POLICY

PLEASE READ THIS POLICY CAREFULLY. BY USING THE SITE WWW. MKH. RU, YOU, THE SUBJECT OF PERSONAL DATA, THEREBY ACCEPT THIS POLICY AND THE TERMS OF PROCESSING OF YOUR PERSONAL DATA DESCRIBED THEREIN. IF YOU DO NOT ACCEPT, DO NOT USE THE SITE.

1. General Provisions

1.1. This Policy regarding the processing of personal data on mkh. ru has been developed in accordance with clause 2, Part 1, Article 18.1 of the Federal Law of the Russian Federation «On Personal Data» No. 152-FZ dated July 27, 2006 and defines the position of the Limited Liability Company Moskva — Krasnye Holmy regarding the processing and protection of personal data, respect for the rights and freedoms of each personal data subject within the framework of functioning of the website www. mkh. ru.

1.2. Limited liability company Moskva — Krasnye Holmy, incorporated under the laws of the Russian Federation (PSRN: 1157746609701, TIN: 9705043183) and having its legal address at bld. 11, 52 Kosmodamianskaya Nab., Moscow, 115035, the Russian Federation, is the personal data operator.

1.3. The policy of Moskva- Krasnye Holmy, LLC regarding the processing of personal data is that personal data should be processed only in cases and in accordance with the procedure established by applicable law on a lawful and fair basis. The observance and protection of the rights and legitimate interests of personal data subjects is a top priority for Moskva — Krasnye Holmy, LLC.

1.4. For the purposes of this Policy regarding the processing of personal data on www. mkh. ru, the following terms are used, which can be capitalized or uncapitalized.

«Updating of personal data» means actions to clarify, update and change personal data aimed at ensuring the relevance of personal data in relation to the purposes of their processing.

«Blocking of personal data» means temporary termination of the processing of personal data (except in cases where processing is necessary to clarify personal data).

«Data» means personal data processed by the Company in accordance with this Policy.

«Web analytics data» means information about sites previously visited by Users, the version and type of browsers, operating systems and devices of Users, language settings, time zone, displays and other settings of Users’ devices, the supported version of the Flash plugin, the availability and support of JavaScript, the content of cookies, geographical regions from where Users log in to the Site, the intended interests of Users, page views, time spent on the Site, downloading files and other similar data collected using Web Analytics Services

«Law» means the Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data».

«Information system» means the totality of personal data contained in databases and information technologies and technical means that ensure their processing.

«Company» means the Limited Liability Company Moskva — Krasnye Holmy, which is the operator of personal data.

«Confidentiality of personal data» means a mandatory requirement for a person who has gained access to personal data not to transfer such information to third parties without the consent of its owner.

«Processing of personal data» means any action (operation) or set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, modification), extraction, use, transfer (provision, access), blocking, deletion, destruction personal data.

«Operator» means a state body, a municipal body, a legal entity or an individual, independently or jointly with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of the processing of personal data, the composition of personal data to be processed, actions (operations) performed with personal data.

«Personal data» means any information related directly or indirectly to a specific or identifiable individual (subject of personal data).

«Users» means subjects of personal data whose Data is subject to collection or other processing using the Website.

«Policy» means this Policy regarding the processing of personal data.

«Provision of personal data» means actions aimed at disclosing personal data to a certain person or a certain circle of persons.

«Roskomnadzor» means the authorized body for the protection of the rights of personal data subjects.

«Website» means the Internet site owned by the Company, accessible by domain name www. mkh. ru.

«Personal data collection» means a purposeful process of obtaining personal data from a personal data subject.

«Web analytics services» means web analytics tools, online ratings and other tools used to evaluate Website traffic, the popularity of the Website as a whole and its individual sections among the target audience, study consumer preferences and solve other similar marketing and analytical tasks.

«Personal data subject» means an individual to whom personal data relates.

«Cross—border transfer of personal data» means the transfer of personal data to the territory of a foreign state to a foreign operator.

«Destruction of personal data» means actions as a result of which it becomes impossible to restore the content of personal data in the information system and (or) as a result of which the material carriers of personal data are destroyed.

«Personal data storage» is a process involving finding personal data in a systematic form at the disposal of the Company.

1.5. User Rights

The User has the following main rights:

The right to receive information concerning processing of his Data;
The right to require clarification of Data, their blocking or destruction if they are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the stated purpose of processing;
The right to appeal against actions (inaction) of the Company, including in court;
The right to protection of rights and legitimate interests, including compensation for damages and/or compensation for moral damage in court or according to another procedure provided for by applicable law;
Other rights established by applicable law.

1.6. The Company, as the Data Operator, has the right to process Data only in cases in order to achieve the goals and in compliance with other conditions established by Law.

1.7. Company Responsibilities

The Company has the following main responsibilities:

When collecting Data, provide the User, at his request, with the information provided for in Part 7 of Article 14 of the Law;
To explain to the User the legal implications of refusing to provide his Data, if the provision of Data is mandatory in accordance with the law;
To take measures necessary and sufficient to ensure the fulfillment of obligations provided for by the Law and regulatory legal acts adopted in accordance with it;
To publish this Policy and information about the implemented requirements for the protection of personal data on the Internet, as well as to provide access to the specified document using the Internet;
To take the necessary legal, organizational and technical measures or ensure their adoption to protect Data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of Data, as well as from other illegal actions in relation to Data;
To respond to User requests and requests from Roskomnadzor and provide them with information related to Data processing in accordance with the procedure established by Law;
To eliminate violations of the law committed during Data processing, clarify, block and destroy Data (or ensure that these actions are performed by a person acting on behalf of the Company);
To notify the authorized body for the protection of the rights of personal data subjects in cases and within the time limits established by the legislation of the Russian Federation, from the moment the Company, the authorized body for the protection of the rights of personal data subjects or other interested person identifies the fact of unlawful or accidental transfer (provision, distribution, access) of personal data, which resulted in violation of the rights of personal data subjects;
Prior to the start of personal data processing, notify Roskomnadzor of its intention to process personal data, except in cases established by law;
To appoint an Officer in charge of organizing personal data processing;
The Company bears other obligations stipulated by law in connection with Data processing.

2. Goals and legal grounds of Data processing

2.1. Data processing should be limited to achieving specific, predetermined and legitimate goals. Data processing incompatible with the purposes of personal data collection is not allowed.

3. Volume and Categories of Processed Data, Categories of Data Subjects

3.1. The content and volume of the processed Data must correspond to the stated purposes of processing. The processed Data should not be redundant in relation to the stated purposes of their processing.

3.2. The Company does not process special categories of personal data of Users (for example, information about race, nationality, political views, religious or philosophical beliefs, health status).

3.3. Below is information about the main categories and volume of User Data processed in relation to the purposes, legal grounds and processing time.

2.2. The legal basis for the processing of personal data is a set of legal acts, pursuant to which and in accordance with which the operator processes personal data.

2.3. The Company processes Data on legal grounds and to achieve the goals as specified in clause 3.3 of the Policy.

User (Personal Data Subject) Categories	User Data Categories	Purposes of Processing	Time of Processing	Legal Grounds of Processing
Users	Surname, name, patronymic E-mail address Telephone number Content of the message	Business correspondence	Until the end of business correspondence (no longer than 90 days from the date of receipt of the last message from the User)	Consent of the personal data subject: Sub-clause 1, part 1, Article 6 of the Law; Implementation of the contract (User agreement) to which the User is a party (sub-clause 5, part 1, Article 6 of the Law)
Users	Web analytics data	Marketing	Until the User withdraws consent to the processing of his Data	Consent of the personal data subject: Sub-clause 1, Part 1, Article 6 of Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data»; Implementation of the contract (User agreement) to which the User is a party (sub-clause 5, Part 1, Article 6 of the Law)
Users	Web analytics data	Ensuring the functioning of the Website	Until the User withdraws consent to the processing of his Data	Consent of the personal data subject: Sub-clause 1, Part 1, Article 6 of Federal Law No. 152-FZ dated July 27, 2006 «On Personal Data»; Implementation of the contract (User agreement) to which the User is a party (sub-clause 5, Part 1, Article 6 of the Law)

4. Procedure and Conditions of Data Processing

4.1. For all the above purposes (except Web Analytics Data), the Company processes Data using automation tools (including computers) and without using automation tools (including paper media). The company processes Web Analytics Data using automation tools. The Company may perform the following actions (operations) and/or a set of actions (operations) with Data:

Collection;
Recording;
Systematization;
Accumulation;
Storage;
Clarification (update, change);
Extraction;
Use;
Transfer (provision, access);
Blocking;
Removal;
Destruction.

4.2. The Company always proceeds from the following:

All Data belongs to the User personally;
The user is legally capable and of legal age;
The User provided reliable and up-to-date Data.

4.3. User Data is processed until the purpose of their processing is achieved or until the User withdraws consent to the processing of his Data, unless there are other grounds established by law for continuing data processing.

4.4. The User hereby agrees that the Company may entrust the processing of Data (within the framework set out in paragraph 3.3 above) to third parties by concluding an agreement with them to commission the processing of personal data.

4.5. The User hereby agrees that, subject to the conditions established by law, the Company may transfer web analytics data to the owners of relevant social networks and other web resources providing web analytics services for further independent processing in accordance with the policies regarding the processing of personal data (privacy policies) established by these persons.

4.6. The Company may use the phone number and/or e-mail address provided by the User to make direct contacts with the User to conduct correspondence on the subject of the relevant User’s request.

4.7. The Company may transfer Data to courts, law enforcement, supervisory authorities, other authorized authorities and officials if there are grounds provided for by applicable law.

4.8. The Company recognizes the Data as strictly confidential information. The Company and other persons who have gained access to the Data do not disclose or distribute the Data to third parties without the consent of the relevant personal data subject, unless otherwise provided by federal law.

4.9. Pursuant to Part 2 of Article 18.1 of the Law, the Company publishes this Policy, as well as information on the implemented Data protection requirements (Annex to the Policy) on the Website page and provides constant, free and free of charge access to them for all Users.

4.10. The Company takes the necessary legal, organizational and technical measures or ensures their adoption to protect Data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of Data, as well as from other illegal actions in relation to Data. Ensuring Data security is achieved, in particular:

By identifying threats to Data security during their processing in information systems;
The application of organizational and technical measures to ensure Data security during their processing in personal data information systems necessary to meet data protection requirements, the implementation of which ensures the levels of personal data protection established by the Government of the Russian Federation;
The use of information security tools that have passed the compliance assessment procedure in accordance with the established procedure;
Assessment of the effectiveness of the measures taken to ensure data security prior to the commissioning of the personal data information system;
Record of machine data carriers;
Detection of unauthorized access to Data and taking measures;
Recovery of Data modified or destroyed due to unauthorized access to them;
Establishing rules for access to Data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with Data in the personal data information system;
Control over the measures taken to ensure data security and the level of security of personal data information systems.

4.11. The condition for termination of Data processing may be the achievement of Data processing goals, expiration of consent or revocation of consent of the personal data subject to the processing of his Data (if applicable), as well as the identification of illegal Data processing.

4.12. Data storage is carried out in a form that allows identifying the subject of personal data for no longer than the purposes of data processing require, except in cases where the Data storage period is not established by federal law, an agreement to which the subject of personal data is a party, beneficiary or guarantor.

4.13. When collecting Data, the Company is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except in cases established by Law.

4.14. The Company ensures Data storage conditions that preclude unauthorized or accidental access to them by implementing physical data protection measures, as well as carrying out appropriate organizational measures.

5. Web Analytics Data

5.1. The Website is connected to Web Analytics Services in a strictly regular manner, which is provided for by the rules of the relevant Web Analytics Service. In most cases, the program code (script) provided by the Web Analytics Service is added to the Website program code for this purpose. The script provides the Web Analytics Service with the ability to directly collect the information necessary for the work. The Company does not independently collect and transfer information for processing to Web Analytics Services in any other way.

5.2. The principle of operation of Web Analytics Services is to collect information about Website visits and User activity.

5.3. Web Analytics Data should be collected only in an impersonal form and processed in an aggregated (generalized) form, i. e. web analytics data cannot be attributed directly or indirectly to a specific or identifiable individual. In order to exclude the possibility of identifying Users as specific individuals, the Company never discloses to Web Analytics Services personal data of Users that may be known to the Company.

5.4. The Company may access Web Analytics Data through personal accounts provided by Web Analytics Services. At the same time, Web Analytics Data is provided to the Company in a processed and aggregated (generalized) form in the form of reports.

5.5. Web Analytics Services may use various technical means to obtain Web Analytics Data, including cookies and other similar technologies (web beacons, IP addresses, Java scripts, etc.). Cookies are small text files that are stored on the device used by the User to work with Website (personal computer, smartphone, tablet computer, etc.). These files may contain information that is necessary for the operation of Web Analytics Services or the Website. For example, information about browser settings, pages viewed, Website interface settings, etc. Web Analytics Services usually use cookies for technical tasks (ensuring the operation of the Web Analytics Service) and analytical tasks (researching the behavior and interests of the Website audience, as well as other indicators characterizing the Website position on the market). More detailed information about cookies can be found here: https://yandex. ru/support/browser/personal-data-protection/cookies. html .

5.6. Below is information about cookies that can be accepted by the User’s device when visiting the Site:

Cookie File Type	Description	Owner	How to Reject Its Acceptance / Storing
Analytical	Description: https://yandex.ru/support/metrica/general/cookie-usage.html	YANDEX, LLC	Information about refusal of Yandex. Metrika: https://yandex.ru/support/metrica/general/opt-out.html

5.7. The User has the right, at his own wish, to refuse to accept cookies on his device. To do this, the User can follow the instructions given at the links in the table above, refuse to use the Website or enter the appropriate settings in his browser. Most modern browsers and Internet security software support the ability to completely, partially or selectively block cookies and other technical means used to obtain Web Analytics Data, as well as delete previously stored cookies. In this regard, the User is recommended to examine the security settings on his device and independently select the preferred options. Settings can be implemented differently in each browser. The user should contact the «Information» or «Help» section of his browser, as well as check the settings of the firewall program (if available). In case of refusal to accept cookies and the use of other technical means, the Company, for technical reasons, cannot guarantee Users that they will have a constant opportunity to use all the functions of the Website.

Descriptions of the settings of the most popular browsers are available at the following links:

Google Chrome:
https://support.google.com/chrome/answer/95647?hl=ru&co=GENIE.Platform=Desktop

Microsoft Edge:
https://support.microsoft.com/ru-ru/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy

Yandex Browser:
https://browser.yandex.ru/help/personal-data-protection/personal-data-protection.html

6. Updating, correcting, deleting and destroying Data, responding to requests from subjects for access to Data

6.1. In case of establishing of inaccuracy of the Data, they are subject to updating. If the fact of illegal Data processing is established, such processing must be stopped.

6.2. In case of establishing the fact of illegal or accidental transfer (provision, distribution, access), which has led to a violation of the rights of the personal data subjects, the Company is obliged to notify Roskomnadzor from the moment such an incident is detected by the Company, Roskomnadzor or another interested person:

Within twenty-four hours about the incident that occurred, about the alleged causes that led to the violation of the rights of personal data subjects, and the alleged harm caused to the rights of personal data subjects, about the measures taken to eliminate the consequences of the relevant incident, as well as provide information about the person authorized by the operator to interact with Roskomnadzor on issues related to the identified incident;
Within seventy-two hours on the results of the internal investigation of the identified incident, as well as provide information about the persons whose actions caused the identified incident (if any).

6.3. Upon achievement of the purposes of Data processing, as well as in the case of withdrawal by the subject of personal data of consent to their processing, the Data shall be destroyed if:

Otherwise is not provided for in the agreement to which the personal data subject is a party, beneficiary or guarantor;
The Company has no right to process personal data without the consent of the subject on the grounds provided for by Law or other federal laws;
Otherwise is not provided for by another agreement between the Company and the subject of personal data.

6.4. In case a personal data subject contacts the Company with a request to terminate Data processing, the Company is obliged, within a period not exceeding ten working days from the date of receipt of the relevant request, to terminate Data processing or ensure the termination of such processing (if such processing is carried out by the person processing personal data), except in cases established by Law. The specified period may be extended, but not more than five working days if the Company sends a reasoned notification to the personal data subject stating the reasons for extending the period for providing the requested information.

6.5. The Company is obliged to provide the personal data subject or his representative with the information about the processing of personal data of such subject at the request of the latter.

6.6. For each of the processing purposes specified in clause 3.3 of the Policy, the following procedure is established for the destruction of personal data upon achievement of the purposes of their processing or upon the occurrence of other legal grounds. Personal data processed without the use of automation tools is destroyed by shredding the material carriers of this personal data (for example, documents). Personal data processed using automation tools are destroyed by removing them from the personal data information systems in which they are processed using the standard means of these information systems.

7. Regulations for Responding to Requests/Applications from Personal Data Subjects and Their Representatives, Authorized Bodies Regarding the Inaccuracy of Personal Data, the Illegality of Their Processing, Revocation of Consent and Access of the Personal Data Subject to Their Data

7.1. Users, being subjects of personal data, have the right to obtain information concerning the processing of their Data, including information containing:

Confirmation of the fact of Data processing in the Company;
Legal grounds and purposes of Data processing;
The Company’s Data processing methods;
The name and location of the Company, information about persons who have access to the Data or to whom the Data may be disclosed on the basis of an agreement with the Company or on the basis of federal law;
The processed Data relating to the relevant personal data subject, the source of their receipt, unless another procedure for the submission of such data is provided for by federal law;
Terms of data processing, including the terms of their storage;
The procedure for the exercise by the subject of personal data of the rights provided for by the legislation of the Russian Federation in the field of Data;
Information about the trans-border Data transfer that has been carried out or is expected to be carried out;
The name of the organization or the surname, first name, patronymic and address of the person processing the Data on behalf of the Company, if processing is or will be entrusted to such an organization or person;
Information on the ways in which the operator performs the duties established by Article 18.1 of the Law;
Other information provided by the legislation of the Russian Federation in the field of personal data.

To obtain this information, Users have the right to contact the Company using the contact details specified in clause 7.14 below. The Company provides the information specified above to the personal data subject or his representative in the form in which the relevant request or application was sent, unless otherwise specified in the request or application.

7.2. Personal data subjects have the right to require the Company to clarify their Data, block or destroy them if the Data is incomplete, outdated, inaccurate, illegally obtained or is not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect their rights.

7.3. The above information must be provided to the personal data subject by the Company in an accessible form, and it must not contain Data related to other personal data subjects, except in cases where there are legitimate grounds for disclosure of such Data.

7.4. The information specified in this section is communicated to the personal data subject or his representative, and they are also given the opportunity to familiarize themselves with the relevant Data when contacting within ten working days from the moment of contacting or receiving a request from the personal data subject or his representative by the Company. The specified period may be extended, but not by more than five working days if the Company sends a reasoned notification to the personal data subject stating the reasons for extending the period for providing the requested information. The request must contain:

The number of the main identity document of the personal data subject or his representative, information about the date of issue of the specified document and the issuing authority;
Information confirming the participation of the personal data subject in legal relations with the Company, or information otherwise confirming the fact of processing personal data in the Company, the signature of the personal data subject or his representative. The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.

7.5. If the information specified in this section, as well as the processed Data, were provided to the personal data subject for review upon his request, the personal data subject has the right to contact the Company again or send a second request in order to obtain the specified information and familiarize himself with such Data no earlier than thirty days after the initial request or sending the initial request, unless a shorter term is established by a federal law, a regulatory legal act adopted in accordance with it or an agreement, a party to which, a beneficiary or a guarantor of which is the subject of personal data.

7.6. The subject of personal data has the right to contact the Company again or send a repeated request in order to obtain the above information, as well as to familiarize himself with the processed Data before the expiration of the period specified in the previous paragraph, if such information and (or) the processed Data were not provided to him for review in full according to the results of the consideration of the initial request. The repeated request must contain a justification for sending the repeated request.

7.7. The Company has the right to refuse the subject of personal data to fulfill a repeated request that does not comply with the conditions established by law. Such a refusal must be reasoned.

7.8. The right of a personal data subject to access his Data may be restricted in accordance with federal laws, including if the access of a personal data subject to his Data violates the rights and legitimate interests of third parties.

7.9. The Company shall provide Roskomnadzor, upon request of this body, with the necessary information within thirty days from the date of receipt of such a request.

7.10. All incoming requests and applications are registered as incoming correspondence, and are also recorded in the relevant Company logs.

7.11. Requests and applications are considered by the Person in charge of the organization of personal data processing. Should the Person in charge of organizing the processing of personal data have questions or need to clarify the content of the request, he contacts the person who sent the request / application using the contact information available in it.

7.12. The response to the request / application is made in the same form in which the corresponding request / application was received (for example, by e-mail or in writing), unless otherwise expressly established by the legislation of the Russian Federation or another request is contained in the request / application.

7.13. Responses to requests and applications are recorded in the relevant Company logs.

7.14. The request / application is sent in free form (subject to the requirements specified in clause 6.4 above) to the following address:
Moskva — Krasnye Holmy, LLC
To the attention of the Person in charge of organizing the processing of personal data
Postal address: Bld.11, 52 Kosmodamianskaya Nab., Moscow, 115035, Russian Federation

Annex. Information About the Implemented Requirements for the Protection of Personal Data.

As necessary and taking into account the threats relevant to the information system used by the Company for Data processing, the Company implements the Data protection requirements listed below at least the third level of personal data protection, and/or ensures their implementation by persons involved in data processing:

a) the organization of a security regime for the premises in which the information system is located, preventing the possibility of uncontrolled entry or stay in these premises of persons who do not have the right of access to these premises;

b) ensuring the safety of personal data carriers;

c) approval by the CEO of the operator of a document determining the list of persons whose access to personal data processed in the information system is necessary for the performance of their official (labor) duties;

d) the use of information security tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in the case when the use of such tools is necessary to neutralize current threats;

e) appointment of an official (employee) responsible for ensuring the security of personal data in the information system.