Privacy and Data Processing Policy

on the website big3.ru
от dated 10.01.2023

Personal Data Processing Policy (PD Policy) defines the policy of LLC «The Big Three» with respect to personal data collected via the big3.ru website and contains information on the requirements for the personal data protection. The name «Personal Data Processing Policy» is identical to the name «Privacy Policy» or «Regulation on Personal Data» in its essence and legal meaning for the fulfilment of the Federal Law-152.

This PD Policy is an inseparable part of the rules of use of the big3.ru website. Acceptance of the PD Policy by confirming it by clicking the button in the notification, or by ticking the appropriate form and (or) form of personal data collection confirms that you have carefully read the text of the Policy, fully and unconditionally accept it and agree to the processing of personal data on the conditions specified below. You must not provide personal data if you disagree with any terms of the Policy.

The terms used in the PD Policy correspond to the terms given in the Website Terms of Use, unless expressly stated otherwise.

1. Terms

1.1. Law on Personal Data, FL-152 - Federal Law of the Russian Federation dated 27.07.2006 No. 152-FL «About Personal Data».

1.2. Website - consists of the website located on the Internet at big3.ru and supporting information technologies, technical means ensuring the functioning of the website.

1.3. Processing of personal data - any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematisation, accumulation, storage, clarification (update, change), extraction, use, transfer, depersonalisation, blocking, deletion, destruction of personal data.

1.4. The Operator - Limited Liability Company «The Big Three», TIN: 7716668049 Primary State Registration Number (OGRN): 1107746574308, registered office: 121205, Moscow, territory of the Skolkovo Innovation Centre, 42 Bolshoi Boulevard, bldg. 1, floor 4, room 1575, workplace 7 - being the Operator of personal data.

1.5. Personal data - any information relating to a directly or indirectly defined or identifiable individual (subject of personal data).

1.6. PD Policy - this Personal Data Processing Policy.

1.7. User - for the purposes of this PD Policy, a User is every visitor of the website.

2. Personal data processed by the Operator

2.1. The Operator processes personal data provided by Users through the functionality of the website, e.g. by filling in special forms placed on the website or using individual functions of the website.

2.2. The list of processed personal data differs depending on the type of User and the website functionality used. In particular, the Operator may process the following personal data:

• full name or other information specified by the User, e-mail address;
• personal data that may be contained in requests uploaded to the website through the feedback form;
• data received as a result of the User's interaction with the website.

3. Purposes of processing personal data by the Operator

3.1. The Operator collects and processes personal data of Users for a specific, predetermined and legitimate purpose - fulfilment of the obligations imposed on the Operator by the concluded service contract and the rules of the website usage, including, but not limited to, the following possible uses of personal data:

• providing an opportunity to use the website functionality;
• interaction with Users in regard to requests to the Operator, namely: processing requests for return calls, recording conversations with the Operator's support specialists, sending answers to questions, sending important information related to the website and (or) changing policies and other documents posted on the website;
• storing and recording the history of interaction between the User and the Operator;
• sending advertising and information materials, including news, information about the Operator's offers and services;
• maintaining and improving the functionality of the website, the Operator's activities, personalising the experience of using the website by processing statistical information and conducting research.

3.2. The Operator does not collect and does not process personal data that is not required to fulfil the purposes specified above.

4. Legal bases for processing of Users' personal data by the Operator.

4.1. The Operator processes Users' personal data on the following legal bases:

• Personal Data Processing Policy, Agreement on the Use of Cookies.
• Consent to the processing of personal data, which the User gives to the Operator by accepting the terms of this PD Policy and the Agreement on the Use of Cookies - by continuing to use the visited website big3.ru.
• The processing of personal data is necessary for the fulfilment of the rights and legitimate interests of the Operator, provided that the rights and freedoms of the User are not violated.
• The processing of the User's personal data is necessary for statistical or other research purposes, provided that the personal data is anonymised.
• The processing of the User's personal data is necessary for the fulfilment of the duties, functions, powers assigned to the Operator by the current legislation of the Russian Federation.

4.2. The User is solely responsible for the transfer to the website and processing of personal data of his/her representatives without a proper legal basis. The Operator is not responsible for the processing of personal data of the User's representatives without a proper legal basis. The User undertakes to compensate the Operator for losses caused by violation of the terms defined in this clause - including, but not limited to, the amounts of sanctions caused by claims of state authorities.

5. How the Operator processes Users' personal data

5.1. The Operator processes personal data of Users independently, both with the use of automation means and without their use. In individual cases, the Operator has the right to entrust processing to third parties. The Operator does not disclose or distribute personal data of Users without their consent, unless otherwise provided for by federal law and (or) on the basis of a lawful and reasonable request of a court, law enforcement authorities.

6. To whom the Operator transfers personal data

6.1. The Operator does not transfer personal data of Users to third parties.

Personal data of Users may also be transferred to third parties not specified in this PD policy - with the expressed consent of Users when they use certain functions of the website. The specified third parties undertake to process Users' personal data in accordance with the terms of this PD policy.

6.2.You agree that you are properly informed about the possibility of changes in the list of such persons and undertake to check the PD policy at reasonable intervals.

6.3. The transfer of personal data may be carried out in the following possible ways: through the functionality of the website big3.ru - feedback form.

6.4. The Operator has the right to transfer Users' personal data to a third party in the event of reorganisation, merger, sale, joint venture, transfer or liquidation of the Operator, assets in whole or in part (including all of the above in connection with bankruptcy or legal proceedings).

6.5. When the Operator entrusts the processing of personal data to third parties or transfers personal data by the Operator to such third parties, the Operator guarantees that such individuals will be responsible for maintaining the confidentiality of Users' personal data, ensuring their protection and security during processing, as well as other obligations specified in the FL-152.

6.6. The Operator does not transfer Users' personal data to foreign countries. However, some cookies may allow such transfer depending on the specifics of their functioning, which is separately specified in the cookie policy.

7. Period of personal data processing by the Operator

7.1. The Operator processes Users' personal data and stores it in a form that allows Users to be identified, as long as it is required to fulfil the purpose of processing specified in this PD Policy.

Processing of personal data is terminated if one of the following conditions occurs:

• The User has refused the rules of use of the website unilaterally.
• User legal entity terminated its existence as a legal entity or individual entrepreneur.
• The User has withdrawn consent to the processing of personal data by sending an explicit refusal to the Operator.
• The predetermined purpose of personal data processing was achieved.
• Illegal processing of personal data was detected.
• The Operator has stopped supporting the website.
• The Operator has terminated its activity.

7.2. If at least one of the above conditions has occurred, the Operator destroys or anonymises the personal data, unless there are other reasons for processing the personal data (e.g. there are outstanding obligations to the User for the performance of which it is necessary to use his/her personal data).

8. Information on consent to the terms of personal data processing

8.1. The User makes an independent decision to provide his/her personal data to the Operator. The User expresses his/her consent to the terms of personal data processing freely, of his/her own free will and in his/her own interests. By ticking the «tick box» or clicking the «accept» button in the forms posted on the website, the User confirms that he/she agrees to the terms of personal data processing specified in the PD policy. If the User does not agree with these conditions, he/she should not provide his/her personal data and should not tick the «tick» in the forms or click the «accept» button on the website

8.2. Consent is not required if there are other legal reasons, including when the Operator processes Users' personal data in connection with the need to respond to legitimate and reasoned requests from courts, law enforcement, prosecution, security and other authorities empowered to request information in accordance with the legislation of the Russian Federation.

9. Rights of Users as subjects of personal data

9.1. Users have the right to receive their personal data for information and demand from the Operator to clarify, block or destroy them if they are incomplete, outdated, inaccurate, illegally obtained or not required for the stated purpose of processing. Users have the right to receive information that relates to the processing of their personal data. Users have the right to protect their rights and legitimate interests, including compensation for losses incurred and (or) compensation for moral damage in court.

9.2. The User has the right to refuse processing of personal data at any time by contacting the Operator via any communication channel specified in Section 12 of this PD Policy.

9.3. If the User has consented to receive communications by email, telephone or within the website, including notifications, advertising messages, news, reminders, but wishes to cancel their receipt, he/she may do so in any of the following ways:

• click on the link included in each electronic message sent to the User by e-mail, the address of which was previously provided to the Operator;
• contact the Operator by phone number indicated on the website during working days from 9-00 to 18-00 Moscow time;
• use the functionality of cancellation of consent to receive advertising or other messages provided in the personal account on the website.

9.4. Despite the refusal to receive messages by email and/or telephone, the Operator may continue to process the User's personal data if there are other reasons for processing (for example, if the User continues to use the website functionality).

10. Security and protection of personal data

10.1. The Operator takes all necessary measures to protect Users' personal data. The Operator protects data from loss, misuse, unauthorised access, disclosure, alteration, destruction to the extent provided for by applicable law and best practices. However, no system of data storage or transmission via the Internet can objectively guarantee complete security.

If the User has reason to believe that the exchange of information with the Operator is not secure, he/she undertakes to immediately notify the Operator about it using the contacts specified in Section 12 of this PD Policy.

11. Requirements for personal data protection and security fulfilled by the Operator

11.1. The protection of personal data processed by the Operator is ensured by the implementation of legal, organisational and technical measures necessary and sufficient to meet the requirements of the legislation in the personal data protection sector. Specific measures to be implemented by the Operator are specified in the Operator's internal documents and can be provided upon request.

11.2. In selecting these measures, the Operator considers the terms of Art. 18.1 of the Personal Data Law, which, in particular, may include the following:

• Assignment of the person responsible for the organisation of personal data processing.
• Issuance of documents defining the Operator's policy with regard to personal data processing, local acts on personal data processing, as well as local acts establishing procedures aimed at preventing and detecting violations of the law and eliminating the consequences of such violations.
• Regular internal control of compliance of personal data processing with the Personal Data Law FL-152, personal data protection requirements, the Operator's policy on personal data processing and other local acts of the Operator.
• Assessment of the damage that may be caused to the User in case of violation of the legislation on personal data, the correlation between the damage and the measures taken by the Operator.
• Familiarisation of the Operator's employees directly involved in personal data processing with the terms of personal data legislation, including requirements to personal data protection, documents defining the Operator's policy on personal data processing, local acts on personal data processing.
• Education of the Operator's employees directly involved in personal data processing on the rules of working with personal data.

11.3. When selecting data security measures, the Operator considers the measures specified in the terms of Art. 19 of the Law on Personal Data, which may include the following:

• Establishing rules for access to personal data processed in personal data information systems and approving the list of persons whose access is necessary for the performance of their official (employment) duties.
• Ensuring registration and accounting of all actions performed with personal data in personal data information systems.
• Determining threats to the security of personal data during its processing in personal data information systems.
• Applying organisational and technical measures to ensure the security of personal data during its processing in personal data information systems, necessary to meet the requirements for personal data protection.
• Applying information protection means included in application software products, software protection means preventing unauthorised access to personal data, access control to the Operator's facilities and premises.
• Regularly assessing the effectiveness of measures taken to ensure the security of personal data before entering it in the information systems of personal data.
• Accounting of machine carriers of personal data.
• Detecting facts of unauthorised access to personal data and taking measures, including measures to detect, prevent and eliminate the consequences of computer attacks on personal data information systems and to respond to cyber incidents in them.
• Restoring personal data, that is modified or destroyed due to unauthorised access to it.
• Monitoring of the measures taken to ensure the security of personal data and the level of protection of personal data information systems.

12. How to contact the Operator

If you have any questions in connection with the processing of your personal data or this PD policy, you may contact the Operator with a request by any of the following ways:

• by email - info@big3.ru;
• send us a letter to the following address: 121205, Moscow, territory of Skolkovo Innovation Centre, Bolshoi Boulevard, 42, str. 1, floor 4, room 1575, workplace 7;
• call +7 (495) 109-03-05 during working hours in Moscow time zone.

13. Final terms

13.1. The PD Policy applies only to the website. Although the website may contain links to other Internet resources (other websites), the PD Policy does not apply to any of them.

13.2. The website and the Operator's activities are constantly changing. As a result, it becomes necessary to make changes to this PD Policy. The Operator may change it without notice (prior or subsequent). The date of the last change will be indicated at the beginning of the document and will indicate the entry into force date of the revised PD Policy. Any changes to this PD Policy will be effective from the date of publication of the new version of the PD Policy on the big3.ru website.

13.3. Use of the website after the changes have been made means that the User has read and agreed to the terms of the revised PD policy. The User undertakes to periodically review this PD policy, especially before providing any personal data. If the User does not agree with the updated version of the policy, he/she should stop using the website and notify the operator.