The CashBackTour project. Website address: https://Cashbacktour.ru
Regulations on the processing of personal data in the Cashbacktour personal data information systems
Article 1. General provisions
- This Regulation defines the procedure for the collection, storage, transfer and any other use of personal data at the facility of informatization of the Limited Liability Company "Cashbacktour" (hereinafter referred to as the Company).
- The Company's clients are:
- individuals (subjects of personal data) who have concluded a written agreement with the Company on the sale of a tourist product, railway tickets and air tickets (hereinafter referred to as the Client)
- individuals (subjects of personal data) on whose behalf the customer of the tourist product has concluded a written agreement with the Company on the sale of the tourist product.
- The purpose of this Provision is to determine the procedure for processing personal data of Employees of the Company and Clients of the Company, whose personal data are subject to processing; ensuring the protection of human and civil rights and freedoms, including the protection of the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials with access to personal data for non-compliance with the requirements of the norms governing the processing and protection of personal data.
- Personal data may not be used for the purpose of causing property and moral harm to citizens, hindering the exercise of the rights and freedoms of citizens of the Russian Federation. Restriction of the rights of citizens of the Russian Federation based on the use of information about their social origin, racial, national, linguistic, religious and party affiliation is prohibited and punishable in accordance with federal legislation.
- These Regulations and amendments thereto are approved by the General Director of the Company and introduced by the order on the core business of Cashbacktour. All Employees of the Company must be familiarized with this Regulation and its amendments under signature. This Regulation is mandatory for all Employees of the Company who have access to personal data.
Article 2. The concept and composition of personal data "Cashbacktour"
- Cashbacktour processes personal data of its own Employees and Clients of the Company (Subjects of personal data).
- Personal data of Clients is understood as information required by the Company in connection with the fulfillment of its contractual obligations. The composition of the Client's personal data:
- last name, first name, patronymic
- year, month, day, place of birth
- sex
- registration address
- the number of the passport certifying the identity of a citizen of the Russian Federation, information on the date of issue and the authority that issued the passport;
- the number of the foreign passport and its validity period
- last name and first name, as they are indicated in the passport
- contact phone number and email address
- family and social status
- property status (including information about real estate, the availability of a car, the availability of bank accounts)
- profession; information (including address, work phone number, position, terms of work, monthly income) about the current place of work and previous places of work
- other information for the purpose of fulfilling the contract.
- If it is necessary to obtain a visa in the interests of the Client at the embassy of the country of planned stay, the composition of personal data specified in paragraph 2. of this article may be supplemented with information requested by the consular services of the embassy of the country of planned visit to consider the issue of a visa.
- The composition of personal data of Employees:
- passport or other identification document
- employment record
- insurance certificate of state pension insurance
- payment account
- certificate of registration with the tax authority and assignment of an INN
- military registration documents
- documents on education, qualifications or availability of special knowledge or special training
- the T-2 card
- documents containing information about wages, surcharges and allowances
- orders on hiring an Employee, his dismissal, as well as on transferring an Employee to another position;
- documents on the composition of the Employee's family, necessary to provide him with guarantees related to the performance of family duties
- documents confirming the right to additional guarantees and compensation on certain grounds provided for by the legislation of the Russian Federation;
- Documents containing personal data of Employees are created by:
- copying originals (for example, copies of educational documents, TIN certificate);
- filling out personal data (on paper and electronic media);
- providing original documents (workbooks, personal personnel records, employee autobiographies).
Article 3. Confidentiality of personal data
- The information listed in Article 2 of these Regulations, containing information about the personal data of the Subject, is confidential. The Company ensures the confidentiality of personal data, and is obliged to prevent their dissemination without the consent of the Subject of personal data, or the presence of other legitimate grounds.
- All confidentiality measures in the collection, processing and storage of personal data of the Subject apply to both paper and electronic (automated) media.
- The confidentiality regime of personal data is lifted in cases of depersonalization or inclusion in publicly available sources of personal data, or if there is a written consent of the Subject that his personal data is publicly available personal data.
Article 4. Rights and obligations of Cashbacktour
- The Company has the right to process the Subject's personal data without the consent of the Subject in the following cases:
- the processing of personal data is necessary to achieve the goals provided for by an international treaty of the Russian Federation or a law, to carry out and fulfill the functions, powers and duties assigned to the Company by the legislation of the Russian Federation
- the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings
- the processing of personal data is necessary for the execution of an agreement to which the personal data subject is a party or beneficiary or guarantor, as well as for the conclusion of an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be the beneficiary or guarantor
- the processing of personal data is necessary to protect the life, health or other vital interests of the personal data subject, if obtaining the consent of the personal data subject is impossible
- the processing of personal data is necessary to exercise the rights and legitimate interests of the Company or third parties or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated
- the personal data being processed is data to which the subject of personal data has provided access for an unlimited number of persons, or to which such access has been provided at his request.
- Consent to the processing of personal data may be given by the subject of personal data – the Client or his representative in any form that allows confirming the fact of its receipt, unless otherwise established by federal law. In case of obtaining consent to the processing of personal data from a representative of the personal data subject, the authority of this representative to give consent on behalf of the personal data subject is checked by the Company.
Consent to the processing of personal data on the grounds of this clause may be revoked by the Client. The obligation to provide proof of obtaining the Client's consent to the processing of his personal data on the grounds of this paragraph rests with the Company.
- In order to ensure human and civil rights and freedoms, the Company and its representatives must comply with the following general requirements when processing personal data of a Subject:
3.1. When determining the volume and content of personal data of the Subject to be processed, the Company must be guided by Federal Law No. 152-FZ of 07/27/2006 "On Personal Data", Federal Law No. 132-FZ of 11/24/1996 "On the basics of tourism activities in the Russian Federation", and the obligations assumed by the parties under the Company–Client contract. The Company receives the Subject's personal data to the extent necessary to achieve the goals specified in the contract with the Client.
3.2. The Company has no right to receive and process personal data of the Subject about criminal record, political, religious and other beliefs and private life.
3.3. The Company does not have the right to receive and process personal data of the Subject on membership in public associations or trade union activities, except in cases provided for by federal law.
3.4. The Company should not request information about the health status of the Subject, except for information that relates to the issue of organizing a safe holiday for Clients.
- The Company must ensure the protection of the Subject's personal data from misuse or loss at its own expense in accordance with the procedure established by the legislation of the Russian Federation.
Article 5. Rights and obligations of the Subject
- The subject is obliged to transfer to the Company or its representative a set of reliable, documented personal data, the composition of which is established by this Regulation and the obligations assumed by the parties under the Firm – Client agreement.
- The subject must inform the Company about the change of his personal data without undue delay.
- The Subject has the right to receive information about the Company, its location, whether the Company has personal data related to the Subject, as well as to familiarize himself with such personal data.
The Subject has the right to require the Company to clarify his personal data, block or destroy them if the personal data is incomplete, outdated, unreliable, illegally obtained or are not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights.
3.1. Information about the availability of personal data should be provided to the Subject in an accessible form, they should not contain personal data related to other personal data subjects.
3.2. Access to his personal data is provided to the Subject or his legal representative by the Company upon request or upon receipt of a request from the Subject or his legal representative. The request must contain the number of the main document certifying the identity of the personal data subject or his representative, information about the date of issue of the specified document and the issuing authority, information confirming the participation of the personal data subject in relations with the operator (contract number, date of conclusion of the contract, conditional verbal designation and (or) other information), or information otherwise confirming the processing of personal data by the operator, and the signature of the personal data subject or his representative.
- The subject has the right to receive information concerning the processing of his personal data, including information containing:
- confirmation of the fact of personal data processing by the Company;
- legal grounds and purposes of personal data processing;
- the purposes and methods of personal data processing used by the Company;
- the name and location of the Company, information about persons (with the exception of Employees of the Company) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
- processed personal data related to the relevant Subject, the source of their receipt, unless another procedure for the submission of such data is provided for by federal law;
- terms of processing of personal data, including the terms of their storage;
- the procedure for the exercise by the Subject of the rights provided for by this Federal Law;
- information about cross-border data transfers that have been carried out or are planned;
- the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the Company, if processing is entrusted or will be entrusted to such a person;
- other information provided by this Federal Law "On Personal Data" or other federal laws.
- The subject has the right to withdraw consent to the processing of personal data, restrict the methods and forms of processing personal data, and prohibit the dissemination of personal data without his consent.
- The Subject has the right to appeal against the actions or omissions of the Company to the authorized body for the protection of the rights of personal data subjects or in court.
- The subject has the right to protect his rights and legitimate interests, including compensation for damages and compensation for moral damage in court.
Article 6. Procedure for obtaining personal data
- The Company receives the personal data of the Subject:
1.1. Directly from the Subject of personal data – the Client, on the basis of concluding a written agreement with the Client on the sale of a tourist product and written consent to the processing of personal data.
1.2. From the Client – the customer of the tourist product, who is authorized to represent the interests of tourists within the framework of the agreement on the sale of the tourist product.
1.3. Directly from the Subject of personal data – an Employee of the Company.
- Prior to the start of personal data processing, the Company is obliged to provide the Client with written information about the name or surname, first name, patronymic and address of the operator or his representative; about the purpose of personal data processing and its legal basis; about the intended users of personal data; about the rights of the personal data subject established by the Federal Law "On Personal Data"; about the source of personal data.
2.1. If personal data has been received in connection with the performance of an agreement to which the Personal Data Subject is a party or beneficiary or guarantor, the Company is relieved of the obligation to provide the Personal Data Subject with the information provided for in paragraph 2 of this Article.
2.2. The fulfillment of the terms of clauses 2. and 2.1. is optional if the Subject has provided the Company with written consent that, for the duration of the agreement, the Client Company considers his personal data to be publicly available personal data.
Article 7. Processing of personal data
- The processing of personal data of the Subject is carried out by the Company solely to achieve the goals defined by the written Client–Company contract.
- The processing of personal data by the Company in the interest of the Subject consists in obtaining, systematizing, accumulating, storing, clarifying (updating, changing), using, distributing, depersonalizing, blocking, destroying and protecting against unauthorized access of the Subject's personal data.
- The processing of the Subject's personal data is carried out by the method of mixed (including automated) processing.
Ensuring the security of personal data is achieved, in particular:
- identification of threats to the security of personal data during their processing in personal data information systems;
- the application of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems necessary to meet the requirements for personal data protection, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation;
- the use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
- assessment of the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
- keeping records of machine-readable media carrying personal data;
- detection of unauthorized access to personal data and taking measures;
- recovery of personal data modified or destroyed due to unauthorized access to them;
- establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system;
- control over the measures taken to ensure the security of personal data and the level of security of personal data information systems.
- Only employees of the Company who are authorized to work with the personal data of the Subject can have access to the processing of personal data of the Subject.
- If the Personal Data Subject withdraws Consent to the processing of his personal data, the Company is obliged to stop processing them or ensure the termination of such processing (if the processing of personal data is carried out by another person acting on behalf of the Company) and, if the storage of personal data is no longer required for the purposes of processing personal data, destroy personal data or ensure their destruction (if the processing of personal data is carried out by another person acting on behalf of the Company) within a period not exceeding thirty days from the date of receipt of the specified withdrawal, unless otherwise provided by the Client–Company agreement.
- If it is not possible to destroy personal data within thirty days, the Company blocks such personal data or ensures their blocking (if personal data is processed by another person acting on behalf of the Company) and ensures the destruction of personal data within a period of no more than six months, unless another period is established by federal laws.
- The Company is obliged to notify the Subject of the destruction of personal data, unless otherwise established by the legislation of the Russian Federation or an agreement with the Subject.
Article 8. Transfer of personal data
- The transfer of personal data of the Subject is carried out by the Company solely for the purpose of achieving the goals defined by the written Client–Company contract, in particular for the formation of a tourist product ordered by the Client.
- The transfer of the Subject's personal data to third parties is carried out by the Company only on the basis of a relevant agreement, the essential condition of which is the obligation of a third party to ensure the confidentiality of the Subject's personal data and the security of personal data during their processing.
This provision does not apply in the case of depersonalization of personal data and in relation to publicly available personal data.
- The transfer of personal data to third parties is carried out using the public Internet and on paper.
- The Company carries out cross-border transfer of personal data of the Subject, including to the territory of foreign states that do not adequately protect the rights of personal data subjects, only in fulfillment of the Company–Subject contract, or with the appropriate written consent of the Subject.
Article 9. Storage of personal data
- The personal data of the Subject can be stored both on paper and in electronic form.
- Personal data of the Subject on paper, unless the confidentiality regime is legally removed from them, are stored in specially designated lockable cabinets (safes).
2.1. The keys to the lockers are stored personally by the managers authorized to process the personal data of the Subject, and their copies are kept by the General Director of the Company.
- The Subject's personal data is also stored electronically: in the Company's local computer network, in electronic folders and files on the automated workstations of the General Director and managers authorized to process the Subject's personal data.
- Personal data contained on electronic media is destroyed within three working days from the date of expiration of the limitation period under the contract.
- The personal data of the Subject contained on paper media are destroyed, with the destruction recorded in an act, within the following periods:
- stored on paper and not classified as primary accounting documents or other documents subject to storage under the legislation of the Russian Federation, within three working days from the date of expiration of the limitation period under the Client–Company agreement
- stored on paper and classified as primary accounting documents or documents subject to storage under the legislation of the Russian Federation, within three working days from the date of expiration of their storage period established by the norms of the legislation of the Russian Federation.
- The Company is obliged to notify the Subject of the destruction of personal data, unless otherwise established by the legislation of the Russian Federation or an agreement with the Subject.
Article 10. Access to the Client's personal data
- The following persons have the right to access the personal data of the Subject:
- The General Director of the Company
- Managers of the Company who work directly with Clients.
- Other employees of the Company, in the performance of their official duties, if there is a corresponding order from the General Director
- The Company's System Administrator
- The subject of personal data.
- The list of employees of the Company who have access to the personal data of the Subject is determined by the order of the General Director of the Company.
- The Subject's access to his personal data is provided upon request or upon receipt of the Subject's request. The Company is obliged to provide information about the availability of his personal data, as well as provide an opportunity to get acquainted with them within thirty working days from the date of application.
- When transferring personal data of a Subject, the Company must comply with the following requirements:
- do not transfer the Subject's personal data to a third party without the Subject's written consent, except in cases established by federal law;
- not to transfer personal data of the Subject for commercial purposes without his written consent;
- to warn the persons receiving the personal data of the Subject that this data can only be used for the purposes for which they are transferred, and to require these persons to confirm that this rule is followed;
- to allow access to the Subject's personal data only to specially authorized persons, while these persons should have the right to receive only those personal data of the Subject that are necessary to perform specific functions.
- The consent of the Subject to transfer his personal data to third parties is not required in cases where it is necessary in order to prevent threats to the life and health of the Subject, and when third parties provide services to the Company on the basis of concluded contracts, as well as in cases established by federal law and this Regulation.
- The company maintains a log of the issued personal data of the Subject, which records information about the person to whom the personal data of the Subject was transferred, the date of transfer of personal data or the date of notification of refusal to provide personal data, and also notes which information was transferred.
Article 11. Protection of personal data of Subjects
- The personal data of the Subject is subject to protection, unless the confidentiality regime is legally lifted from them.
- When processing personal data of a Subject, the Company is obliged to take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data, as well as from other illegal actions.
- The general organization of the protection of personal data of Subjects is carried out by the General Director of the Company.
- The HR Manager provides:
- familiarization of Employees with this Regulation under signature.
- the requirement from Employees of a written obligation to respect the confidentiality of personal data of the Subject and compliance with the rules of their processing.
- general monitoring of Employees' compliance with measures to protect personal data of Subjects.
- The protection of the Subject's personal data stored in the Company's electronic databases from unauthorized access, distortion and destruction of information, as well as from other illegal actions, is provided by the ISPDn and security administrator.
- Employees of the Company who need personal data in connection with the performance of their work duties according to the list of employees authorized to process personal data have access to the personal data of the Subject.
- All Employees whose work responsibilities are related to the receipt, processing and protection of personal data of the Subject are required to sign a non-disclosure agreement on personal data.
- An employee of the Company who has access to the personal data of the Subject in connection with the performance of work duties:
- ensures the storage of information containing personal data of the Subject, excluding access to them by third parties.
- in the absence of an Employee, there should be no documents containing personal data of the Subject at his workplace.
- when going on vacation, during a business trip and other cases of prolonged absence of an Employee at his workplace, he is obliged to transfer documents and other media containing personal data of the Subject to the person who will be entrusted with the performance of his work duties by a local act of the Company (order, directive).
If such a person is not appointed, then documents and other media containing the personal data of the Subject are transferred to another Employee who has access to the personal data of the Subject at the direction of the General Director of the Company.
8.1. Upon dismissal of an Employee who has access to the personal data of the Subject, documents and other media containing personal data are transferred to another Employee who has access to the personal data of the Subject at the direction of the General Director of the Company.
- Access to the personal data of Subjects by other Employees of the Company who do not have properly authorized access is prohibited.
- Documents containing personal data of the Subject are stored in lockable cabinets (safes) that provide protection against unauthorized access.
At the end of the working day, all documents containing personal data of the Subject are placed in cabinets (safes), rooms where documents containing personal data of the Subject are stored are locked and sealed, which provides protection against unauthorized access.
- Protection of access to electronic databases containing personal data of the Subject is provided:
- using licensed antivirus and anti-unauthorized access protection programs that prevent unauthorized access to the Company's local network
- differentiation of access rights using an account
- a two-stage password system: at the local computer network level and at the database level. Passwords are set by the Company's ISPDn and security administrator and are communicated individually to Employees who have access to personal data.
11.1. Unauthorized access to the automated control systems, which contain the personal data of the Subject, is blocked by a password, which is set by the ISPDn and security administrator.
11.2. All electronic folders and files containing personal data of the Subject are protected by a password, which is set by an employee of the Company responsible for the automated control system and reported to the ISPDn and security administrator.
11.3. Passwords are changed by the ISPDn and security administrator at least once every 3 months.
- Copying and making extracts of the Subject's personal data is allowed exclusively for official purposes with the written permission of the General Director of the Company.
- Responses to written requests from other organizations and institutions about the Subject's personal data are given only with the written consent of the Subject himself, unless otherwise established by the legislation of the Russian Federation. The answers are made in writing, on the Company's letterhead, and to the extent that allows you not to disclose an excessive amount of personal data of the Subject.
Article 12. Responsibility for disclosure of information containing personal data of the Subject
- The Company is responsible for the development, introduction and effectiveness of standards that comply with the requirements of the legislation of the Russian Federation governing the receipt, processing and protection of personal data of the Subject. The company establishes the personal responsibility of Employees for compliance with the confidentiality regime established in the organization.
- The Head who authorizes the Employee's access to documents containing the Subject's personal data is personally responsible for this permission.
- Each Employee of the Company who receives a document containing personal data of the Subject for work is personally responsible for the safety of the carrier and the confidentiality of the information.
- Persons guilty of violating the norms governing the receipt, processing and protection of personal data of a Subject are subject to disciplinary, administrative, civil or criminal liability in accordance with the legislation of the Russian Federation.
- For non-fulfillment or improper fulfillment by an Employee through his fault of the duties assigned to him to comply with the established procedure for processing personal data of the Subject, the Company has the right to apply disciplinary penalties provided for by the Labor Code of the Russian Federation.
- An unlawful refusal to submit documents containing personal data of a Subject collected in accordance with the established procedure, or the late provision of such documents or other information in cases provided for by law, or the provision of incomplete or deliberately false information may entail the imposition of an administrative fine on officials in the amount determined by the Code of Administrative Offenses of the Russian Federation.
- The illegality of the activities of public authorities and organizations for the collection and use of personal data may be established in court.
Regulatory and methodological documentation
Regulatory and methodological documentation that must be followed in determining the procedure for processing personal data in Cashbacktour:
- The Constitution of the Russian Federation
- Federal Law of the Russian Federation No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection"
- Federal Law of the Russian Federation No. 152-FZ dated July 27, 2006 "On Personal Data"
- Federal Law of the Russian Federation No. 125-FZ dated October 22, 2004 "On Archival Business in the Russian Federation"
- Presidential Decree No. 188 dated March 6, 1997 "On approval of the List of confidential information"
- The Labor Code of the Russian Federation
- The Civil Code of the Russian Federation
- The Code of Administrative Offences of the Russian Federation
- The Criminal Code of the Russian Federation.