Personal Data Processing Policy
(Legal entity – LLC "FIRST FREE LEGAL MUSIC PLATFORM")
1. General Provisions
1.1. This Personal Data Processing Policy establishes the procedure for processing personal data and measures to ensure the security of personal data at LLC "FIRST FREE LEGAL MUSIC PLATFORM" (hereinafter – the Company) in order to protect the rights and freedoms of individuals when processing their personal data, including the right to privacy, personal and family secrets.
1.2. The Personal Data Processing Policy of the Company (hereinafter – the Policy) has been developed in accordance with Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (hereinafter – FZ-152).
1.3. The following terms and definitions are used in this Policy:
- state authority, municipal authority, legal entity or individual, independently or jointly with others, organizing and/or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
- any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
- any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- processing of personal data using computer technology;
- actions aimed at disclosing personal data to an indefinite circle of persons (transfer of personal data) or at familiarizing an unlimited number of persons with personal data, including publication of personal data in the media, placement in information and telecommunication networks, or providing access to personal data in any other way;
- actions aimed at disclosing personal data to a specific person or a specific circle of persons;
- temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data);
- actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or resulting in the destruction of tangible media of personal data;
- actions resulting in the impossibility of determining, without additional information, the affiliation of personal data to a specific personal data subject;
- a set of personal data contained in databases and information technologies and technical means ensuring their processing;
- transfer of personal data to the territory of a foreign state to a foreign state authority, a foreign individual, or a foreign legal entity.
1.4. This Policy applies to all personal data of subjects processed by the Company both with and without the use of automation tools.
1.5. Any personal data subject must have access to this Policy.
1.6. The Company has the right to use the phone numbers and email addresses of the personal data subject who submits an application on the Company's websites (https://bubuka.info, https://my.bubuka.info, https://enter.yoga, https://my.enter.yoga, https://market.bubuka.info, https://avtorskoepravo.com, https://bubuchit.ru, https://работавбубуке.рф) for informational mailings and calls related to the services provided by the Company.
2. Principles and Conditions of Personal Data Processing
2.1. The processing of personal data in the Company is based on the following principles:
- legality and fairness;
- limitation of personal data processing to achieving specific, predetermined, and lawful purposes;
- prohibition of processing personal data incompatible with the purposes of personal data collection;
- prohibition of combining databases containing personal data processed for incompatible purposes;
- processing only those personal data that meet the purposes of their processing;
- correspondence of the content and volume of processed personal data to the stated purposes of processing;
- prohibition of processing excessive personal data in relation to the stated purposes of their processing;
- ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes of personal data processing;
- destruction or depersonalization of personal data upon achieving the purposes of their processing or in case of loss of necessity to achieve these purposes, if it is impossible for the Company to eliminate violations of personal data, unless otherwise provided by federal law.
2.2. The Company processes personal data only if at least one of the following conditions is met:
- the processing of personal data is carried out with the consent of the personal data subject to the processing of their personal data;
- the processing of personal data is necessary for the achievement of purposes provided by law, for the implementation and performance of functions, powers, and duties imposed by the legislation of the Russian Federation on the operator;
- the processing of personal data is necessary for the performance of a contract to which the personal data subject is a party, beneficiary, or guarantor, as well as for the conclusion of a contract at the initiative of the personal data subject or a contract under which the personal data subject will be a beneficiary or guarantor;
- the processing of personal data is necessary for the exercise of the rights and legitimate interests of the Company or third parties or for the achievement of socially significant purposes, provided that this does not violate the rights and freedoms of the personal data subject;
- the processing of personal data is carried out with respect to personal data made publicly available by the personal data subject or at their request (hereinafter – publicly available personal data);
- the processing of personal data is carried out in accordance with federal law requiring publication or mandatory disclosure.
2.3. The Company and other persons who have access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.
2.4. For informational purposes, the Company may create publicly available sources of personal data of employees, including directories and address books. With the employee’s consent, their surname, first name, patronymic, date and place of birth, position, contact phone numbers, and email address may be included in publicly available sources of personal data. Information about an employee must be excluded from publicly available sources of personal data at any time at the request of the employee or by court decision or other authorized government bodies.
2.5. The Company has the right to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with this person (hereinafter – the Bank's instruction). The person processing personal data on behalf of the Company must comply with the principles and rules for processing personal data provided by FZ-152.
2.6. The Company may process special categories of personal data relating to race, nationality, political opinions, religious or philosophical beliefs, health status, or intimate life only in the following cases:
- the personal data subject has given written consent to the processing of their personal data;
- the personal data has been made publicly available by the personal data subject;
- the processing of personal data is carried out in accordance with the legislation on state social assistance, labor legislation, legislation of the Russian Federation on state pension provision, labor pensions;
- the processing of personal data is necessary to establish or exercise the rights of the personal data subject or third parties, as well as in connection with the administration of justice;
- the processing of personal data is carried out in accordance with the legislation of the Russian Federation on countering terrorism, countering corruption, enforcement proceedings, criminal executive legislation of the Russian Federation;
- the processing of personal data is carried out in accordance with the legislation on compulsory types of insurance, insurance legislation.
The processing of special categories of personal data must be immediately terminated if the reasons for their processing have been eliminated, unless otherwise provided by federal law.
2.7. The Company may process information about criminal records only in cases and in the manner determined in accordance with federal laws.
2.8. Information characterizing the physiological and biological characteristics of a person, on the basis of which their identity can be established – biometric personal data – may be processed by the Company only with the written consent of the employee.
3. Rights of the Personal Data Subject
3.1. The personal data subject decides to provide their personal data and gives consent to their processing freely, of their own will, and in their own interest. Consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows confirmation of the fact of its receipt, unless otherwise provided by federal law. The obligation to provide proof of the receipt of consent from the personal data subject or proof of the grounds specified in FZ-152 rests with the Company.
3.2. The personal data subject has the right to receive information regarding the processing of their personal data, unless this right is restricted in accordance with federal laws. The personal data subject has the right to demand that the Company clarify their personal data, block or destroy it if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect their rights.
3.3. The processing of personal data for the purpose of promoting goods, works, or services on the market by making direct contact with a potential consumer using communication means, as well as for political campaigning, is allowed only with the prior consent of the personal data subject. Such processing of personal data is deemed to be carried out without the prior consent of the personal data subject unless the Company proves that such consent was obtained. The Company must immediately cease processing the personal data of the subject for the above purposes at their request.
3.4. It is prohibited to make decisions based solely on the automated processing of personal data that produce legal consequences for the personal data subject or otherwise affect their rights and legitimate interests, except as provided by federal laws or with the written consent of the personal data subject.
3.5. If the personal data subject believes that the Company processes their personal data in violation of the requirements of FZ-152 or otherwise violates their rights and freedoms, the personal data subject has the right to appeal against the actions or inaction of the Company to the authorized body for the protection of the rights of personal data subjects or in court. The personal data subject has the right to protect their rights and legitimate interests, including compensation for damages and/or moral harm in court.
4. Ensuring the Security of Personal Data
4.1. The security of personal data processed by the Company is ensured by implementing legal, organizational, technical, and software measures necessary and sufficient to meet the requirements of federal legislation in the field of personal data protection.
4.2. To create unfavorable conditions and insurmountable obstacles for violators attempting to gain unauthorized access to personal data for the purpose of acquiring, altering, destroying, infecting with malicious software, substituting, or performing other unauthorized actions, the Company applies the following organizational and technical measures:
- appointment of officials responsible for organizing the processing and protection of personal data;
- restriction and regulation of the number of employees with access to personal data;
- familiarization of employees with the requirements of federal legislation and the Company’s regulatory documents on the processing and protection of personal data;
- ensuring the accounting and storage of physical information media and their handling, excluding theft, substitution, unauthorized copying, and destruction;
- identification of threats to the security of personal data during processing, and the creation of threat models based on them;
- development of a personal data protection system based on the threat model for the relevant class of information systems;
- verification of the readiness and effectiveness of information protection tools;
- implementation of a permit system for user access to information resources, hardware and software for processing and protecting information;
- registration and accounting of user actions in personal data information systems;
- password protection of user access to the personal data information system;
- use of access control tools for communication ports, input/output devices, removable media, and external information storage devices;
- use, when necessary, of cryptographic information protection tools to ensure the security of personal data during transmission over open communication channels and storage on machine media;
- implementation of antivirus control, prevention of the introduction of malicious programs (viruses) and software implants into the corporate network;
- use of firewalls;
- detection of intrusions into the Company’s corporate network that violate or create prerequisites for violating established requirements for ensuring the security of personal data;
- centralized management of the personal data protection system;
- backup of information;
- ensuring the restoration of personal data modified or destroyed as a result of unauthorized access;
- training of employees who use the information protection tools applied in personal data information systems in the rules for working with them;
- accounting for the information protection tools used, operational and technical documentation for them;
- use of information protection tools that have passed the conformity assessment procedure in the prescribed manner;
- monitoring user actions, investigating violations of personal data security requirements;
- placement of technical means for processing personal data within a protected area;
- organization of access control to the Company’s territory;
- maintenance of technical security and alarm systems in constant readiness.
5. Final Provisions
5.1. Other rights and obligations of the Company, as a personal data operator, are determined by the legislation of the Russian Federation in the field of personal data. Officials of the Company found guilty of violating the rules governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil, or criminal liability in accordance with federal laws.