1. General Provisions
1.1 This policy regarding the processing of personal data (hereinafter – “Policy”) is prepared in accordance with paragraph 2 of Part 1 of Art. 1 of Article 18.1 of the Federal Law of the Russian Federation “On Personal Data” № 152-FZ of July 27, 2006 (hereinafter – the “Law”) and defines the position of “baryatrics.com” and/or its affiliates, (hereinafter – the “Company”) in relation to processing and protection of personal data (hereinafter – the “Data”), respect for human rights and freedoms and in particular the right to privacy, personal and family secrets.
2. Scope of Application
2.1 This Policy applies to Data received both before and after the enactment of this Policy.
2.2 Understanding the importance and value of Data, and taking care to respect the constitutional rights of citizens of the Russian Federation and citizens of other states, the Company ensures reliable protection of Data.
3. Definitions
3.1. Data means any information related to a directly or indirectly identified or identifiable individual (citizen), i.e. such information includes, in particular: name, email, phone number.
3.2. Processing of Data means any action (operation) or a set of actions (operations) with Data performed using automation tools and/or without the use of such tools. Such actions (operations) include: collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Data.
3.3. Data Security shall mean protection of Data from unauthorized and/or unauthorized access, destruction, change, blocking, copying, provision, distribution of Data, as well as from other unlawful acts in relation to Data.
4. Legal basis and purpose of Data processing
4.1. Processing and security of Data in the Company shall be carried out in accordance with the requirements of the Constitution of the Russian Federation, the Law, the Labor Code of the Russian Federation, by-laws, other federal laws of the Russian Federation defining cases and specifics of Data processing, guiding and methodological documents of FSTEC and FSS of Russia.
4.2. The subjects of Data processed by the Company are:
– customers – consumers, including visitors to the website https://baryatrics.com, owned by the Company, including for the purpose of placing an order on the Site https://baryatrics.com with subsequent delivery to the customer, recipients of services.
4.3. The Company processes data subjects for the following purposes:
– To carry out the functions, powers and duties imposed on the Company by the legislation of the Russian Federation in accordance with federal laws, including, but not limited to: The Civil Code of the Russian Federation, the Tax Code of the Russian Federation, the Labor Code of the Russian Federation, the Family Code of the Russian Federation, the Federal Law of 01.04.1996 № 27-FZ “On individual (personalized) accounting in the mandatory pension insurance system”, the Federal Law of 27.07.2006 № 152-FZ “On Personal Data”, the Federal Law of 28.03.1998 № 53-FZ “On Military Duty and Military Service”, the Federal Law of 26. February 1997 № 31-FZ “On mobilization training and mobilization in the Russian Federation”, Federal Law of 08.02.1998 № 14-FZ “On Limited Liability Companies”, Federal Law of 07.02.1992 № 2300-1 “On Protection of Consumer Rights”, Federal Law of 21.11.1996 № 129-FZ “On Accounting”, Federal Law of 29.11.2010 № 326-FZ “On Mandatory Medical Insurance in the Russian Federation”.
– Customers – consumers in order to: provide information on goods/services, ongoing promotions and special offers; analyze the quality of services provided by the Company and improve the quality of services for the Company’s customers.
5. Principles and conditions of Data processing
5.1. When processing Data, the Company shall adhere to the following principles: the Data shall be processed legally and fairly; the Data shall not be disclosed to third parties or disseminated without the consent of the Data subject, except in cases requiring the disclosure of Data at the request of authorized state bodies, legal proceedings; the determination of specific legitimate purposes before the beginning of data processing (including collection); only the Data that is necessary and sufficient for the stated processing purpose shall be collected; the integration of databases of data subjects shall be carried out.
5.2. The Company may include subjects’ Data in publicly available sources of Data, with the Company taking the subject’s written consent to the processing of their Data, or by expressing consent through a website form (checkbox), by clicking which the subject of personal data expresses their consent.
5.3 The Company does not process any Data related to race, ethnicity, political views, religious, philosophical and other beliefs, intimate life, membership in public associations, including trade unions.
5.4. The Company does not process biometric data (information that characterizes the physiological and biological characteristics of a person, based on which it is possible to identify him or her, and which is used by the operator to identify the data subject).
5.5. The Company does not transfer Data across borders.
5.6. The Company shall be entitled to transfer Data to third parties (federal tax service, state pension fund and other state bodies) in cases stipulated by the legislation of the Russian Federation.
5.7. The Company shall be entitled to entrust the processing of Data of Data subjects to third parties with the consent of the Data subject, on the basis of an agreement concluded with such persons, including by agreeing to the user agreement and the personal data processing policy posted on the website.
5.8. The persons who process Data on the basis of a contract concluded with the Company (commissioned by the operator) shall be obliged to comply with the principles and rules of data processing and protection stipulated by the Law. For each third party, the contract shall define the list of actions (operations) with the Data to be performed by the third party processing the Data, the purpose of processing, establish the obligation of such person to respect the confidentiality and security of the Data when processing it, specify the requirements for the protection of the processed Data in accordance with the Law.
5.9. In order to fulfill the requirements of the current legislation of the Russian Federation and its contractual obligations, the Company processes Data both with and without the use of automation tools. The set of processing operations includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction of Data.
5.10. The Company shall not make decisions based solely on the automated processing of Data that produce legal consequences in relation to the Data subject or otherwise affect their rights and legitimate interests, except in cases stipulated by the legislation of the Russian Federation.
6. Rights and obligations of Data subjects, as well as of the Company in terms of Data processing
6.1. The subject, whose Data is processed by the Company, has the right:
– Receive from the Company:
confirmation of the fact of Data processing and information on the availability of Data pertaining to the relevant Data subject;
Information about the legal basis and purpose of Data processing;
Information about methods of Data processing used by the Company;
Information about the Company’s name and location;
Information about persons (excluding the Company’s employees) who have access to Data or to whom Data may be disclosed on the basis of a contract with the Company or on the basis of federal law;
A list of the Data processed, which relates to the Data subject, and information about the source of their obtaining, unless another procedure for providing such Data is provided for by the federal law;
information about the term of Data processing, including the term of their storage;
Information about the procedure for exercising the Data subject’s rights stipulated by the Law;
Name (full name) and address of the person processing the Data on behalf of the Company;
other information provided for by the Law or other regulations of the Russian Federation;
– Require from the Company:
clarify its Data, block or destroy it if the Data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing;
Withdraw his consent to Data processing at any time; demand the elimination of improper actions of the Company in relation to his Data;
To complain against the Company’s acts or omissions to the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Media (Roskomnadzor) or in court, in case the Data subject considers that the Company is processing his Data in violation of the Law or otherwise violates his rights and freedoms.
– To protect their rights and legitimate interests, including compensation for damages and/or compensation for moral harm in court.
6.2. In the course of Data processing, the Company shall
– Provide to the Data subject at his or her request information concerning the processing of his or her Personal Data, or legally provide a waiver within thirty days from the date of receipt of the Data subject’s or his or her representative’s request;
– Explain to the Data subject the legal consequences of the refusal to provide Data, if the provision of Data is mandatory under the federal law;
– Prior to the commencement of Data processing (if the Data is not received from the Data subject) provide to the Data subject the following information, except in the cases provided for in Article 18(4) of the Law
1) the name or surname, first name, patronymic and address of the Company or its representative;
2) the purpose of Data processing and its legal basis;
3) the intended users of the Data;
4) the rights of the Data subjects established by the Law;
5) the source of obtaining the Data.
– Take the necessary legal, organizational and technical measures or ensure their adoption to protect Data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of Data, as well as from other unlawful actions in relation to Data;
– Publish in the Internet and ensure unrestricted access via the Internet to the document defining its policy with regard to Data processing, information on the implemented requirements for Data protection;
– Provide Data subjects and/or their representatives with an opportunity to become acquainted with Data free of charge upon request within 30 days from the date of receipt of such request;
– Block unlawfully processed Data related to the Data subject or ensure its blocking (if the Data processing is carried out by another person acting on behalf of the Company) from the moment of addressing or receiving the request for the inspection period, in case of detecting unlawful processing of Data upon request of the Data subject or his representative or upon request of the Data subject or his representative or the authorized body for protection of the personal data subjects’ rights
– Refine the Data or ensure their clarification (if the Data processing is carried out by another person acting on behalf of the Company) within 7 working days from the date of data submission and unblock the Data, in case of confirmation of the fact of inaccurate Data based on the information provided by the Data subject or his representative;
– cease the unauthorized data processing or ensure the cessation of unauthorized data processing by a person acting on behalf of the Company, in case of revealing the unauthorized data processing carried out by the Company or by a person acting on the basis of a contract with the Company, within a period not exceeding 3 working days from the date of this revealing
– terminate the Data processing or ensure its termination (if the Data processing is carried out by another person acting under a contract with the Company) and destroy the Data or ensure its destruction (if the Data processing is carried out by another person acting under a contract with the Company) upon achieving the purpose of the Data processing, unless otherwise provided by the contract, to which the Data subject is a party, beneficiary or guarantor, in case the purpose of the Data processing is achieved
– Terminate the Data processing or ensure its termination and destroy the Data or ensure its destruction in case the Data subject withdraws consent to Data processing, if the Company is not entitled to process the Data without the consent of the Data subject;
– Keep a log of applications of Data subjects, which shall record the requests of Data subjects to receive Data, as well as the facts of providing Data on these requests.
7. Requirements for Data Protection
7.1. When processing Data, the Company shall take the necessary legal, organizational and technical measures to protect Data from unlawful and/or unauthorized access to it, destruction, change, blocking, copying, provision, distribution of Data, as well as from other unlawful acts in relation to Data.
7.2. Such measures in accordance with the Law, in particular, include:
– Appointment of a person responsible for organizing the processing of Data and a person responsible for ensuring the security of Data;
– development and approval of local acts on the processing and protection of Data;
– Application of legal, organizational and technical measures to ensure Data security: identification of threats to Data security during their processing in personal data information systems; application of organizational and technical measures to ensure Data security during their processing in personal data information systems, necessary for compliance with Data protection requirements, implementation of which ensures the levels of Data security as established by the Government of the Russian Federation; application of the duly completed
– Control over the measures taken to ensure Data security and the level of protection of personal data information systems;
– Assessment of harm that may be caused to the Data subjects in case of violation of the requirements of the Law, the ratio of the said harm and the measures taken by the Company to ensure the fulfillment of the obligations stipulated by the Law;
– Compliance with the conditions that exclude unauthorized access to the tangible media of the Data and ensure the safety of the Data;
– familiarization of the Company’s employees directly engaged in Data processing with the provisions of the legislation of the Russian Federation on Data, including the requirements to Data protection, local acts on the processing and protection of Data, and training of the Company’s employees.
8. Terms of Data processing (storage)
8.1. The term of processing (storage) of Data shall be determined based on the purpose of Data processing, in accordance with the term of the contract with the Data subject, the requirements of federal laws, the requirements of Data operators on whose behalf the Company carries out Data processing, the basic rules of the archives of organizations, the statute of limitations.
8.2. Data whose processing (storage) period has expired shall be destroyed, unless otherwise provided for by federal law. Storage of Data after the termination of its processing shall only be allowed after its depersonalization.
9. Procedure for obtaining explanations on the processing of Data
9.1. Persons whose Data is processed by the Company may obtain explanations on the processing of their Data by contacting the Company in person or by sending a corresponding written request by e-mail.
9.2. If an official request is sent to the Company, the text of the request must include:
– surname, first name, patronymic of the Data subject or his representative;
– number of the main identity document of the Data Subject or his representative, information about the date of issue of the said document and the issuing authority;
– Information confirming the Data subject’s relationship with the Company;
– Information for feedback in order for the Company to send a response to the request;
– Data subject’s (or his representative’s) signature. If the request is sent electronically, it shall be in the form of an electronic document and signed by electronic signature in accordance with the laws of the Russian Federation.
10. Features of processing and protection of Data collected by the Company using the Internet
10.1. The Company shall process the Data coming from the users of the Site from the resource: https://baryatrics.com (hereinafter jointly – the Site), as well as coming to the Company’s phone number, the Company’s e-mail address.
10.2. Data collection
There are two main ways in which the Company obtains Data via the Internet:
10.2.1. Providing Data (self-entered data): name, email, phone number.
10.2.2. By Data Subjects by entering the Company’s telephone number, e-mail address of the Company.
10.3. Automatically Collected Information
The Company may collect and process information which is not personal data:
– information about the interests of users on the Site based on the search queries entered by users of the Site about products sold and offered for sale by the Company in order to provide relevant information to the Company’s customers when using the Site, as well as generalization and analysis of information about which sections of the Site and products are in the greatest demand among the Company’s customers;
– Processing and storage of search queries of Site users in order to generalize and create client statistics on the use of Site sections.
The Company automatically receives certain types of information obtained through user interaction with the Site, email correspondence, etc. This refers to technologies and services, such as web protocols, cookies, web memos, as well as applications and tools of the specified third party. However, web tags, cookies and other monitoring technologies do not automatically receive the Data. If a user of the Site provides his/her Data at his/her discretion, for example, when filling out a feedback form or sending an email, only then the processes of automatic collection of detailed information for the convenience of using the websites and/or for improving the interaction with users are triggered.
10.4. Use of Data
The Company shall be entitled to use the provided Data in accordance with the stated purposes of its collection, subject to the consent of the Data subject, if such consent is required in accordance with the requirements of the legislation of the Russian Federation in the field of Data. The obtained Data in a generalized and depersonalized form may be used to better understand the needs of customers of goods and services sold by the Company and to improve the quality of service.
10.5. Data transfer
The Company may assign Data processing to third parties solely with the consent of the Data subject. The Data may also be transferred to third parties in the following cases:
a) As a response to lawful requests from authorized public authorities, in accordance with laws, court decisions, etc.
b) The Data shall not be communicated to third parties for marketing, commercial or other similar purposes, unless the Data subject has given his prior consent.
10.6. The Site contains links to other web resources, which may contain useful and interesting information for users of the Site. However, this Policy does not apply to such other sites. Users clicking on the links to other sites are recommended to read the policies on data processing posted on such sites.
10.7. The Website User may withdraw his consent to the processing of Data at any time by sending a message, by calling the Company phone number, to the Company email address. Upon receipt of such a message, the processing of the User’s Data will be terminated and his Data will be deleted, except in cases where the processing can be continued in accordance with the law. Final provisions This Policy is a local regulation of the Company. This Policy is publicly available. Public availability of this Policy is ensured by publishing it on the Company’s Website. This Policy may be revised in any of the following cases:
– In the event of changes in the legislation of the Russian Federation in the field of processing and protection of personal data;
– In cases where orders are received from competent state authorities to eliminate inconsistencies affecting the scope of the Policy;
– By decision of the Company’s management;
– In case of changes in the purposes and terms of Data processing;
– Changes in the organizational structure, the structure of information and/or telecommunications systems (or the introduction of new ones);
– In the application of new technologies for data processing and protection (including transfer, storage);
– If there is a need to change the Data processing process related to the Company’s activities. In case of non-compliance with the provisions of this Policy, the Company and its employees shall be liable in accordance with the applicable laws of the Russian Federation. Compliance with the requirements of this Policy is monitored by those responsible for organizing the processing of Company Data, as well as for the security of personal data.