Approved:
Director of LLC «Dom Hotel»
Shashkina L.A.___________
10.01.2017
The Regulation on the Protection of Personal Data of the Customer, staying in a hotel chain of LLC “Dom hotel” (Dom hotel “Classic”, Dom hotel “Neo”, Dom Hotel “Apart”)
1. General Regulations
This Regulation is governed by the Constitution of the Russian Federation, the Federal Law “On Information, Information Technologies and Information Protection” №149-FL of 27.07.2006, the Federal Law “On Personal Data” №152-FL of 27.07.2006 and other normative legal acts.
Basic definitions used in this Regulation:
- Hotel – an organization that provides hotel services to the Customer;
- Customer – a private individual, a consumer of hotel services, a subject of personal data;
- Hotel services – actions of the Hotel to accommodate Customers at the accommodation facility, as well as other activities related to accommodation, which include basic and additional services provided to the Customer;
- Personal data – information stored in any format relating to a certain individual (subject of personal data) which, in combination with other information available to the Hotel, allows the Customer to be identified;
- Processing of personal data – actions (operations) with personal data, including collection, systematization, accumulation, storage, updating (modification), usage, distribution, depersonalization, blocking and destruction of personal data;
- Distribution of personal data – actions aimed at transferring personal data to certain people (transfer of personal data) or at making personal data known to an unlimited number of people, including disclosure of personal data in mass media, placement in information and telecommunications networks, or providing access to personal data in any other way;
- Use of personal data – actions (operations) with personal data performed by the operator for the purpose of making decisions or performing other actions that generate legal consequences in respect of the subject of personal data or other people;
- Confidentiality of personal data – a requirement that the operator or any other person who has access to personal data not allow their distribution without the consent of the subject of personal data or the presence of other legal grounds.
This Regulation establishes the procedure for processing the personal data of Customers to whom the Hotel provides the full range of accommodation services.
The purpose of the Regulation is to ensure the protection of the political rights and freedoms of the individual during the processing of his personal data.
Personal data are processed for the purpose of executing a contract for the provision of accommodation or temporary accommodation services. The Hotel collects data only in the amount necessary to achieve this goal.
Personal data cannot be used for the purpose of causing property and moral harm to citizens or difficulties in exercising the political rights and freedoms of citizens of the Russian Federation.
This Regulation is approved by the Director and is mandatory for all employees who have access to Customers’ personal data.
2. Structure and receipt of Client personal data
2.1 The personal data collected and processed by the hotels of the “Dom Hotel” chain includes:
- personal details;
- passport data;
- registered address;
- residence address;
- telephone number;
- e-mail;
- place of employment.
2.2 Employees of the hotels receive all personal data directly from the subjects of personal data – the Clients.
3. Processing and storage of Client personal data
3.1 Processing of personal data by the hotels on behalf of Clients consists of receiving, arrangement, accumulation, storage, specification (updating, modification), usage, spreading, depersonalization, blocking, destruction and protection of Clients’ data from unauthorized access.
3.2 The Client’s agreement to the processing of personal data is not required, as long as the processing is carried out for the purpose of performing a contract, one of the parties to which is the subject of personal data, the Client.
3.3 Processing of personal data is carried out by way of miscellaneous treatment.
3.4 Access to the processing of Client personal data is provided only to employees of the hotels who are admitted to work with Client personal data and who have signed the Client Personal Data Confidentiality Agreement.
3.5 The list of positions of employees who are given access to Client personal data and are responsible for its processing is defined by order of the Director: Hotel manager of Dom Hotel “Classic”; Hotel manager of Dom Hotel “Neo”; Senior receptionist of Dom Hotel “Apart”.
3.6 Client personal data in print format is stored in the front office.
3.7 Client personal data in electronic format is stored in the hotel local computer network, in electronic folders and files on the personal computers of the Hotel managers of the “Dom Hotel” chain and of employees who are given access to the processing of Client personal data.
4. Use and transfer of Clients’ personal data
4.1 Clients’ personal data is used to achieve the goals defined by the agreement between the Client and the hotels, in particular for the provision of accommodation or temporary accommodation services and additional services.
4.2 When transferring the personal data of the Hotel Customers, the following requirements must be observed:
4.2.1 Warn people who receive customers’ personal data that these data can only be used for the purposes for which they are reported, and require these individuals to confirm that this rule is observed. People receiving customers’ personal data are required to comply with the confidentiality regime. This provision does not apply in the case of depersonalization of personal data and with respect to publicly available data.
4.2.2 Permit access to Clients’ personal data only to specially authorized people, and these people should have the right to receive only those personal data that are necessary for performing specific functions.
4.2.3 In a cross-border transfer of personal data, the hotels are required to make sure that the foreign state to whose territory the personal data is transferred provides adequate protection of the rights of subjects of personal data.
4.2.4 Cross-border transfer of personal data to the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data may be carried out in the following cases:
- Availability of the written consent of the Client;
- Stipulated by the international treaties of the Russian Federation on the issue of visas, international treaties of the Russian Federation on the provision of legal assistance in civil, family and criminal cases, as well as the international treaties of the Russian Federation on readmission;
- Provided for by federal laws, if necessary in order to protect the foundations of the constitutional system of the Russian Federation and to ensure the country's defense and state security;
- Execution of a contract to which the subject of personal data;
- Protection of life, health or other vital interests of the subject of personal data or other persons, where the written consent of the subject of personal data cannot be obtained.
4.3 It is not allowed to answer questions related to the transfer of information containing personal data by phone or fax.
4.4 Hotels have the right to provide or transfer personal data to third parties in the following cases:
- If disclosure of this information is required to comply with the law or to execute a judicial act;
- To assist in investigations carried out by law enforcement or other government bodies;
- To protect the legitimate rights of the Client and the hotels of “Dom Hotel”.
5. Protection of Clients’ personal data from unauthorized access
5.1 While processing Clients’ personal data, the hotels have to take appropriate organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying and distribution, as well as from other unlawful actions.
5.2 For effective protection of customers’ personal data, it is required:
5.2.1. to comply with the procedure for receiving, accounting for and storing Clients’ personal data;
5.2.2. to make use of technical means of protection and alarm systems;
5.2.3. to conclude a Nondisclosure Agreement with all employees involved in receiving, processing and protecting the personal data of the Customer;
5.2.4. to bring employees responsible for violations of the rules regulating the receiving, processing and protection of the personal data of the Client to disciplinary responsibility.
5.3. It is prohibited to give access to Customers’ personal data to Hotel employees, who do not have the right for this access.
5.4. Documents containing Customers’ personal data are stored in the Front Office and are provided with the protection from unauthorized access.
5.5. Protection of access to electronic databases, containing Clients’ personal data, is provided by:
• usage of licensed software preventing unauthorized access of third parties to Clients’ personal data;
• a password system. Passwords are set by the system administrator and reported individually to employees who have access to Clients’ personal data.
5.6. Copying and making extracts from Clients’ personal data is permitted only for official purposes with the written permission of the Head.
6. Duties of the Hotels
6.1. Hotels are obliged:
6.1.1. To process Clients' personal data only for the purpose of providing legal services to Clients.
6.1.2. To receive the Client’s personal data directly. If it is possible to get the Client’s personal data only from a third party, the Client must be notified in advance and must give written agreement. The Hotel staff should inform Clients about the purposes, expected sources and ways of receiving personal data, about the nature of the personal data to be received, and about the consequences of the Client’s refusal to give written agreement to its receipt.
6.1.3. Not to receive or process the Client’s personal data on his race, national origin, political opinions, religious or philosophical beliefs, health or sexual life, except in the cases provided by law.
6.1.4. To provide the Client or his legal representative with access to the Client’s personal data upon receipt of a request containing the number of the basic document proving the identity of the Client or his legal representative, information on the date of issue of the document and the issuing authority, and the handwritten signature of the Client or his legal representative. The request may be sent electronically and signed with an electronic signature in accordance with the law of the Russian Federation. Information on the availability of personal data should be provided to the Client in an accessible form and should not contain personal data relating to other subjects of personal data.
6.1.5. To limit the Client's right to access their personal data if:
• the processing of personal data, including personal data obtained as a result of operational-investigative, counterintelligence and intelligence activities, is carried out for the purposes of the country's defense, state security and law enforcement;
• the processing of personal data is carried out by a government authority that has detained the subject of personal data on suspicion of committing a crime, or has charged the subject of personal data in a criminal case, or has applied a preventive measure to the subject of personal data before a charge is brought, except in cases provided for by the criminal procedural legislation of the Russian Federation where the suspect or the accused is allowed to consult such personal data;
• the providing of personal data violates the constitutional rights and freedoms of others.
6.1.6. To ensure the storage and protection of Clients’ personal data from unauthorized use or loss.
6.1.7. If inaccurate personal data or wrongful actions by the operator with such data are identified upon an appeal or request from the subject of personal data, his legal representative or the authorized body for the protection of the rights of subjects of personal data, the operator is obliged to block the personal data relating to that data subject from the moment of such appeal or receipt of such request, for the period of the check.
6.1.8. If the inaccuracy of the personal data is confirmed, the operator is obliged, on the basis of documents submitted by the subject of personal data, his legal representative or the authorized body for the protection of the rights of subjects of personal data, or of other necessary documents, to update the personal data and to remove the block.
6.1.9. If wrongful actions with personal data are revealed, the operator is obliged to eliminate the violations within a period not exceeding three working days from the date of such revealing. If the violations cannot be eliminated, the operator is obliged to destroy the personal data within a period not exceeding three working days from the date on which the illegitimacy of the actions with personal data was revealed. The operator is obliged to notify the subject of personal data or his legal representative of the elimination of the violations or the destruction of the personal data and, if the appeal or request was sent by the authorized body for the protection of the rights of subjects of personal data, also that body.
7. Rights of a Client
7.1. A Client has a right to:
• Access to information about oneself, including information that confirms the fact of processing personal data and the purpose of such processing; the methods of processing personal data used by the Hotel; information on people who have access or are able to get access to personal data; the list of processed personal data and the source of their receipt; the processing of personal data, including the time of their storage; information on the legal consequences that the processing of his personal data may entail for the Client;
• Definition of the forms and ways of processing personal data;
• Limiting of the ways and forms of processing personal data;
• Prohibition of the dissemination of personal data without his agreement;
• Change, refinement and destruction of information about oneself;
• Appealing in court against illegal actions or omissions in the processing of personal data and obtaining appropriate compensation.
8. Confidentiality of Clients’ personal data
8.1. Information about Clients’ personal data is confidential.
8.2. The hotel ensures the confidentiality of personal data and is obliged not to allow their distribution to third parties without Clients’ agreement or other legal grounds.
8.3. People who have access to Clients’ personal data are obliged to comply with the confidentiality regime and must be warned about the need to comply with it. In connection with the confidentiality regime of personal information, appropriate security measures should be provided to protect data from accidental or unauthorized destruction, from accidental loss, and from unauthorized access, alteration or distribution.
8.4. All confidentiality measures for the collection, processing and storage of personal data of the Clients apply to all media, both paper and automated.
8.5. The privacy mode of personal data is removed in cases of depersonalization or inclusion in publicly available sources of personal data, unless otherwise provided by law.
9. Liability for violation of the rules governing the processing of personal data of clients
9.1. The hotels of the "Dom Hotel" company are responsible for the personal information that is at their disposal and establish the personal responsibility of employees for observing the established privacy regime.
9.2. Every employee who receives a document containing Client’s personal data is solely responsible for the safety of the media and the confidentiality of information.
9.3. Any person can apply to the employee of the Hotel with a complaint about violation of this Regulation. Complaints and statements regarding compliance with data processing requirements are considered within three days from the date of receipt.
9.4. Employees of the Hotels are obliged to ensure, at the proper level, the consideration of requests, applications and complaints from the Clients, and also to promote the fulfillment of the requirements of the competent authorities.
9.5. People guilty of violating the rules governing the receipt, processing and protection of the personal data of the Clients shall bear disciplinary, administrative, civil or criminal liability in accordance with federal laws.