PRIVACY POLICY AND PERSONAL DATA PROCESSING
1. General Provisions
1.1. This Privacy Policy and Personal Data Processing Policy (hereinafter referred to as the "Policy") defines the procedure and conditions for the processing of information about an individual, which may be received by the Individual Entrepreneur Mikhailova Irina Yuryevna, TIN: 682966385852, OGRNIP: 323774600606180 (hereinafter referred to as the "Operator"), from this individual or from his/her legal representative (hereinafter referred to as the "User", "Data Subject"), when the following relationships arise with the Data Subject:
a) when using the functions of the website: https://osa-art.com/course and all its domains, subdomains, and pages, their content, as well as Internet services and software offered by the Operator for use on these websites (hereinafter collectively referred to as the "Website");
b) when the Operator exercises the rights and obligations established by agreements/contracts, of which the Operator is a party;
c) when processing requests, complaints, inquiries, messages sent by the Operator and the Data Subject to each other.
1.2. The purpose and objective of this Policy is to ensure the proper legal regime of personal data. The Policy shall not contain provisions that restrict the rights and freedoms of the Data Subject, establish cases of processing of personal data of minors, unless otherwise provided by the legislation of the Russian Federation, as well as provisions that allow, as a condition for concluding an agreement/expressing consent, inaction on the part of the Data Subject.
2. Legal Basis for Personal Data Processing
2.1. The legal basis for processing personal data is:
a) consent to the processing of personal data, expressed in the manner prescribed by law and this Policy;
b) agreements concluded between the Operator and the User;
c) local regulations of the Operator in the field of personal data.
2.2. The Data Subject makes a decision to provide his/her personal data and gives consent to their processing freely, of his/her own free will, and in his/her own interest. Inaction on the part of the Data Subject cannot be construed as consent. Consent to the processing of personal data must be specific, subject-matter-related, informed, conscious, and unambiguous. Consent to the terms of the Policy may be expressed by the Data Subject by performing any of the following actions:
a) concluding an agreement with the Operator, provided that the User is given the opportunity to familiarize themselves with the full text of this Policy in each place where personal data is collected;
or
b) placing a checkmark (in the input field) on the Website next to the text, provided that the User is given the opportunity to familiarize themselves with the full text of this Policy in each place where personal data is collected.
2.3. In accordance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Internet websites of the Operator: https://osa-art.com/course.
3. Procedure and Conditions for Personal Data Processing
3.1. The Operator processes personal data in accordance with the requirements of the legislation of the Russian Federation.
3.2. Personal data is processed with the consent of the Data Subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
3.3. Consent to the processing of personal data is provided when filling out special data collection forms on the Operator's Website, when submitting an application for the conclusion of the relevant service agreement (acceptance of a public offer) or directly when making payments for services under the specified agreement (acceptance of a public offer) by checking the box in a special "checkbox."
3.4. Consent to the processing of personal data permitted by the Data Subject for distribution is executed separately from other consents of the Data Subject to the processing of his/her personal data.
3.5. Transfer of personal data to third parties is prohibited. Exceptions include:
3.5.1. Transfer with the User's consent.
3.5.2. Transfer to authorized bodies in accordance with the law.
3.5.3. Transfer of personal data to contractors engaged to implement the Operator's projects.
3.5.4. Transfer of personal data to the Operator's service providers - companies that process personal data pursuant to a special document-instruction from the Operator.
3.5.4.1. LLC "System Getcourse", TIN: 9731055900, OGRN: 1197746675170, legal address: Moscow, territory of the Skolkovo Innovation Center, Bolshoy Boulevard, 42, building 1, room 1122, mailing address: 123022, Moscow, Trekhgorny Val Street, 14, building 5; contacts: support@getcourse.ru, +7 (800) 555-47-03.
3.6. The recipient of the Operator's services or a visitor to the Website, as a Data Subject, is notified and gives consent to the objective necessity arising in the process of the Website's operation and receiving the Operator's services to allow access to their personal data for the Operator's software and third parties (contractors or service providers of the Operator). This access is provided solely for the purposes specified in this Policy.
3.7. Transfer of personal data to investigative and preliminary investigation bodies, to the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
3.8. The Operator carries out both automated and non-automated processing of personal data.
3.9. The Operator does not intentionally process personal data of minors. The Performer recommends using the Website to individuals who have reached the age of 18. Responsibility for the actions of minors, including the purchase of services on the Website, lies with the legal representatives of minors. All visitors under the age of 18 must obtain permission from their legal representatives before providing any personal information about themselves.
If the Operator becomes aware that it has received personal information about a minor without the consent of the legal representatives, such information will be deleted as soon as possible.
3.10. Data Accuracy and Capacity
In general, the Operator does not verify the accuracy of the personal information provided by Data Subjects and does not monitor their legal capacity. The risk of providing inaccurate personal data, including providing data of third parties as their own, is borne by the Data Subject.
3.11. Assumptions
The Operator assumes that:
3.11.1. Data Subjects provide accurate and sufficient personal information in a current state.
3.11.2. Data Subjects are familiar with this Policy and express their informed and conscious consent to it.
3.12. The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, dissemination, and other unauthorized actions, including:
• Identifying threats to the security of personal data during processing.
• Adopting local regulations and other documents regulating relations in the field of personal data processing and protection.
• Appointing individuals responsible for ensuring the security of personal data in the Operator's structural units and information systems.
• Creating the necessary conditions for working with personal data.
• Organizing the registration of documents containing personal data.
• Organizing work with information systems where personal data is processed.
• Storing personal data in conditions that ensure their preservation and prevent unauthorized access.
4. Purposes of Personal Data Processing
4.1. Only personal data that meets the purposes of its processing shall be processed. The Operator processes personal data to achieve the following purposes:
4.1.1. Purpose: Preparation, Conclusion, and Performance of a Civil Law Agreement
Categories and List of Processed Data: Last name, first name, patronymic; year of birth; month of birth; date of birth; gender; email address; residential address; registration address; phone number; TIN; citizenship; details of identity documents; bank card details; account number; profession; position; information about employment (including work experience, data on current employment with the name and account number of the organization); information about education.
Categories of Data Subjects whose personal data is processed: Applicants; Counterparties; Representatives of Counterparties; Clients; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, depersonalization, transfer (access, provision), blocking, deletion, destruction of personal data.
Processing and Storage Period: Until the Data Subject requests the cessation of processing/withdrawal of consent or 10 (ten) years.
Procedure for Destruction of Personal Data Upon Achievement of the Purpose of Processing or Upon the Occurrence of Other Legal Grounds: The person responsible for processing personal data shall erase the data by overwriting (replacing all storage units with "0") with the preparation of an act on the destruction of personal data.
4.1.2. Purpose: Website Registration
Categories and List of Processed Data: Last name, first name, patronymic; email address; phone number; information collected through metric programs.
Categories of Data Subjects whose personal data is processed: Clients; Website Visitors.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, depersonalization, blocking, deletion, destruction of personal data.
Processing and Storage Period: Until the Data Subject requests the cessation of processing/withdrawal of consent or 10 (ten) years.
The procedure for the destruction of personal data upon the achievement of the purpose of their processing or the occurrence of other legal grounds: the person responsible for the processing of personal data shall perform data erasure by overwriting (replacing all information storage units with "0") with the compilation of a record of the destruction of personal data.
4.1.3. Purpose: Processing applications submitted through the registration form on the Website.
Categories and List of Processed Data: Last name, first name, patronymic; email address; phone number.
Categories of Data Subjects: Clients; Website Visitors; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, and destruction of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.1.4. Purpose: Making calls from the Operator, engaging in correspondence with the Operator to clarify application details.
Categories of Data Subjects: Clients; Website Visitors; Legal Representatives.
Categories and List of Processed Data: Last name, first name, patronymic; email address; phone number.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, and destruction of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.1.5. Purpose: To obtain feedback, reviews, and recommendations from the Data Subject, conduct surveys, and facilitate effective communication with current and potential customers of the Operator.
Categories and List of Processed Data: Last name, first name, patronymic; email address; phone number; message content (if the message content contains personal data); data from the User's social media accounts; image data: photographs, videos, and other technical recordings of the face and body.
Categories of Data Subjects: Clients; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, destruction, and dissemination of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.1.6. Purpose: To carry out informational and promotional mailings.
Categories and List of Processed Data: Last name, first name, patronymic; email address; phone number.
Categories of Data Subjects: Counterparties; Representatives of Counterparties; Clients; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, and destruction of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.1.7. Purpose: To select Performers for service agreements.
Categories and List of Processed Data: Last name, first name, patronymic; year of birth; month of birth; date of birth; gender; email address; phone number; profession; job title; employment history (including work experience, current employment data with the name and account number of the organization); education information.
Categories of Data Subjects: Job Seekers; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, and destruction of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.1.8. Purpose: Processing communications, claims, complaints, requests, messages exchanged between the Operator and the Data Subject.
Categories and List of Processed Data: Last name, first name, patronymic; email address; residential address; registration address; phone number; identity document details; bank card details; bank account number.
Categories of Data Subjects: Counterparties; Representatives of Counterparties; Clients; Website Visitors; Legal Representatives.
Methods of Processing: Collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, anonymization, transfer (access, provision), blocking, deletion, and destruction of personal data.
Processing and Storage Period: Until the Data Subject submits a request to cease processing/withdraw consent or for a period of 10 (ten) years, whichever occurs first.
Procedure for Destroying Personal Data upon Achieving the Purpose of Processing or Other Legal Grounds: The person responsible for processing personal data will erase the data by overwriting (replacing all information storage units with "0") and creating an act of personal data destruction.
4.2. The Operator's Website uses cookies and visitor data from website traffic analytics services (IP address; information from cookies, browser information, access time, page address where the advertising block is located, referrer (previous page address), and other data). This data is used to collect information about visitors' actions on the Website in order to improve its content, enhance its functionality, and ultimately create high-quality content and services for visitors.
The Data Subject can modify their browser settings at any time to block all cookies or receive notifications about their sending. However, the Data Subject must understand that some functions and services of the Operator may not work properly as a result.
5. Storage and Destruction of Personal Data
5.1. The Operator will store personal data in a form that allows identification of the Data Subject for no longer than necessary to achieve the purposes of processing personal data, unless the storage period is established by federal law, contract, or agreement.
5.2. Data Subjects' personal data may be received, further processed, and stored both on paper and in electronic form.
5.3. Personal data recorded on paper media will be stored in locked cabinets or locked rooms with restricted access.
5.4. Personal data of Data Subjects processed using automated means for different purposes will be stored in separate folders.
5.5. It is prohibited to store and place documents containing personal data in open electronic directories (file sharing services) within the personal data information system.
5.6. Personal data stored in a form that allows identification of the Data Subject will be stored no longer than necessary to achieve the purposes of processing and will be destroyed upon achieving those purposes or if the need to achieve them is lost.
5.7. In case of a request for deletion, revocation of consent to processing, or upon achieving the purpose of processing personal data, the Operator undertakes to cease processing and destroy the personal data within a period not exceeding 10 calendar days from the date of consent revocation or achievement of the purpose of processing personal data.
5.8. The period may be extended, but no more than 5 working days, in case of a reasoned notification specifying the reasons for the extension.
5.9. Methods of Destruction: Personal data will be destroyed by deleting it from the database, formatting the media, or mechanically damaging hard drives.
If personal data was processed in a non-automated manner, it can be destroyed by burning, shredding (grinding), or chemical decomposition.
The procedure for documenting the destruction of personal data will be determined by the Operator independently.
5.10. Destruction of Personal Data shall occur in the following cases:
• Upon the User providing evidence that the Personal Data was obtained unlawfully or is not necessary for the stated purpose of processing: within 7 working days of submission of such evidence (Article 14, Part 1; Article 20, Part 3 of Law No. 152-FZ);
• Upon identification of unauthorized processing of Personal Data: within 10 working days (Article 21, Part 3 of Law No. 152-FZ);
• Upon withdrawal of Personal Data by the Data Subject: within 30 days (Article 21, Part 5 of Law No. 152-FZ);
• Upon achievement of the purpose of Personal Data processing: within 30 days (Article 21, Part 4 of Law No. 152-FZ);
• Upon expiration of the Personal Data storage period: within 30 days (Article 21, Part 4 of Law No. 152-FZ).
5.11. In the event of the Data Subject withdrawing consent to Personal Data processing, or upon expiration of the consent validity period, or upon the Data Subject submitting a request to cease processing of Personal Data, the Operator may block the data and process it in an archived format for a period of 3 (three) years.
6. Protection of Personal Data
6.1. The Personal Data Protection System complies with the requirements of the Decree of the Government of the Russian Federation dated November 1, 2012, No. 1119 "On Approval of Requirements for the Protection of Personal Data during Processing in Personal Data Information Systems." In accordance with regulatory requirements, the Operator has established a Personal Data Protection System (PDPS), consisting of legal, organizational, and technical protection subsystems.
6.2. The legal protection subsystem encompasses a complex of legal, organizational-dispositional, and regulatory documents that ensure the creation, functioning, and improvement of the PDPS.
6.3. The organizational protection subsystem includes the organization of the PDPS management structure, authorization system, information protection when working with partners and third parties.
6.4. The technical protection subsystem encompasses a complex of technical, software, and hardware tools that ensure the protection of Personal Data.
6.5. The primary Personal Data protection measures employed by the Operator are as follows:
6.5.1. Appointment of a Person Responsible for Personal Data processing, who shall organize the processing of Personal Data, provide training, and conduct briefings.
6.5.2. Determination of current threats to the security of Personal Data during processing in the Personal Data Information System and the development of measures and activities for Personal Data protection.
6.5.3. Development of a Personal Data processing policy.
6.5.4. Establishment of access rules to Personal Data, as well as ensuring the recording and tracking of all actions performed with Personal Data.
6.5.5. Utilization of information security tools that have passed the established conformity assessment procedure.
6.5.6. Certified anti-virus software with regularly updated databases.
6.5.7. Compliance with conditions ensuring the safety of Personal Data and preventing unauthorized access.
6.5.8. Detection of unauthorized access to Personal Data and taking corrective measures.
6.5.9. Restoration of Personal Data that has been modified or destroyed due to unauthorized access.
6.5.10. Implementation of internal control and audits.
7. Rights of the Data Subject and Obligations of the Operator
7.1. The Data Subject has the right to:
• Obtain personal data relating to them and information regarding its processing.
• Request correction, blocking, or deletion of their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing.
• Withdraw their consent to the processing of personal data.
• Protect their rights and legitimate interests, including seeking compensation for damages and moral harm through legal proceedings.
• Appeal against the actions or inaction of the Operator to the authorized body for the protection of the rights of data subjects or through legal proceedings.
7.2. To exercise their rights and legitimate interests, data subjects have the right to contact the Operator or submit a request in person or through a representative. The request must contain the information specified in Part 3 of Article 14 of the "Law on Personal Data."
7.3. The request shall include:
• The number of the main document certifying the identity of the data subject or their representative, information about the date of issuance of the said document and the issuing body.
• Information confirming the participation of the data subject in relations with the Operator (contract number, date of contract conclusion, conditional verbal designation, and/or other information), or information otherwise confirming the fact of the Operator's processing of personal data.
• The signature of the data subject or their representative.
7.4. The request may be submitted in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
If the application (request) of the data subject does not contain all the necessary information in accordance with the requirements of the Law on Personal Data, or the subject does not have the right to access the requested information, then a reasoned refusal shall be sent to them.
7.5. The right of the data subject to access their personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if access by the data subject to their personal data violates the rights and legitimate interests of third parties.
7.6. Upon the identification of inaccurate personal data upon application by the data subject or their representative, or upon their request or a request from Roskomnadzor, the Operator shall block personal data relating to that data subject from the moment of such application or receipt of the request, for the period of verification, if blocking the personal data does not violate the rights and legitimate interests of the data subject or third parties.
7.7. If the inaccuracy of personal data is confirmed, the Operator, based on the information provided by the data subject or their representative, or Roskomnadzor, or other necessary documents, shall clarify the personal data within seven working days of the submission of such information and unblock the personal data.
7.8. In case of the identification of unlawful processing of personal data upon application (request) of the data subject or their representative, or Roskomnadzor, the Operator shall block unlawfully processed personal data relating to that data subject from the moment of such application or receipt of the request.
8. Responsibility of the Parties
8.1. The Operator, failing to fulfill its obligations, shall be liable for damages incurred by the User due to the unlawful use of personal data, in accordance with the legislation of the Russian Federation.
8.2. In case of a personal data leak of the data subject, the Operator is obliged to notify the relevant state bodies about the leak and the results of the investigation into this leak within the timeframes stipulated by the current legislation of the Russian Federation.
9. Final Provisions
9.1. The Operator has the right to make changes to this Policy without the consent of data subjects.
9.2. The new Policy shall come into force from the moment of its posting on the Website, unless otherwise provided by the new edition of the Privacy Policy.
9.3. The Person Responsible for processing personal data is Individual Entrepreneur Mikhailova Irina Yuryevna.
10. Operator Details
Individual Entrepreneur
Mikhailova Irina Yuryevna
TIN: 682966385852
OGRNIP: 323774600606180
Current Account: 40802810520000112445
Correspondent Account: 30101810745374525104
Bank Name: LLC "Bank Tochka"
BIC: 044525104
Email Address: support@osa-art.com