Regulation on the processing and protection of personal data of guests
LLC “Hotel Strawberry Hills” guarantees that personal data received from a guest is processed in accordance with and in order to comply with Federal Law No. 152-ФЗ dated July 27, 2006 “On Personal Data” and using all necessary organizational and technical measures to ensure the security of personal data within the competence of the hotel, in order to avoid any changes, loss, illegal use and unauthorized access.
LLC “Hotel Strawberry Hills” is responsible for proper confidential handling of guest data transmitted in particular to Internet reservations.
LLC Hotel Strawberry Hills does not disclose to third parties and does not distribute personal data without the consent of the guest (personal data subject), unless otherwise provided by federal law.
When using our site, we collect and process your personal data. If you do not agree that your personal data is processed, then you need to leave the site. Continuation of use of our site is regarded as acceptance of all conditions of the User Agreement.
Regulation on the processing and protection of personal data of guests, accommodating in "Strawberry Hills" Hotel
1. General Provisions
1.1. This Regulation is governed by the Constitution of the Russian Federation and international treaties of the Russian Federation, Federal Law "On Personal Data" No. 152-ФЗ dated July 27, 2006, Federal Law "On Information, Information Technologies and Information Protection" No. 149-ФЗ dated July 27, 2006 year, and other regulations.
1.2. The basic concepts used in the Regulations:
Hotel is a property complex (buildings, part of a building), intended for the provision of hotel rooms, as well as related services for guest services (restaurants, conferences, events, etc.), which is part of the Hotel Strawberry Hills (as a branch or structural unit);
Guest - an individual, a consumer of hotel services, a subject of personal data;
hotel services - a range of services for the provision of temporary hotel accommodation, including related services, the list of which is determined by the Hotel;
website - a website owned by LLC Hotel Strawberry Hills, which hosts information about its activities, as well as the activities of its branches, business units that provide hotel services;
personal data - any information relating directly or indirectly to a specific individual (subject of personal data);
operator - LLC Hotel Strawberry Hills, independently or jointly with other persons, organizes and (or) performs the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
personal data processing - any action (operation) or a set of actions (operations) performed with the use of automation tools or without using such tools with personal data, including the collection, recording, systematization, accumulation, storage, refinement (update, change), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
distribution of personal data - actions aimed at disclosing personal data to an indefinite circle of persons;
use of personal data - actions (operations) with personal data that are performed by the operator in order to make decisions or perform other actions generating legal consequences in relation to the subject of personal data or other persons or otherwise affecting the rights and freedoms of the subject of personal data or other persons;
confidentiality of personal data - the requirement that the operator or another person having access to personal data must comply with the requirement not to allow their distribution without the consent of the subject of personal data or the availability of other legal grounds;
blocking of personal data - temporary suspension of the processing of personal data (unless it is necessary to process personal data);
destruction of personal data - actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which the material carriers of personal data are destroyed;
Depersonalization of personal data - actions that make it impossible without the use of additional information to determine the identity of personal data to a specific subject of personal data.
1.3. This Regulation establishes the procedure for processing personal data of Guests, for whom the Hotel provides a full range of services for reception and accommodation in the Hotel.
1.4. The purpose of the Regulation is to ensure the protection of the rights and freedoms of a person and citizen in the processing of his personal data.
1.5. Personal data is processed in order to fulfill the contract for the provision of accommodation or temporary accommodation services, of which the Guest is one of the parties. The hotel collects data only in the amount necessary to achieve this goal.
1.6. Personal data cannot be used for the purpose of causing property and moral harm to citizens, hindering the realization of the rights and freedoms of citizens of the Russian Federation.
1.7. This Regulation is approved by the Director General and is mandatory for all employees who have access to the personal data of the Guests.
2. Composition and receipt of personal data of Guests
2.1. The personal data that the Hotel collects and processes includes:
1) personal data (last name, first name, patronymic, date, month, year of birth);
2) passport details;
3) the address of the permanent place of residence;
4) contact phone number;
5) email address;
6) bank card details;
7) information about the place of work (when booking legal entities for travelers).
2.2. Hotel employees receive all personal data directly from the subjects of personal data - Guests and / or their legal representatives, legal entities (regarding dispatched persons) when they fill out a registration card with the latter when checking in at the Hotel or if the Guest has specified their personal data on the Hotel website booking, or when filling out a feedback form, posting feedback on the services provided.
3. Processing and storage of personal data of guests
3.1. The processing of personal data by the Hotel in the interests of the Guests consists in receiving, organizing, storing, recording, storing, refining (updating, changing), using, distributing, depersonalizing, blocking, destroying and protecting the unauthorized access to the personal data of the Guests.
3.2. The consent of the Guests to the processing of personal data is transferred to the representative of the Hotel, since the processing of personal data is carried out in order to fulfill the contract, one of the parties of which is the subject of personal data - Guest.
The guest, registering at the Hotel, undertakes to fill in the Consent to the processing of personal data specified in the Registration Card. Acceptance (acceptance) of the Consent is the Guest registration in the Hotel. The Guest agrees that the Operator processes its personal data specified in the Registration Card, booking application, and other documents under the conditions provided for by these Regulations.
3.3. Only employees of the Hotel who are allowed to work with the personal data of the Guests and who have signed the Non-Disclosure Agreement of the Personal Data of the Guests may have access to the processing of personal data of the Guests.
3.4. The list of Hotel employees who have access to personal data of the Guests is determined by order of the Director General.
3.5. Personal data of the Guests on paper carriers is stored in the structural unit engaged in the registration and accommodation of the Guests in the Hotel.
3.6. Personal data of the Guests in electronic form is stored in the local computer network of the Hotel, in electronic folders and files in personal computers of the head of the structural unit responsible for registration and placement of the Guests, as well as employees allowed to process the Personal data of the Guests.
3.8. The operator receives information about the ip-address of the operator’s website. This information is not used to identify the visitor to the Website.
3.9. If the Guest / Visitor places the Information website directly on the Operator’s Website for public viewing (for example, when posting a review, participating in general chats, which are conducted directly on the Operator’s Website, participating in surveys), the latter is not responsible for information provided by the Guest / Visitor on Web sites in a publicly accessible form. Such information is considered personal data made publicly accessible by the subject of personal data.
3.10. In the case of filling out a feedback form, sending requests, requests to the Operator, using other services of the Operator through the Operator's Websites, the Guest / Visitor is obliged to become familiar with the terms of the User Agreement for the processing of his personal data. Agreement with the terms of the User Agreement is carried out by putting a tick in a special line on the Website. In case of disagreement with any provisions of the User Agreement, the User is recommended to stop using the services and services of the Operator's Websites. The continuation of their use is clearly regarded as acceptance of all the terms of this agreement.
3.11. The storage of personal data should be carried out in a form that allows determining the subject of personal data no longer than the purpose of processing personal data requires, if the period of storage of personal data is not established by applicable law, the contract to which the beneficiary or guarantor is the subject of personal data, this Regulation.
3.12. The processed personal data shall be destroyed or depersonalized upon the achievement of the processing objectives or in the event of the loss of the need to achieve these objectives, unless otherwise provided by applicable law, this Regulation.
3.13. Destruction of media containing personal data is carried out in the following order:
• personal data on paper carriers are destroyed in a way that does not allow recovery of the document (use of shredders - document destroyers);
• personal data located in the memory of personal computers is destroyed by deleting them from the memory of personal computers;
• personal data placed on a flash card, CD, other media, is deleted by deleting the file from the media, if necessary by disrupting the performance of the flash card or CD.
3.14. Requirements for premises in which personal data are processed:
3.14.1. Network equipment, servers should be located in places inaccessible to unauthorized persons (in special rooms, cabinets, boxes);
3.14.2. Personal data of Guests on paper should be stored in lockable cabinets, boxes;
3.14.3. Cleaning of premises and maintenance of technical means of personal data information systems should be carried out under the supervision of those responsible for these premises and technical means of persons in compliance with measures precluding unauthorized access to personal data, information carriers, software and technical means of processing, transmitting and protecting information.
4. Use and transfer of personal data of guests
4.1. The processing of personal data of the Guests is carried out by the Hotel solely for the purpose of providing services, developing new products / services and informing the Guests about these products / services (including by phone / email), sending replies to the Guests' requests, as well as in cases of provision in accordance with the legislation of the Russian Federation data (information) to the executive bodies of state and municipal authorities, as well as with the aim of implementing the current legislation of the Russian Federation.
4.2. When transferring the personal data of the Guests, the Hotel must comply with the following requirements:
4.2.1. Warn persons who receive personal data from Guests that this data can only be used for the purposes for which they are provided, and require these persons to confirm that this rule has been observed. Persons receiving personal data of Guests are required to comply with the confidentiality regime. This provision does not apply in case of anonymization of personal data and in relation to publicly available data.
4.2.2. Allow access to personal data of guests only to specially authorized persons, while these persons should be entitled to receive only those personal data that are necessary to perform specific functions.
4.2.3. In case of cross-border transfer of personal data, the Hotel is obliged to make sure that the foreign state, to the territory of which the transfer of personal data is carried out, ensures adequate protection of the rights of the subjects of personal data.
4.2.4. Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:
1) the consent in writing of the Guest;
2) stipulated by international treaties of the Russian Federation on the issuance of visas, international treaties of the Russian Federation on the provision of legal assistance in civil, family and criminal matters, as well as international treaties of the Russian Federation on readmission;
3) provided for by federal laws, if it is necessary to protect the foundations of the constitutional system of the Russian Federation, to ensure the defense of the country and the security of the state;
4) the execution of the contract to which the subject of personal data is party;
5) protection of life, health, other vital interests of the subject of personal data or other persons when it is impossible to obtain written consent of the subject of personal data.
4.3. It is not allowed to answer questions related to the transfer of information containing personal data by phone or fax.
4.4. The hotel has the right to provide or transfer personal data of Guests to third parties in the following cases:
1) if the disclosure of this information is required to comply with the law, the implementation of a judicial act;
2) to assist in the conduct of investigations carried out by law enforcement or other government agencies;
3) to protect the legal rights of Guests and Hotels.
4.5. In case of a revocation by the Guest of consent, the Hotel is entitled to continue processing without the Guest’s consent if there are grounds specified in clause 2-11 of part 1 of article 6, part 2 of article 10 and part 2 of article 11 of Federal Law No. 152-ФЗ “On Personal Data”.
4.6. It is not allowed to merge databases containing personal data that are processed for purposes that are incompatible with each other.
5. Protection of personal data of guests from unauthorized access
5.1. When processing the personal data of the Guests, the hotel is obliged to take the necessary organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, distribution of personal data, as well as from other illegal actions.
5.2. To effectively protect the personal data of our Guests, you must:
5.2.1. follow the procedure for obtaining, recording and storing personal data of guests;
5.2.2. apply technical means of protection, alarms;
5.2.3. to conclude an Agreement or other document on non-disclosure of personal data of Guests with all employees associated with the receipt, processing and protection of personal data of the Guests;
5.2.4. bring to disciplinary responsibility employees who are guilty of violating the rules governing the receipt, processing and protection of personal data of guests.
5.3. Access to the personal data of the Guests of the Hotel employees who do not have a properly executed access is prohibited.
5.4. Documents containing personal data of the Guests are stored in the premises of the Accommodation Service, providing protection against unauthorized access.
5.5. Protection of access to electronic databases containing personal data of Guests is provided by:
1) using licensed software products that prevent unauthorized access by third parties to the personal data of the Guests;
2) password system. Passwords are set by the system administrator and communicated individually to employees who have access to the personal data of the Guests.
5.6. Copy and make extracts of personal data of Guests are allowed only for official purposes with the written permission of the head.
5.7. Access of the Company's employees to the personal data of the Guests is terminated from the date of termination of the employment relationship. or the date of the change in official duties of the employee or his exclusion from the list of persons entitled to access personal data. In the event of an employee’s dismissal, all media containing personal data that, in accordance with official duties, were at the disposal of the employee during the period of his work at the Hotel should be transferred to the immediate supervisor.
5.8. Employees of the Hotel are obliged to immediately report to their immediate manager about the loss or shortage of information carriers that make up personal data, attempts by unauthorized persons to obtain personal data from the employee that are processed in the company, as well as the causes and conditions for possible leakage of personal data.
5.9. When collecting and processing personal data by an employee of the Hotel, who, in accordance with his official duties, receives personal data from a Guest or another person, the accuracy of documents containing personal data is checked. The processing of personal data of the Guest is carried out by employees who have access to the relevant personal data of the Guests.
6. Hotel Responsibilities
6.1. The hotel must:
6.1.1. To process the personal data of the Guests solely for the purpose of providing hotel and other related services to the Guests.
6.1.2. Receive the personal data of the Guest directly from him. If the Guest’s personal data can only be obtained from a third party, the Guest should be notified in advance and written consent should be obtained from him. Hotel staff should inform the guests about the objectives, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the guest's refusal to give written consent to receive them.
6.1.3. Do not receive and do not process the personal data of the Guests about his race, nationality, political views, religious or philosophical beliefs, health, intimate life, except as required by law, or when the Guest makes this information publicly available.
6.1.4. Provide access to their personal data to the Guest or his legal representative when applying or upon receipt of a request containing the number of the main document certifying the identity of the Guest or his legal representative, information about the date of issue of the specified document and issuing body and the signature of the Guest or his legal representative. The request can be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. Information on the availability of personal data should be provided to the Guest in an accessible form and should not contain personal data relating to other subjects of personal data.
6.1.5. Restrict the Guest’s right to access their personal data if:
1) the processing of personal data, including personal data obtained as a result of operational investigative, counterintelligence and intelligence activities, is carried out in order to protect the country, the security of the state and the protection of law and order;
2) personal data is processed by the bodies that detained the personal data subject on suspicion of committing a crime or charged the criminal data subject to the personal data subject, or applied a personal measure to the personal data subject before the accusation, except for cases stipulated by the criminal procedure legislation of the Russian Federation if it is permissible for the suspect or the accused to become familiar with such personal data;
3) the provision of personal data violates the constitutional rights and freedoms of others.
6.1.6. Ensure the storage and protection of personal data of the Guest from their misuse or loss.
6.1.7. In case of detection of inaccurate personal data or illegal actions with them by the Operator when contacting or at the request of the subject of personal data or its legal representative or authorized body to protect the rights of subjects of personal data, the Operator is obliged to block personal data relating to the relevant subject of personal data request or receive such a request for the period of verification.
6.1.8. In case of confirmation of the fact of inaccuracy of personal data, the Operator, on the basis of documents submitted by the subject of personal data or its legal representative or authorized body for protection of the rights of subjects of personal data, or other necessary documents, is obliged to clarify personal data and remove their blocking.
6.1.9. In case of detection of illegal actions with personal data, the Operator is obliged to eliminate the violations within a period not exceeding three working days from the date of such identification. In the event that it is impossible to eliminate the violations committed, the Operator is obliged to destroy personal data within a period not exceeding three working days from the date the unlawfulness of actions with personal data is detected. The operator is obliged to notify the subject of personal data or his legal representative about the elimination of the violations or the destruction of personal data, and also if the request or request was sent by the authorized body for the protection of personal data subjects.
7. Guest Rights
7.1. Guest has the right to:
1) access to information about himself, including the information confirming the fact of the processing of personal data, as well as the purpose of such processing; methods of processing personal data used by the Hotel; information about persons who have access to personal data or who may be granted such access; list of processed personal data and the source of their receipt, the timing of the processing of personal data, including the periods of their storage; information on what legal consequences for the Guest may result in the processing of his personal data;
2) determining the forms and methods of processing his personal data;
3) limiting the methods and forms of processing personal data;
4) a ban on the dissemination of personal data without his consent;
5) change, clarification, destruction of information about itself;
6) appeal against unlawful actions or omissions to process personal data and appropriate compensation in court.
7.2. The Guest can contact the Operator at any time in order to change (update, add) the personal information provided to them or its part, delete their personal information from the database of the Operator and its branches, sending the Operator a corresponding statement in writing by registered letter with notification of Address: 693013 Yuzhno-Sakhalinsk, Solnechnogo sveta,2
8. Confidentiality of Personal Information of Guests
8.1. Information about the personal data of the Guests is confidential.
8.2. The hotel ensures the confidentiality of personal data and is obliged to prevent their distribution to third parties without the consent of the Guests or the availability of other legal grounds.
8.3. Persons who have access to personal data of Guests are required to comply with the confidentiality regime, they should be warned about the need to comply with the secrecy regime. In connection with the confidentiality of personal information, appropriate security measures should be provided to protect data from accidental or unauthorized destruction, from accidental loss, from unauthorized access to, alteration or distribution.
8.4. All confidentiality measures in the collection, processing and storage of personal data of the Guests apply to all media, both paper and automated.
8.5. The mode of confidentiality of personal data is removed in cases of anonymization or inclusion in the publicly accessible sources of personal data, unless otherwise specified by law.
9. Responsibility for violation of the rules governing the processing of personal data of Guests
9.1. The hotel is responsible for the personal information that is at its disposal and establishes the personal responsibility of employees for compliance with the established confidentiality regime.
9.2. Each employee who receives a document containing the personal data of the Guest for work is solely responsible for the safety of the media and confidentiality of information.
9.3. Any person can contact the hotel employee with a complaint about the violation of these Regulations. Complaints and applications for compliance with data processing requirements are considered within three days from the date of receipt.
9.4. Employees of the Hotel are obliged to ensure, at the proper level, the consideration of requests, applications and complaints of Guests, as well as to facilitate the execution of the requirements of the competent authorities.
9.5. Persons guilty of violating the rules governing the receipt, processing and protection of personal data of the Guests are subject to disciplinary, administrative, civil or criminal liability in accordance with federal laws.
10. Final provisions
10.1. This Regulation is an internal document of the Strawberry Hills Hotel LLC, and is to be posted on the Strawberry Hills Hotel’s official website - www.strawberryhills.ru
10.2. Control over the fulfillment of the requirements of this Regulation is carried out by those responsible for ensuring the security of personal data of the Strawberry Hills Hotel LLC.
10.3. The annexes to the Regulations are:
10.3.1. Form Registration Card.
10.3.2. User Agreement (for posting on Web site).
By agreeing to the terms of this User Agreement, you consent to the collection, systematization, accumulation, storage, refinement (update, change), use, transfer to the Hotel, depersonalization, destruction of your personal data: last name, first name, patronymic, e-mail address, phone number, citizenship. The specified personal data is requested in order to provide the Guest with the requested services, to respond to his requests. The data is displayed in responses to requests, accounting, reporting documentation, voucher. Data such as an email address is used to get feedback on the quality of the Hotel service. This consent is provided by the Guest for the implementation of any actions that do not contradict the legislation of the Russian Federation with respect to personal data aimed at achieving the objectives specified in the user agreement, including the online booking by the client of the selected Hotel (if it is done through the feedback form), compiling reporting and accounting documentation, receiving reviews on the quality of service of hotels.
In the case of providing the Guest with advertising and marketing materials, he is also given the opportunity to refuse to receive such materials in the future.
By using the Website of the Hotel Strawberry Hills LLC, making a reservation, sending a request through the specified Website, you agree to the text of this agreement. In case of disagreement with any of the provisions of this document, it is recommended to stop using this Web site. Continued use of the Website is clearly regarded as acceptance of all the terms of this agreement.