding inaccuracy of personal data, unlawfulness of their processing, withdrawal of consent and access of the Subject to his data, the Operator considers such a request within ten working days from the date of its receipt and notifies the Subject of the decision taken. The specified period may be extended, but not more than for five working days in the event that the Operator sends to the Subject a reasoned notification indicating the reasons for extending the period for providing the requested information.
In the event that the Subject withdraws consent to the processing of his personal data, the Operator has the right to continue processing personal data without the consent of the Subject exclusively if there are grounds provided for by the legislation.
The Subject has the right to appeal against the actions of the Operator to the authorized body for the protection of the rights of subjects of personal data or in court.
When the Operator sends advertising and other mailings to the Subject’s e-mail addresses, SMS and push notifications, as well as makes calls, the Subject has the right to refuse to receive such mailings (notifications, calls) by sending a reply letter or other appeal to the Operator.
11. Final provisions
This Policy is a document regulating the relations arising between the Subjects and the Operator in the processing of personal data by the Operator, including when using the Website. The Policy may be amended by the Operator at any time, while the Subjects must be notified of the fact of such amendment in the ways in accordance with the requirements of the Federal Law.
Any changes to the personal data processing policy by the Operator will be reflected in this document. The Policy is valid indefinitely until it is replaced by a new version.
The current version of the Policy is freely available on the Internet at the following address: https://mesh-n-flesh.com/page/policy
Appendix No. 1 to the Privacy Policy
Purposes of personal data processing, categories and list of processed personal data, categories of personal data subjects, methods, periods of their processing and storage
1. Ensuring compliance with labor legislation of the Russian Federation, maintaining personnel records
Categories of subjects: employees, job applicants, former employees
Categories of personal data: last name, first name, patronymic, year of birth, month of birth, date of birth, place of birth, marital status, income, gender, e-mail address, residential address, registration address, phone number, SNILS, TIN, citizenship, identity document data, bank card details, settlement account number, personal account number, profession, information on labor activity (including length of service, data on current employment indicating the name and settlement account number of the organization), attitude to military duty, information on military registration, information on education, photo and video image of the face; information on previous last name (if any).
Grounds for processing:
- processing is necessary to achieve the purposes provided for by law, for the implementation and fulfillment of the functions, powers and duties imposed on the operator by the legislation of the Russian Federation
- consent.
List of actions with personal data: Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion, Destruction.
For this purpose, in accordance with clause 4.3 of the Order of the Federal Archival Agency dated 20.12.2019 No. 237 “On approval of the instructions for the application of the List of standard managerial archival documents formed in the course of activities of state bodies, local self-government bodies and organizations, indicating storage periods” (hereinafter referred to as the Order of the Federal Archival Agency), documents containing personal data are stored for the periods of temporary storage of documents (1 year, 3 years, 5 years, 6 years, 10 years, 15 years, 45 years, 50 years and 75 years).
Method of personal data processing – mixed processing.
2. Collection and analytics of statistical data
Categories of subjects: website visitors
Categories of personal data: information contained in cookie files; information containing IP addresses; information about operating systems installed on the website visitor’s device, browser types; languages; information about Flash versions and JavaScript support; information about types of mobile devices, if applicable; information containing the number of website visits and page views; information containing the duration of stay on the website; information containing queries used to access the website; information containing pages from which transitions were made.
Grounds for processing:
- consent.
List of actions with personal data: Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion, Destruction.
Data retention period – no more than 3 years from the date of data collection.
Method of personal data processing – automated processing.
3. Processing of feedback forms and order forms
Categories of subjects: website visitors
Categories of personal data: last name, first name, patronymic, e-mail address, phone number, bank card details, delivery address.
Grounds for processing:
- consent.
List of actions with personal data: Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion, Destruction.
Data retention period – 3 years after responding to the Subject’s request.
Method of personal data processing – mixed processing.
4. Informing through message distribution
Categories of subjects: counterparties, representatives of counterparties, clients, website visitors
Categories of personal data: last name, first name, patronymic, e-mail address, phone number.
Grounds for processing:
- consent;
- processing of personal data is necessary for the performance of the contract to which the subject of personal data is a party or beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the subject of personal data or a contract under which the subject of personal data will be a beneficiary or guarantor.
List of actions with personal data: Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion, Destruction.
Data retention period – 5 years.
Method of personal data processing – mixed processing.
5. Conclusion and performance of contracts with clients and counterparties
Categories of subjects: counterparties, representatives of counterparties, clients.
Categories of personal data: last name, first name, patronymic, year of birth, month of birth, date of birth, e-mail address, residential address, registration address, phone number, SNILS, TIN, citizenship, identity document data.
Grounds for processing:
- consent;
- processing of personal data is necessary for the performance of the contract to which the subject of personal data is a party or beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the subject of personal data or a contract under which the subject of personal data will be a beneficiary or guarantor.
List of actions with personal data: Collection, Recording, Systematization, Accumulation, Storage, Clarification (updating, modification), Extraction, Use, Transfer (provision, access), Blocking, Deletion, Destruction.
Data retention period – no more than 10 years from the date of termination of the contract.
Method of personal data processing – mixed processing.
