We cherish confidence of our guests
Regulation on Processing and Protection of the Personal Data of Guests Residing in the Hotels of the Chain:
1.1. Present Regulation is governed by Constitution of the Russian Federation and international treaties of the Russian Federation, Federal Law No. 152-FZ dated 27.07.2006 “On personal data”, Federal Law No. 149-FZ dated 27.07.2006 “On information, information technology, and protection of information”, as well as other statutory regulations.
1.2. Main terms used in the Regulation:
Hotel means property complex (buildings, part of a building) designated for rendering of the hotel and related hotel services to the guests (restaurant services, arrangement for the conferences, events, etc.), joining OJSC “Slavyanka” Hotel Complex” (as a branch or as a structural subdivision);
Guest is a natural person, customer of hotel services, and subject of personal data;
Hotel Services mean a set of services for assurance of the temporary stay in a hotel, including related services, list of which shall be determined by the Hotel;
Websites mean sites owned by OJSC “Slavyanka” Hotel Complex”, at which information about its activity, as well as activity of its branches and structural subdivisions rendering hotel services (Hotels) is posted;
Personal Data means any information directly or indirectly related to specific natural person (subject of personal data);
Operator means OJSC “Slavyanka” Hotel Complex”, including its branches, which solely or jointly with other persons organizes and/or performs processing of the personal data, content of the processed personal data, and actions (operations) performed with such personal data;
Processing of Personal Data means any action (operation) or a set of actions (operations) performed with the use of automation means or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, amendment), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of the personal data;
Distribution of the Personal Data means actions aimed at disclosure of the personal data to the undefined number of persons;
Use of Personal Data means actions (operations) with personal data performed by the operator for taking of decisions or for performance of other actions resulting in legal consequences for the subject of personal data or other persons or otherwise affecting the rights and freedoms of the subject of personal data or other persons;
Confidentiality of Personal Data means obligation of the operator or other person entitled to access the personal data mot to allow distribution of such personal data without consent of the subject of personal data or without other legal grounds for doing so;
Blocking of Personal Data means suspension of processing of the personal data (except for the cases when processing is required for clarification of the personal data);
Destruction of the Personal Data means any actions resulting in inability to restore content of the personal data in information system of the personal data and/or resulting in destruction of the tangible media of such personal data;
Depersonalization of the Personal Data means actions making it impossible to determine ownership of such personal data by specific subject thereof without the use of additional information.
1.3. Present Regulation establishes the procedure for processing of the personal data of Guests provided with all range of hotel services.
1.4. Purpose of present Regulation is protection of the rights and freedoms of a person and citizen at processing of his/her personal data.
1.5. Personal data is processed in pursuance of the contract for provision of the services for stay or temporary stay entered into with the Guest. The Hotel collects data only to the extent required for achievement of the above purpose.
1.6. Personal data may not be used for causing any material and moral damage to citizens, to challenge realization of the rights and freedoms of the citizens of the Russian Federation.
1.7. Present Regulation is approved by the General Director (authorized representative) and is binding on all officers provided with access to personal data of the Guests.
2. Content and Reception of Personal Data of the Guests
2.1. Personal data collected and processed by the Hotel include as follows:
1) Application details (surname, name, patronymic, day, month, and year of birth);
2) Passport details;
3) Permanent residence address;
4) contact number;
5) E-mail address;
6) Details of banking card;
7) Employer details (upon booking for business travelers).
2.2. Officers of the Hotel receive all personal data directly from the subjects of such personal data – the Guests and/or their legal representatives, legal entities (regarding business travelers), upon completion by the later of the check-in card upon registration in the Hotel or in case of indication by the Guest of its personal data at booking website of the Hotel or upon completion of the feedback form, posting of feedback on rendered services.
3. Processing and Storage of Personal Data of the Guests
3.1. Processing of personal data in the best interests of the Guests involves Hotel operations for collection, systematization, accumulation, recording, storage, clarification (updating, amendment), use, distribution, depersonalization, blocking, destruction, and protection from the unauthorized access to personal data of the Guests.
3.2. It is required to obtain consent of the Guests for processing of their personal data since such processing if performed in pursuance of the contract entered into with the subject of personal data – the Guest.
During check-in procedure, the Guest shall complete the Consent for Processing of the Personal Data indicated in the Check-In Card. Check-in of the Guest in the Hotel means acceptance of the Consent. The Guest consents to processing by the Operator of his/her personal data indicated in the Check-in Card, booking application, and other documents upon conditions provided for in present Regulation.
3.3. Only officers of the Hotel, which are empowered to use personal data of the Guests and which have signed Non-Disclosure Agreement, may process personal data of the Guests.
3.4. List of officers of the Hotel provided with access to personal data of the Guests shall be determined by Decree of the General Director (his/her authorized officer, head of the branch).
3.5. Paper-based personal data of the Guests shall be kept in the structural subdivision performing check-in and allocation of the Guests in the Hotel.
3.8. The Operator receives information on ip-address of website user. This information shall not be used for identification of website user.
3.9. If the Guest / Visitor of Website posts information directly at the Operator’s Website to make it public (for instance, for placement of feedback, participation in public chats directly maintained at Websites of the Operator, participation in surveys), the later shall not be liable for the information posted by the Guest/ Visitor of Website at Websites in publicly available form. Such information shall be deemed to be personal data made public by the subject of such personal data.
3.10. Upon completion of feedback form, sending of notifications, requests to the Operator, use of other Operator services through Websites of the Operator, Visitor shall acknowledge himself/herself with the terms of the User Agreement for processing of his/her personal data. Visitor consents with terms of the User Agreement by ticking relevant line on Website. It is recommended to stop using any Website services of the Operator if the User disagrees with any terms of the User Agreement. Continued use thereof means acceptance of all terms of the said agreement.
3.11. Personal data shall be stored in form allowing identification of the subject of such personal data, however no longer than it is required for processing of such personal data if term of storage of the personal data is not provided for in the effective law, contract entered into with the subject of personal data as the beneficiary or the principal, and present Regulation.
3.12. Processed personal data shall be destructed or depersonalized upon achievement of the processing objectives or if such processing is not required anymore, unless otherwise is specified in the effective law, present Regulation.
3.13. Destruction of media with personal data shall be done as follows:
• Paper-based personal data shall be destroyed so that to make it impossible to restore the document (use of shredders);
• Personal data stored in memory of personal computers shall be destroyed by deletion thereof from the memory of such personal computers;
• Personal data stored on a flash card, CD, and other media shall be destroyed by deletion of file from the media and, if required, by deactivation of such flash card or CD.
3.14. Requirements to premises where personal data is processed:
3.14.1. Network equipment, servers shall be located in places inaccessible by the unauthorized persons (in special premises, cabinets, and boxes);
3.14.2. Paper-based personal data of the Guests shall be stored in locked cabinets, boxes;
3.14.3. Cleaning of the premises and technical maintenance of the personal data information systems shall be done under supervision of the persons responsible for such premises and equipment with adherence to measures preventing unauthorized access to personal data, information media, and information processing, transfer, and protection software and hardware.
4. Use and Transfer of Personal Data of the Guests
4.1. The Hotel shall process Personal Data of the Guests solely for provision of services, for development of new products/services, for notification of the Guests on such products/services (of which by phone/e-mail), for sending of responses to enquires of the Guests, as well as in cases of disclosure of such data (information) to executive state and municipal bodies according to the law of the Russian Federation and for enforcement of the effective law of the Russian Federation.
4.2. Upon disclosure of the personal data of the Guests, the Hotel shall meet the following requirements:
4.2.1. Warn persons receiving personal data of the Guests that such data may be used only for the designated purposes and claim confirmation of adherence to such a rule from such persons. Persons receiving personal data of the Guests shall keep confidential the received information. It does not apply to depersonalized and publicly available data.
4.2.2. Provide access to personal data of the Guests to specially designated persons only. In such a case, the above persons shall be entitled to receive only such personal data, which is required for fulfillment of specific functions.
1) Upon written consent of the Guest;
2) in cases provided for in the international treaties of the Russian Federation on issues regarding issuance of visas, international treaties of the Russian Federation on rendering of legal assistance in civil, family, and criminal cases, as well as international treaties of the Russian Federation on readmission;
3) In cases provided in the federal laws if it is required for protection of foundations of the constitutional system of the Russian Federation, for assurance of the national defense and safety;
4) For performance of the contract entered into with the subject of the personal data;
5) For protection of life, health, other vital interests of the subject of personal data or other persons if it is impossible to obtain consent of the subject of personal data in written form.
4.3. It is prohibited to answer by phone or by fax any questions related to disclosure of information containing any personal data.
1) If such disclosure is required for adherence to the law, enforcement of the judicial act;
2) For rendering of the assistance in investigations performed by law-enforcement or other state authorities;
3) For protection of the legal rights of the Guests and the Hotel.
4.5. If the Guest waives his/her consent, the Hotel may continue processing without consent of the Guest upon the grounds specified in Clauses 2-11, Part 1, Article 6, Part 2, Article 10, and Part 2, Article 11 of the Federal Law Nr.152-FZ “On personal data”.
4.6. It is prohibited to unify databases with any personal data processed for the non-matching purposes.
5. Protection of Personal Data of the Guests from the Unauthorized Access
5.1. Upon processing of personal data of the Guests, the Hotel shall take necessary organizational and technical measures for protection of such personal data from unauthorized or accidental access, destruction, changing, blocking, copying, distribution, as well as from other wrongful actions.
5.2. In pursuance of the effective protection of personal data of the Guests it is required to:
5.2.4. Take disciplinary action against officers guilty of violation of the provisions governing the collection, processing, and protection of personal data of the Guests.
5.4. Documents containing personal data of the Guests shall be stored in premises of the front deck ensuring protection from the unauthorized access to such personal data.
1) Use of licensed software products preventing unauthorized third party access to personal data of the Guests;
2) password system. Passwords shall be established by the system administrator and shall be notified in person to each officer provided with access to personal data of the Guests.
5.6. It is allowed to copy and to make extracts from personal data of the Guests solely on a need-to-know basis with written permission of the manager.
5.7. Access of officers of the Company to personal data of the Guests shall be terminated simultaneously with termination of the labor relations or changes in the job duties of an officer or expulsion of an officer from the list of persons entitled to access the personal data. Upon dismissal of an officer, all media with personal data possessed and used by such officer on a need-to-know basis during his/her service in the Hotel shall be delivered to his/her direct supervisor.
5.8. Officers of the Hotel shall promptly notify their direct supervisor on loss or shortage of media with personal data, on third party attempts to obtain the processed personal data from any officer of the Hotel, as well as on the reasons and circumstances of possible loss of the personal data.
5.9. Upon collection and processing of the personal data by any officer of the Hotel, who obtains such personal data from the Guest or other person on a need-to-know basis, validity of the documents containing such personal data shall be inspected. Personal data of the Guest shall be processed by officers provided with access to relevant personal data of the Guests.
6. Liabilities of the Hotel
6.1. The Hotel shall as follows:
6.1.1. Process personal data of the Guests solely for rendering of hotel and other related services to the Guests.
6.1.2. Collect personal data directly from the Guest. If personal data of the Guest could be collected from the third party only, the Guest shall be notified on such a fact in advance and shall provide written consent. Officers of Hotel shall notify the Guests on objectives, potential sources, and methods of collection of the personal data, as well as on the nature of collectable personal data and on consequences of the Guest’s denial of provision of the above written consent for collection thereof.
6.1.3. Not collect and not process personal data of the Guests concerning his/her ethnicity, nationality, political views, religious or philosophical beliefs, state of health, and sexual life, except for the cases provided for in the law or when the Guest make this information publicly available.
6.1.4. Provide the Guest or his/her legal representative with access to its personal data upon referral or upon reception of request containing number of the main identity document of the Guest or his/her legal representative, information on issuance date of such document and on the issuing authority, as well as handwritten signature of the Guest or his/her legal representative. Such request may be delivered in electronic form and may be certified by digital signature according to the law of the Russian Federation. Information on availability of the personal data shall be provided to the Guest in an intelligible form and shall not contain any personal data related to other subjects.
6.1.5. Limit the right of the Guest to access its own personal data in the following cases:
1) personal data, including personal data obtained due to operational investigations, counterintelligence and intelligence activities, is processed in pursuance of the national defense, safety, and law enforcement;
2) personal data is processed by authorities arresting the subject of personal data, being accused of a crime, or presenting accusation of crime to the subject of personal data or applying pretrial restriction to the subject of personal data prior to presentment of accusation, except for the cases provided for in the criminal and procedural law of the Russian Federation, if acknowledgment of the suspect or accused with such personal data is permitted;
3) Provision of personal data violates constitutional rights and freedoms of other persons.
6.1.6. Ensure storage and protection of personal data of the Guest against their wrongful use or loss.
6.1.7. If the Operator detects any invalid personal data or wrongful use thereof, the Operator, upon referral or upon request of the subject of personal data or his/her legal representative or authorized body in charge for protection of the rights of subjects of personal data, shall block personal data related to specific subject as of such referral or request during the period of inspection.
6.1.9. Upon detection of any wrongful operations with the personal data, the Operator shall eliminate such violations within no more than three business days. If it is impossible to eliminate such violations, the Operator shall destroy personal data within no more than three days following detection of wrongful operations with the personal data. The Operator shall notify the subject of personal data or his/her legal representative, and the authorized body in charge for protection of the rights of subjects of personal data, if notice or request were served by the above body, on elimination of violations or on destruction of the personal data.
7. Rights of the Guest
7.1. The Guest is entitled to as follows:
1) access to information about himself/herself, including the information confirming processing of the personal data and purpose of such processing; processing methods of the personal data applied by the Hotel; information on persons provided with access to personal data or which may be provided with such access; list of processed personal data and source thereof, processing terms of the personal data, including terms of storage thereof; information on consequences of processing of the personal data for the Guest;
2) determine processing forms and methods of the personal data;
3) limit processing forms and methods of the personal data;
4) Ban distribution of the personal data not requiring consent of the Guest;
5) Amend, clarify, and destroy personal data;
6) Object wrongful actions or omissions related to processing of the personal data and claim relevant indemnification in trial manner.
7.2. The Guest may at any time refer to the Operator to change (update, supplement) his/her personal data or any part thereof, delete his/her personal data from the database of the Operator and its branches, having delivered to the Operator relevant written notification by registered mail with notification upon delivery at address: 129110, Moscow city, Suvorovskaya Square, building 2, block 3.
8.1. Information on personal data of the Guests is confidential.
8.3. Persons having access to personal data of the Guests shall comply with confidentiality policy, shall be notified on the need for compliance with the confidentiality policy. Due to confidentiality nature of the personal data, relevant safety measures for protection of the data from their accidental or unauthorized destruction or loss, and from unauthorized access, modification or distribution shall be established.
8.4. All confidentiality measures upon collection, processing, and storage of personal data of the Guests shall apply to all information media, both paper-based and automated.
8.5. Confidentiality mode of the personal data shall be cancelled in case of depersonalization or inclusion thereof to publicly available sources of personal data, unless otherwise is specified in the law.
9. Responsibility for Violation of the Statutory Provisions Governing Processing Personal Data of the Guests
9.1. The Hotel shall be liable for personal data being in its possession and shall make its officers personally liable for adherence to the established confidentiality mode.
9.2. Each officer, having received any document with personal data of the Guest on a need-to-know basis, shall be solely liable for the safety of media and confidentiality of information.
9.3. Any person may refer to officer of the Hotel with the claim for violation of this Regulation. Any complaints and claims regarding the adherence to processing requirements shall be considered within three days following filing thereof.
9.5. Persons found guilty in violation of the statutory provisions governing collection, processing, and protection of personal data of the Guests shall bear disciplinary, administrative, civil or criminal liability in accordance with the federal law.
10. Final Provisions
10.1. Present Regulation is an internal document of OJSC “Slavyanka” Hotel Complex” and shall be published at the official website of OJSC “Slavyanka” Hotel Complex ” - www.slavhotels.ru, as well as at websites of its branches (Hotels).
10.2. Officers responsible for safety of the personal data of OJSC “Slavyanka” Hotel Complex” shall control the adherence to present Regulation.
10.3. The following are annexes to the Regulation:
10.3.1. Form of Check-in Card
10.3.2. User Agreement (for placement at Websites).
Having agreed with terms and conditions of this User Agreement, you provide consent to collection, systematization, accumulation, storage, clarification (update, modification), use, transfer to the Hotel, depersonalization, destruction of the personal data: surname, name, patronymic, e-mail address, phone number, and citizenship. Such personal data shall be requested for provision of ordered services to the Guest, for responding to enquiries of the Guest. Data shall be reflected in responses to requests, accounting records, statements, and voucher. Such data as e-mail address shall be used for obtainment of feedbacks on quality of the Hotel services. Present consent is provided by the Guest for performance of any operations with personal data, being in line with the law of the Russian Federation, aimed at achievement of objectives indicated in the user agreement, including online booking of the selected Hotel (if it is performed through feedback form), preparation of financial and accounting records, and obtainment of feedbacks on quality of the Hotel services.
If the Guest is provided with any advertizing and marketing materials, he/she is also provided with an opportunity of waiver of such materials in future.
By using Websites of OJSC “Slavyanka” Hotel Complex”, including websites of its branches, by making an order, and by delivering of a request through the above indicated Websites, you accept present agreement. It is recommended to stop using present Website in case of disagreement with any provisions of this document. Continued use of Website means acceptance of all terms and conditions of present agreement.