PROCESSING POLICY
PERSONAL DATA






POLICY OF LLC "HOTEL NEVSKY" REGARDING THE PROCESSING OF PERSONAL DATA
1. GENERAL PROVISIONS

1.1. This Policy regarding the processing of personal data (hereinafter referred to as the "Policy") is made in accordance with the Constitution of the Russian Federation, the Federal Law No. 152-FZ dated of July 27, 2006 "On Personal Data" (hereinafter referred to as the "Federal Law 152-FZ"), the Federal Law "On Information, Information Technologies and on the protection of information" No. 149-FZ dated of July 27, 2006, and other federal laws and regulations that determine the requirements for processing of personal data, ensuring the security and confidentiality of such processing.

1.2. This Policy determines the procedure for the collection, processing of personal data and measures to ensure the security of personal data in "Otel Nevski" Limited Liability Company (Principal State Registration Number (OGRN): 1207800127875, Taxpayer's Identification Number (INN): 7839131818, hereinafter referred to as the "Hotel") in order to protect the rights and freedoms of a person and a citizen while processing of their personal data, including protection of the rights to privacy, private and family secrecy, and is approved, inter alia, to protect against unauthorized access to personal data of the Guests.

1.3. This Policy applies to its full extent to all Guests of the Hotel who have taken actions to book rooms in order to receive hotel services or have taken the necessary actions in order to obtain other services provided by the Hotel, to all personal data of the Guests and to information processed by the Hotel, automatically or without use of automatic tools.

1.4. The Hotel shall be obliged to publish or otherwise provide unlimited access to this Policy regarding the processing of personal data, in accordance with the clause 2 of Art. 18.1 of the Federal Law 152-FZ.

2. SCOPE OF APPLICATION
2.1. This Policy shall apply to the personal data of the Guests of the Hotel, obtained by the Hotel:
on the official Website of the Hotel "www.kravtnevsky.ru";
via applications for computers and mobile devices;
via accounts in social medias managed by the Hotel;
by sending e-mails and during the course of communication with the Guest online or personally;
with the help of third parties and from other sources such as public databases;
in the event of a visit or accommodation as a Guest at the Hotel or any other offline interaction.
By using any of the methods specified in clause 2.1 of this Policy, Guests agree to the terms of this Policy.

TERMS

3.1. In this Policy the following principal terms shall be used:
automatic processing of personal data –processing of personal data using computer technologies;
blocking of personal data – a temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data);
guest – a visitor of the website "www.kravtnevsky.ru", as well as a Guest of the Hotel who has taken actions to book rooms in order to receive hotel services or have taken the necessary actions in order to obtain other services provided by the Hotel;
information system of personal data – a set of personal data stored in databases, as well as information technologies and technical means providing their processing;
use of personal data – actions (transactions) with personal data performed by the Operator in order to make decisions or perform other actions that generate legal consequences in relation to the subject of personal data or other persons, or otherwise affect the rights and freedoms of the subject of personal data or other persons;
confidentiality of personal data – a mandatory requirement for the operator or other party who obtained the access to personal data, to prohibit their disclosure without the consent of the subject of personal data or any other legal grounds;
non-automatic processing of personal data – processing of personal data with the use of hard copies;
depersonalization of personal data – actions, as a result of which it is impossible to determine, without the use of additional information, the belonging of personal data to a specific subject of personal data;
processing of personal data – any action (transaction) or a set of actions (transactions) performed with personal data with the use automatic tools or without using such tools, including obtaining, recording, systematization, accumulation, storage, clarification, (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
operator – a legal entity, "Otel Nevski" Limited Liability Company (Principal State Registration Number (OGRN): 1207800127875, Taxpayer's Identification Number (INN): 7839131818), independently or jointly with other parties organizing and (or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (transactions) performed with personal data;
personal data – any information relating directly or indirectly to a specific or identifiable individual (subject of personal data);
provision of personal data – actions aimed at disclosing personal data to a certain person or a certain group of persons;
policy – this Policy for the processing of personal data of the Guests of the Hotel;
disclosure of personal data – actions aimed at disclosing personal data to an indefinite group of persons (transfer of personal data) or at acquaintance with the personal data of an unlimited number of persons, including the disclosure of personal data in the media, posting in informational and telecommunication networks, or providing access to personal data by any other way;
website – the official website of the Hotel "www.kravtnevsky.ru";
subjects of personal data – directly the Guests of the Hotel;
cross-border transfer of personal data – transfer of personal data to the territory of a foreign state to the authority of a foreign state, to a foreign individual or a foreign legal entity;
destruction of personal data – actions as a result of which it is impossible to restore the content of personal data and (or) as a result of which material carriers of personal data are destroyed.

4. PRINCIPLES, PURPOSES AND CONDITIONS OF PROCESSING OF PERSONAL DATA
4.1. Principles of processing of personal data
The processing of personal data by the Operator shall be carried out according to the following principles:
- legality and fair basis;
- restrictions on the processing of personal data to achieve specific, predetermined and legitimate purposes;
- preventing the processing of personal data incompatible with the purposes of collecting of personal data;
- preventing the unification of databases containing personal data, the processing of which is carried out for purposes incompatible with each other;
- processing only such personal data that meet the purposes of their processing;
- compliance of the content and volume of processed personal data with the stated processing objectives;
- preventing the processing of personal data that is redundant in relation to the stated purposes of their processing;
- ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of processing personal data;
- destruction or depersonalization of personal data upon achievement of the goals of their processing or in case of loss of the need to achieve such goals, if the Operator cannot eliminate the breach of personal data, unless otherwise provided by the federal law.
4.2. Purposes of processing of personal data
4.2.1. The processing of personal data by the Operator shall be carried out in order to:
- provide the hotel services in the Hotel on the basis of the Public Offer for the provision of hotel services by "Otel Nevski" LLC, which is posted on the official website of the Operator www.kravtnevsky.ru (hereinafter referred to as the "Website"), in accordance with the category assigned to the hotel;
- booking of the hotel rooms;
- entering into agreements with the subject of personal data for the provision of hotel services, the provision of such services;
- entering into civil relations, accounting, tax accounting in accordance with the Federal Law 152-FZ;
- organization of marketing and / or advertising campaigns and other events;
- fulfillment of obligations under civil law contracts, including through third parties and / or via the Website;
- provision of other services to subjects of personal data;
- promotion of the Operator's services on the market by making direct contacts with personal data subjects using various means of communication (by telephone, e-mail, mailing lists, in social networks in the informational and telecommunication network "Internet", etc.);
- making of the exclusive personal offers, accrual of scores for bonus programs;
- for sending the news, promotions and special offers (with the consent of the Guest to receive such information). The Website and the form of the registration card provide for obtaining the consent of the Guest to send news, information about promotions and special offers;
- conducting surveys and questionnaires in order to improve the quality of service at the Hotel. After or upon the check-out of the Guest from the Hotel, the Hotel may send the Guest a letter or a questionnaire with a suggestion to reflect the impressions of the Hotel and evaluate the quality of the services. Filling out such questionnaires shall be exclusively the right of the Guest;
- for other purposes not prohibited by federal legislation, international agreements of the Russian Federation.
4.2.2. In order to properly fulfill its obligations as a Personal Data Operator, the Hotel processes the following personal data necessary for the proper fulfillment of contractual obligations:
- personal data of individuals entered intp contractual, civil law relations with the Hotel, consumers of hotel services, members of the the loyalty program and other promotions.
4.3. Personal data processing conditions
The Operator shall process personal data in case of at least one of the following conditions:
- processing of personal data shall be carried out with the consent of the subject of personal data to the processing of his personal data, which can be provided by one of the following ways:
being a user of the Website, the Guest provides the Hotel with his personal data and gives full and unconditional consent to their processing,
the Guest may provide his personal data and consent to their processing upon check-in at the Hotel,
directly upon the check-in of the Guest at the Hotel, the Guest provides the Hotel with his personal data and gives full and unconditional consent to their processing, including by signing the Guest's registration card,
Obtaining the Guest's consent to the processing of his personal data shall be a necessary condition for making a booking. The booking shall be impossible and shall not be completed without obtaining the consent of the Guest to process their personal data;
- the processing of personal data shall be necessary to achieve the purposes provided for by an international agreement of the Russian Federation or by the law, for the implementation and execution of the functions, powers and duties imposed on the Operator by the legislation of the Russian Federation;
- the processing of personal data shall be necessary for the administration of justice, the execution of a judicial act, an act of any other body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings;
- the processing of personal data shall be necessary for the execution of a contract, a party to which, a beneficiary or a guarantor of which the subject of personal data, as well as for entering into an agreement under the initiative of a subject of personal data shall be a beneficiary or guarantor;
- processing of personal data shall be necessary to exercise the rights and legitimate interests of the operator or third parties or to achieve socially significant goals, provided that this shall not violate the freedoms of the subject of personal data;
- processing of personal data, to which an aces of unlimited number of persons was provided by the subject of personal data or at their request (hereinafter – publicly available personal data);
- processing of personal data subject to publication or mandatory disclosure in accordance with the federal law.
4.4. Composition of personal data.
4.4.1. The Hotel shall process the following categories of personal data of consumers of hotel services:
- First Name, Last Name, Patronymic;
- Address at the place of registration;
- Contact phone number;
- E-mail address;
- Passport data (series, passport number, where and when issued);
- Information about citizenship;
- Information about sex;
- Visas and migration cards data;
- Dates of registration at the Hotel.
4.4.2. Inless frequent cases, the Hotel shall have the right to obtain:
- biometric data;
- images, as well as video and audio data, using security cameras installed in public places, for instance, at the entrance or in the lobby of the Hotel.
4.4.3. Personal preferences data.
The Hotel may obtain personal preference data in order to improve the quality of the services, including information about interests, feedback on the Hotel services, due to which the Hotel may improve them, and certain restrictions related to nutrition or health. The Hotel may also obtain personal preference data, which may include significant dates (such as birthdays or wedding anniversaries) and hobbies.
4.4.4. Biometric personal data
Information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to identify their identity (biometric personal data) may be processed by the Operator only with the consent of the subject of personal data in writing.
4.5. The employees of the Hotel shall receive all personal data directly from the subject of personal data - the Guest. The Guest shall be independently fully responsible for providing false personal data, as well as personal data of other persons.
If the Guest provides any Personal Data about other persons to the Hotel or the providers of the services of the Hotel (for instance, in case of booking for another person), the Guest confirms that he shall have such right and shall allow the use of such data in accordance with this Policy.
4.6. Processing of personal data of the Guests
4.6.1. The processing of personal data of the Guests shall be carried out by the method of mixed processing (non-automatic processing, automatic processing).
4.6.2. Only the employees of the Hotel who are allowed to work with the personal data of the Guests can have access to the processing of personal data of the Guests.
4.6.3. Personal data of the Guests in hard copies shall be stored in a specially designated room of the Hotel.
4.6.4. Personal data of the Guests in electronic form shall be stored in the local computer network of the Hotel, in the electronic systems of the Hotel.
4.7. Confidentiality of personal data
4.7.1. Personal data shall be confidential and information protected in accordance with the law.
4.7.2. The Operator and other parties who have gained access to personal data shall be obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, except for cases when it is necessary in order to prevent threats to life and health, as well as in cases set forth in the federal laws.
4.7.3. Upon a reasoned request, personal data without the consent of the subject of personal data can be transferred:
- to the judicial authorities according to the administration of justice;
- to the state security bodies;
- to the prosecutor's office;
- to the police;
- to the investigating authorities;
- to the migration service;
- to other bodies in the cases set forth by regulatory legal acts having binding force.
4.7.4. Personal data can be transferred via informational systems using computer programs.
4.7.5. Hotel employees shall not answer questions related to the transfer of personal data by phone or fax.
4.7.6. To develop and implement specific measures to ensure the security of personal data during their processing in the information system of the Hotel, a responsible employee shall be appointed.
4.7.7. The Hotel shall keep a record of persons, who have access to personal data processed in the information system in order to perform their official (labor) duties.
4.7.8. The Hotel shall not provide personal data to third parties without the consent of the subject of personal data, except as otherwise provided by law.
4.7.9. All parties who have gained access to personal data shall be obliged not to disclose to third parties and not to distribute personal data without the consent of the subject of personal data, unless otherwise provided by law.
4.7.10. Parties who have access to the personal data of the Guests shall be obliged to comply with the confidentiality regime, they must be warned about the need to comply with the secrecy regime. In connection with the confidentiality regime for information of a personal nature, appropriate security measures must be provided to protect data from accidental or unauthorized destruction, from accidental loss, from unauthorized access, change or distribution.
4.7.11. All confidentiality measures during the obtaining, processing and storage of personal data of the Guests shall apply to all information carriers, both hard copies and automatic.
4.7.12. The confidentiality regime of personal data shall finish in case of depersonalization or their inclusion in publicly available sources of personal data, unless otherwise specified by the law.
4.7.13. In the event of loss or disclosure of confidential information, the Operator shall not responsible if such confidential information:
Became public domain before its loss or disclosure.
Was received from a third party prior to its receipt by the Operator.
Was disclosed with the consent of the subject of personal data.
Was disclosed due to the actions of third parties not related to the Operator.
4.8. Ordering the processing of personal data to another party
The Operator shall have the right to order the processing of personal data to another party with the consent of the subject of personal data, unless otherwise provided by the federal law, on the basis of an agreement entered into with such person. A person who processes personal data on behalf of the Operator shall be obliged to comply with the principles and rules for processing of personal data provided by the Federal Law 152-FZ and this Policy.
4.9. Public sources of personal data
4.9.1. For informational support, the Operator may create publicly available sources of personal data for subjects of personal data, including directories, customer journals and others. With the written consent of the subject of personal data, publicly available sources of personal data may include his last name, first name, patronymic, date and place of birth, position, contact phone numbers, e-mail address, and other personal data provided by the subject of personal data.
4.9.2. Information about the subject of personal data must be excluded from publicly available sources of personal data at any time at the request of the subject of personal data, an authorized body for the protection of the rights of subjects of personal data, or by a court decision.
4.10. Processing of personal data of citizens of the Russian Federation
In accordance with Article 2 of the Federal Law of July 21, 2014 N 242-FZ "On Amendments to Certain Legislative Acts of the Russian Federation in terms of clarifying the procedure for processing personal data in information and telecommunication networks" while obtaining personal data, including through informational and telecommunication network "Internet", the Operator shall obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for the following cases:
- the processing of personal data is necessary to achieve the goals provided for by an international agreement of the Russian Federation or by law, for the implementation and implementation of the functions, powers and duties imposed by the legislation of the Russian Federation on the Operator;
- the processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Russian Federation on enforcement proceedings (hereinafter referred to as the execution of a judicial act);
- processing of personal data is necessary for the execution of the powers of federal executive bodies, bodies of state non-budgetary funds, executive bodies of state power of the constituent entities of the Russian Federation, local government bodies and the functions of organizations participating in the provision of state and municipal services, respectively, provided for by the Federal Law of July 27, 2010 N 210-FZ "On the organization of the provision of state and municipal services", including the registration of the subject of personal data on a single portal of state and municipal services and (or) regional portals of state and municipal services;
- processing of personal data is necessary for the implementation of the professional activity of a journalist and (or) the legitimate activity of the media or scientific, literary or other creative activity, provided that this does not breach the rights and legitimate interests of the subject of personal data.
4.11. Cross-border transfer of personal data
4.11.1. The operator shall be obliged to make sure that the foreign state, to which territory personal data is supposed to be transferred, provides adequate protection of the rights of subjects of personal data, prior to the start of such transfer.
4.11.2. Cross-border transfer of personal data on the territory of foreign states that do not provide adequate protection of the rights of subjects of personal data can be carried out in the following cases:
- written consent of the subject of personal data for the cross-border transfer of their personal data;
- execution of a contract to which the subject of personal data is a party.
4.11.3. The Operator shall carry out cross-border transfer of personal data to any foreign country on the territory of which cross-border transfer of personal data is carried out, at the request of the person who applied for the provision of services to the Hotel (the subject of personal data)
4.12. Special categories of personal data
The processing by the Operator of special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life is not allowed, except in cases established by the law.
4.13. Social networks
4.13.1. The transmission of login data on the Website to third-party social website or social networks such as Facebook, Instagram, Vkontakte, Odnoklassniki or Twitter requires the consent of the subject of personal data. If there is a social network plug-in on the Website, the Internet browser of the subject of personal data will automatically contact the social network server. Thus, the social network will receive information that the browser of the subject of personal data requested the corresponding page on the Website, even if the subject of personal data does not have a profile on the corresponding social network or did not actually interact with the plugin, for example, did not click the "Like" button. If a subject of personal data is a user of a social network and is logged into their account, the social network can automatically remember the account data. If a subject of personal data used plugins, for example, by clicking on the "Like" button, the corresponding information is sent directly to the social network and stored there. The plugins "Post", "Share" and "Repost" on the websites work on the same principle. The Hotel cannot influence the nature and amount of information that will be transmitted to the social network, as well as its subsequent use.
4.14. Use of personal data for advertising and marketing research
4.14.1. The subject of personal data provides the Hotel with consent to carry out advertising and information mailing about discounts, promotions, new offers, etc. using various means of communication, including, but not limited to: mailing list, email, telephone, Internet, social networks, etc. The frequency of such mailings is determined by the Hotel at its discretion unilaterally.
4.14.2. The Guest shall have the right to refuse to receive advertising and other information without explaining the reasons for the refusal. At the same time, if the Guest does not want to receive the specified mailings, they must unsubscribe from the mailing list using the "Unsubscribe from mailing list" function, following the link contained in the mailing letter.
4.14.3. Service messages informing the Guest about the booking of services and the stages of processing of their requests shall be for informational purposes only in order to inform of the procedure for fulfilling the request, shall not be advertising mailings, shall be sent automatically and cannot be rejected by the Guest.

5. OBLIGATIONS OF THE OPERATOR
5.1. The Hotel as the Operator shall be obliged to:
5.1.1. Process the personal data of the Guests solely for the purpose of providing services to the Guests according to the law.
5.1.2. Receive personal data of the Guest directly from them. If the Guest's personal data can only be obtained from a third party, then the Guest must be notified of this in advance and a written consent must be obtained from him. Hotel employees must inform the Guests about the purposes, intended sources and methods of obtaining personal data, as well as the nature of the personal data to be received and the consequences of the Guest's refusal to provide written consent to obtain them.
5.1.3. Not to receive or process the personal data of the Guest about their race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as otherwise provided by law.
5.1.4. Provide access to their personal data to the Guest or their legal representative when contacting or receiving a request containing the number of the identity document of the Guest or their legal representative, information about the date of issue of such document and the issuing authority, and the Guest's or their legal representative's handwritten signature. The request may be sent in electronic form and signed with an electronic digital signature in accordance with the legislation of the Russian Federation. Information about the availability of personal data must be provided to the Guest in an accessible form and must not contain personal data of other subjects of personal data.
5.1.5. Restrict the Guest's right to access their personal data if:
processing of personal data, including personal data obtained as a result of law enforcement, counterintelligence and intelligence activities, is carried out for the purposes of national defense, state security and law enforcement;
the processing of personal data is carried out by the bodies that detained the subject of personal data on suspicion of committing a crime or charged the subject of personal data in a criminal case, or applied a preventive measure to the subject of personal data prior to filing charges, except the cases provided for by the criminal procedure legislation of the Russian Federation, if it is allowed to provide the suspect or the accused person with such personal data;
the provision of personal data breaches the constitutional rights and freedoms of other persons.
5.1.6. Ensure the storage and protection of the Guest's personal data from their misuse or loss.
5.1.7. In case of revealing inaccurate personal data or illegal actions with them by the Operator when contacting or at the request of the subject of personal data or their legal representative or an authorized body for the protection of the rights of subjects of personal data, the Operator shall be obliged to block the personal data relating to the relevant subject of personal data from the moment of such contacting or receiving such a request for the verification period.
5.1.8. In case of confirmation of the fact of inaccuracy of personal data, the Operator on the basis of documents submitted by the subject of personal data or their legal representative or an authorized body for the protection of the rights of subjects of personal data, or other necessary documents, must clarify the personal data and remove their blocking.
5.1.9. In case of revealing illegal actions with personal data, the Operator, within a period not exceeding three working days from the date of such revealing, shall be obliged to eliminate such breach. If it is impossible to eliminate the breach, the Operator shall be obliged to destroy the personal data within a period not exceeding three working days from the date of revealing of illegal actions with personal data. The Operator shall be obliged to notify the subject of personal data or their legal representative about the elimination of the breach committed or the destruction of personal data, and if the appeal or request was sent by the authorized body for the protection of the rights of subjects of personal data, such body as well.

6. RIGHTS OF THE SUBJECT OF PERSONAL DATA
6.1. Consent of the subject of personal data to the processing of their personal data
The subject of personal data shall decide to provide their personal data and agree to their processing freely, of their own free will and in their interest. Consent to the processing of personal data may be given by the subject of personal data or their representative in any form that allows to confirm the fact of its receipt, unless otherwise provided by federal law.
6.2. Rights of the subject of personal data
6.2.1. According to Article 14 of the Federal Law FZ-152, the subject of personal data shall have the right to receive information from the Operator regarding the processing of their personal data, if such right is not limited in accordance with federal laws. The subject of personal data shall have the right to request from the Operator clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, including by sending an appropriate request to the Operator, as well as to take measures provided by law to protect their rights.
6.2.2. The processing of personal data in order to promote goods, works, services on the market by making direct contacts with the subject of personal data (potential consumer) using means of communication is allowed only with the prior consent of the subject of personal data. The operator is obliged to immediately stop, at the request of the subject of personal data, the processing of his personal data for the abovementioned purposes.
6.2.3. It is forbidden to make decisions on the basis of solely automatic processing of personal data that causes legal consequences in relation to the subject of personal data or otherwise affect their rights and legitimate interests, except in the events provided by federal laws, or with the consent in writing of the subject of personal data.
6.2.4. If the subject of personal data believes that the Operator is processing their personal data breaching the requirements of the Federal Law FZ-152 or otherwise violates their rights and freedoms, the subject of personal data shall have the right to appeal against the actions or inaction of the Operator to the Authorized body for the protection of the rights of subjects of personal data or to the court.
6.2.5. The subject of personal data shall have the right to protect their rights and legitimate interests, including compensation for losses and (or) compensation for moral damage.

7. TERMS OF STORAGE OF PERSONAL DATA
7.1. The Hotel stores personal data of the Guests as long as it is required to perform the actions provided by their Policy, within other stated terms or periods permitted by applicable law. The Hotel shall have the right to store the personal data of the Guests if it is objectively necessary for the fulfillment of any legal obligations, the requirements of regulatory and supervisory authorities, the settlement of disputes or legal claims, as well as if it is required for other purposes to comply with this Policy, to prevent fraud and abuse.
7.2. When determining the appropriate storage period for the personal data of the Guests, the Hotel takes into account the volume, nature and degree of confidentiality of personal data, the potential risk in case of unauthorized use or disclosure of data, the purpose of processing these personal data, as well as the possibility of achieving such purposes in other ways, and the requirements of current legislation.
8. ENSURING THE SECURITY OF PERSONAL DATA
8.1. The security of personal data processed by the Operator is ensured by the implementation of legal, organizational and technical measures to comply with the requirements of federal legislation regarding personal data protection.
8.2. To prevent unauthorized access to personal data in the Hotel, the following organizational and technical measures shall be applied:
- appointment of officials responsible for organizing the processing and protection of personal data;
- limiting the persons having access to the processing of personal data;
- familiarization of subjects with the requirements of federal legislation and regulatory documents of the Operator on the processing and protection of personal data, containing information with personal data;
- identification of threats to the security of personal data during their processing, the formation of threat models on their basis;
- development of a personal data protection system based on a threat model;
- checking the readiness and effectiveness of the use of information security measures;
- differentiation of user access to information resources and software and hardware for information processing;
- registration and accounting of actions of users of information systems of personal data;
- use of anti-virus measures and means of restoring of the personal data protection system;
- using the system of passwords set by the system administrator;
- the use of firewalling, intrusion detection, security analysis and cryptographic information protection means, if necessary;
- organization of access control to the territory of the Hotel, protection of premises with technical means for processing personal data;
- documents containing personal data of the Guests shall be stored in specially designated rooms of the Hotel, providing protection against unauthorized access;
- other legal, organizational (corporate), technical and other protection measures not prohibited by the legislation of the Russian Federation.
8.3. The access of the Hotel employees to the personal data processed in the Hotel's information system, as well as to their material carriers, shall be performed only in order to fulfill their job duties. Workplaces and places for storing personal data shall be equipped in such a way as to exclude uncontrolled use of confidential information. Access to the personal data of the Guests of the Hotel employees who do not have properly issued access shall be prohibited. Copying and extracts of personal data of the Guests shall be allowed solely for working purposes.

9. POLICY REGARDING "COOKIE" FILES
9.1. When a Guest visits the Website, they automatically receive one or more "cookie" files. The main purpose of the Hotel use of "cookies" is to ensure the optimal quality of the services provided. Moreover, the Hotel uses third-party "cookies" to collect statistical information and analyze user behavior. The Policy specifies the types of "cookies" used by the Hotel, the purpose of their use, as well as how to block and delete such files.
9.2. What is a "cookie" file?
9.2.1. A "cookie" file is a small file, usually consisting of letters and numbers, that is downloaded to a device when a user visits certain websites. On each subsequent visit, the "cookies" are sent back to the original website. "Cookies" are useful since they allow the Website to recognize the user's web browser or device, the URL of the request source, preferred language and other aggregated data from network traffic.
9.3. Blocking and deleting "cookie" files
9.3.1. The browser can optionally block or delete "cookies". For more information, the user should refer to the "Help" menu of their browser. Blocking all "cookies" will adversely affect the functionality of many websites, including the Hotel's Website. For instance, the Hotel will not be able to identify the computer of the Website visitor, which is why the Website visitor will have to re-enter the system every time they visit the Hotel's Website. The visitor will also not be able to receive advertising and other offers that meet the interests and needs of the visitor. In this regard, the Hotel recommends to allow the use of "cookies" when working with the Website.
9.4. Hotel's use of "cookie" files
9.4.1. The "cookies" used by the Website may be set by the Hotel, by third parties having an agreement with the Hotel, or by independent third parties such as advertisers.
9.4.2. The Hotel uses functional "cookies" to ensure security, facilitate navigation, provide data more efficiently, and collect statistical data.
9.4.3. The Website uses both session and persistent "cookies". Session "cookies" remember information during navigation from page to page to filter and perform searches. They are then deleted when the session ends. Persistent cookies allow the Website to "recognize" the visitor at the next visit. They remain on the computer until they are deleted or until the specified expiration date. Persistent cookies stored on the Website visitor's computer as a result of the use of the Website by the visitor will be stored for no more than 2 (two) years from the date of the last visit to the Website.
9.5. Types of "cookie" files
The following describes the different types of "cookies" the Hotel uses, the reasons why the Hotel (or relevant third parties) uses them, and provides information on how a Website visitor may control the "cookies" used by the Hotel Website, as well as and learn more about them.
9.5.1. Essential "cookies"
The essential "cookies" are the most important for the correct operation of the Website. They allow the Hotel to remember the information selected on one page for use on other pages. It may be, for instance, the routes, dates and number of travelers. The Hotel may store such data and pass it on to its booking partners so that Website visitors do not have to enter it again.
9.5.2. User productivity and efficiency
The Hotel uses "cookies" to ensure the correct operation of the Website and to provide the desired search results in accordance with the selected parameters. The Hotel also uses "cookies" to improve the usability of the Website. For such reason, the Hotel determines, whether the visit to the Website is the first for a visitor, and the Website remembers the user's preferences (such as language and currency type) and previous searches.
9.5.3. Analytics and advertising
The Hotel also uses "cookies" to track and better understand how the Website and services are used and accessed, which allows the Hotel to optimize the experience of visitors on the Website. The Hotel may use them when choosing marketing messages to send and when tracking responses to online advertisements and Hotel marketing messages.
10. DISPUTE RESOLUTION AND CONTACT INFORMATION
10.1. Any appeals, inquiries to the Operator related to personal data can be sent by the subject of personal data:
10.1.1. by e-mail: info@kravtnevsky.ru, or
10.1.2. by mail to the address: "Otel Nevski" LLC, 190068, Saint-Petersburg, 133A Griboyedov Canal Embankment, letter A, office 046, room A.
10.2. Prior to submitting a lawsuit to the court regarding the disputes arising from the relationship between the subject of personal data and the Operator, it is mandatory to submit a claim (a written proposal for a voluntary settlement of the dispute).
10.3. The term for consideration of the claim is 30 (thirty) calendar days.
10.4. If an agreement is not reached, the dispute shall be referred to a judicial authority in accordance with the current legislation of the Russian Federation.
10.5. The current legislation of the Russian Federation applies to this Privacy Policy and the relationship between the subject of personal data and the Operator.

11. FINAL PROVISIONS
11.1. This Policy shall be subject to approval by the order of the General Director of the Hotel and is mandatory for all employees who have access to the personal data of the Guests.
11.2. The operator reserves the right, if necessary, to update this Policy without prior notice, including in the event of a change in legislation on personal data. The current version of the Policy is published on the Website.
11.3. Other rights and obligations of the Hotel as an Operator of personal data in connection with the processing of personal data are determined by the legislation of the Russian Federation in the field of personal data.
11.4. The Hotel shall be responsible for the personal information that is at its disposal and shall ensure the personal responsibility of employees for compliance with the established confidentiality regime.
11.5. Each employee who receives for work a document containing the personal data of a Guest shall be personally responsible for the safety of the document and the confidentiality of information.
11.6. The employees of the Hotel who violate the rules governing the processing and protection of personal data shall be liable with material, disciplinary, administrative, civil or criminal liability according to the federal laws.
11.7. This Policy is made in Russian and English. The text of this Policy in Russian shall prevail.
HOTEL
8 812 777 4 555
info@kravtnevsky.ru
Saint-Petersburg, Alexander Nevsky St., 8а

COOPERATION AND ADVERTISING
marketing-manager@kravt.com

24 / 7