Personal Data Processing Policy
1. General Provisions
1.1. This Personal Data Processing Policy (hereinafter, the “Policy”) defines the policy of Arcolad LLC (Taxpayer Identification Number (INN): 9725075105, Primary State Registration Number (OGRN): 1227700088450) (hereinafter, the “Operator”) as a personal data operator with respect to the processing and protection of Personal Data.
The processing of Personal Data by the Operator is carried out in compliance with the principles and conditions established by this Policy and the legislation of the Russian Federation concerning Personal Data.
The Operator considers the observance of human and civil rights and freedoms in the processing of Personal Data, including protection of privacy and personal and family secrets, to be one of the most important objectives and conditions of its activities.
This Policy has been developed in accordance with the following regulatory legal acts:
- Federal Law No. 149-FZ dated July 27, 2006, “On Information, Information Technologies and Information Protection”;
- Federal Law No. 152-FZ dated July 27, 2006, “On Personal Data”;
- Decree of the Government of the Russian Federation No. 512 dated July 6, 2008, “On Approval of Requirements for Physical Media of Biometric Personal Data and Technologies for Storage of Such Data Outside Personal Data Information Systems”;
- Decree of the Government of the Russian Federation No. 687 dated September 15, 2008, “On Approval of the Regulation on the Peculiarities of Personal Data Processing Carried Out Without Automation Tools”;
- Decree of the Government of the Russian Federation No. 1119 dated November 1, 2012, “On Approval of Requirements for Personal Data Protection in Personal Data Information Systems”;
- Local regulations of the Operator.
1.2. The purpose of this Policy is to establish the procedure for obtaining, recording, processing, storing, and protecting Personal Data from unauthorized access, unlawful use, or loss.
The Policy defines:
- the purposes, content, and procedure for Personal Data processing;
- measures aimed at protecting Personal Data;
- procedures aimed at identifying and preventing violations of Russian legislation in the field of Personal Data.
The Policy also establishes the Operator’s obligations concerning Personal Data processing and protection, including maintaining the confidentiality of Personal Data provided to the Operator.
1.3. Definitions
1.3.1. Automated Processing of Personal Data – processing of Personal Data using computer technology.
1.3.2. Blocking of Personal Data – temporary suspension of Personal Data processing, except where processing is necessary to clarify Personal Data.
1.3.3. Personal Data Information System (PDIS) – a set of Personal Data contained in databases and the information technologies and technical means used to process them.
1.3.4. Confidentiality of Personal Data – a mandatory requirement for the Operator or any person who has gained access to Personal Data not to disclose such data without the consent of the Personal Data Subject or another lawful basis.
1.3.5. Depersonalization (Anonymization) of Personal Data – actions that make it impossible, without additional information, to determine the identity of the Personal Data Subject.
1.3.6. Processing of Personal Data – any action or set of actions performed with Personal Data, with or without automation tools, including:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- updating and modification;
- retrieval;
- use;
- transfer (distribution, provision, access);
- anonymization;
- blocking;
- deletion;
- destruction.
1.3.7. Personal Data Operator – Arcolad LLC, registered in accordance with Russian law, which independently or jointly with others organizes and/or carries out Personal Data processing and determines:
- the purposes of processing;
- the categories of Personal Data processed;
- the operations performed with Personal Data.
1.3.8. Personal Data – any information relating directly or indirectly to an identified or identifiable natural person.
1.3.9. Product – a product described on the Website, including information regarding its characteristics, purchase conditions, delivery, and return policies.
1.3.10. Personal Data Permitted for Distribution – Personal Data to which an unlimited number of persons have access as authorized by the Data Subject through consent provided in accordance with Russian law.
1.3.11. Personal Data Processing Policy – this document, including all amendments and supplements, approved by the Operator and publicly available at:
https://shop.arcolad.ru/ru/privacy-policy
1.3.12. User – a legally capable individual using the Website for personal purposes or on behalf of a legal entity or individual entrepreneur.
1.3.13. Provision of Personal Data – actions aimed at disclosing Personal Data to a specific person or group of persons.
1.3.14. Distribution of Personal Data – actions aimed at disclosing Personal Data permitted for distribution to an indefinite number of persons.
1.3.15. Website – the collection of information, texts, graphic elements, design, images, photo and video materials, intellectual property results, and software available at:
arcolad.ru, including subdomains.
1.3.16. Cross-Border Transfer of Personal Data – transfer of Personal Data to:
- a foreign government authority;
- a foreign individual;
- a foreign legal entity.
1.3.17. Destruction of Personal Data – actions making it impossible to restore Personal Data or resulting in destruction of physical media containing such data.
1.3.18. Cookies – small data files sent by a web server and stored on the User’s device, which are transmitted back to the server via HTTPS requests when accessing a website.
1.3.19. Personal Data Subject – an individual identified or identifiable through Personal Data.
1.3.20. IP Address – a unique network address of a node within an IP-based network.
1.3.22. Mailing List / Newsletter – automated sending by the Operator of informational and advertising emails/messages to the User's email address.
1.4. Personal Data constitutes confidential information and may not be used by the Operator or any other person for personal purposes.
Persons who gain access to Personal Data must not disclose it to third parties or distribute it without the consent of the Data Subject, unless otherwise provided by law.
1.5. The Data Subject independently decides whether to provide Personal Data and gives consent to its processing voluntarily and in their own interests.
Consent must be:
- specific;
- informed;
- conscious;
- unambiguous.
The Operator does not verify the accuracy of Personal Data provided by the Data Subject.
1.6. By consenting to the collection and processing of Personal Data and accepting this Policy, the Data Subject consents to the processing of Personal Data specified in Section 5, including:
- collection;
- recording;
- accumulation;
- storage;
- updating;
- retrieval;
- use;
- transfer to third parties;
- anonymization;
- blocking;
- deletion;
- destruction.
1.7. A User who refuses consent to Personal Data processing for the purposes specified in Section 5 understands that they will not be able to use all Website functions and services, and access may be limited.
2. Requirements, Principles, and Conditions of Personal Data Processing
2.1. To ensure human and civil rights and freedoms, the Operator shall comply with the following requirements:
- Personal Data may be processed only for lawful purposes;
- The scope and content of Personal Data processed must comply with applicable regulations;
- Processing must comply with Russian law;
- Personal Data is generally obtained directly from the Data Subject.
2.2. The Operator processes Personal Data lawfully and fairly to perform duties established by law and to protect the legitimate interests of the Operator and other persons.
2.3. The Operator receives Personal Data directly from the Data Subject except where data is transferred within contractual relations.
If Personal Data can only be obtained from a third party:
- the Data Subject must be notified in advance;
- written consent must be obtained.
The Data Subject must be informed about:
- the purpose of collection;
- sources of data;
- methods of obtaining data;
- categories of Personal Data involved;
- consequences of refusing consent.
2.4. Personal Data is processed based on:
- written consent where legally required; or
- implied consent through actions performed by the User.
2.5. The User must provide accurate Personal Data and promptly notify the Operator of any changes.
2.6. Personal Data may only be used for the purposes for which it was collected.
It may not be used to:
- cause material or moral harm;
- obstruct the exercise of rights and freedoms.
Discrimination based on social origin, race, nationality, language, religion, or political affiliation is prohibited.
2.7. Personal Data may only be transferred:
- with the consent of the Data Subject or legal representative; or
- where explicitly permitted by law.
Only the minimum amount of Personal Data necessary for the stated purpose may be transferred.
2.8. Consent to process Personal Data that the Data Subject permits for public distribution must be obtained separately from any other consent for Personal Data processing.
The Operator must provide the Data Subject with the opportunity to determine which categories of Personal Data may be distributed.
Silence or inaction by the Data Subject shall under no circumstances be considered consent for the distribution of Personal Data.
2.9. The Data Subject may establish restrictions in their consent regarding:
- transfer of Personal Data to an unlimited number of persons (except for granting access);
- processing conditions for such Personal Data by an unlimited number of persons.
The Operator may not refuse to implement such restrictions.
2.10. When transferring Personal Data, the Operator must:
- not disclose Personal Data to third parties without written consent from the Data Subject or legal representative, except where required by law or necessary to protect life and health;
- inform recipients that the Personal Data may only be used for the purposes for which it was provided;
- require recipients to maintain confidentiality;
- not request information regarding a Data Subject’s health status except where permitted by law.
2.11. All security measures for collection, processing, and storage apply equally to paper and electronic records.
2.12. Databases containing Personal Data of Russian citizens are located within the territory of the Russian Federation.
2.13. Depending on the level of Personal Data protection required, the Operator:
- secures premises containing Personal Data information systems;
- protects Personal Data storage media;
- uses certified information security tools;
- restricts access to electronic logs within Personal Data information systems.
2.14. Upon termination of a civil-law contract with a Data Subject, the Operator immediately ceases processing the relevant Personal Data and destroys it within the period established by law, except for archived documents retained under legal requirements.
2.15. Principles of Personal Data Processing
2.15.1. Processing must be lawful and fair.
2.15.2. Processing must be limited to specific, predetermined, and lawful purposes.
2.15.3. Databases containing Personal Data processed for incompatible purposes must not be merged.
2.15.4. Only Personal Data relevant to processing purposes may be processed.
2.15.5. The content and scope of Personal Data must correspond to the stated processing purposes and must not be excessive.
2.15.6. The Operator must ensure Personal Data is accurate, sufficient, and up to date and must take measures to correct inaccurate or incomplete information.
2.15.7. Personal Data may be stored only as long as necessary for the purposes of processing unless a different period is established by law or contract.
After processing purposes are achieved, Personal Data must be:
- destroyed; or
- anonymized.
2.15.8. Before carrying out a cross-border transfer of Personal Data, the Operator must ensure that the receiving country provides adequate protection of Data Subjects’ rights.
2.15.9. The Operator is not responsible for information processing by third-party websites accessible through links on the Website.
2.16. Access to rooms containing Personal Data documents or storage devices is restricted.
2.17. Personal Data is stored on electronic media with restricted access.
Only the Operator has direct access to Personal Data.
2.19. Guarantees and compensation provided by law are granted to Data Subjects from the moment the relevant information is provided unless otherwise required by law.
3. Rights and Obligations of the Operator
3.1. Rights of the Operator
The Operator has the right to:
- collect Personal Data through Website forms and direct communication;
- provide Users with Website access;
- collect, record, store, update, retrieve, use, transfer, anonymize, block, delete, and destroy Personal Data;
- distribute Personal Data where separate consent for distribution has been obtained;
- transfer Personal Data to third parties under contracts concluded for the purposes specified in Section 5;
- engage third parties to process Personal Data on its behalf under contractual arrangements and in compliance with Russian law;
- continue processing Personal Data after withdrawal of consent where legal grounds exist;
- refuse repeated requests from Data Subjects where permitted by law and provide a justified response.
3.2. The Operator may not collect or process Personal Data concerning:
- political beliefs;
- religious beliefs;
- other personal convictions;
- private life;
- membership in public organizations;
- trade union membership;
except where allowed by law or where the Data Subject has provided written consent.
3.3. The Operator may transfer Personal Data to government authorities and supervisory bodies when required by law.
3.4. Obligations of the Operator
The Operator must:
- use Personal Data only for the purposes specified in Section 5;
- provide information concerning a Data Subject's Personal Data upon request;
- respond to inquiries regarding Personal Data processing;
- not disclose Personal Data without consent unless legally required;
- provide requested information in an accessible format;
- explain decisions based solely on automated processing and their legal consequences;
- explain the consequences of refusing to provide Personal Data where such provision is legally required;
- ensure localization of Russian citizens’ Personal Data in databases located in Russia;
- maintain reliable protection and confidentiality of Personal Data.
The Operator is not liable for disclosure of confidential information if:
- it became publicly available before disclosure by the Operator;
- it was lawfully obtained from a third party;
- it was disclosed with the Data Subject’s consent.
4. Rights and Obligations of the Personal Data Subject
4.1. The Data Subject has the right to:
Request correction, blocking, or deletion
Require the Operator to correct, block, or destroy Personal Data if it is:
- incomplete;
- outdated;
- inaccurate;
- unlawfully obtained;
- unnecessary for the stated processing purpose.
Requests may be sent to:
online@arcolad.ru
Request information about protection measures
The Data Subject may request information regarding measures taken by the Operator to protect Personal Data.
Request information about Personal Data processing
The Data Subject may obtain information concerning Personal Data processed by the Operator.
Submit repeated requests
A repeated request may be submitted no earlier than 30 days after the initial request unless a shorter period is established by law.
Request access before the 30-day period
If information was not provided in full, the Data Subject may submit a justified repeated request before 30 days have elapsed.
Withdraw consent
The Data Subject may withdraw:
- consent to Personal Data processing;
- consent to distribution of Personal Data.
Appoint representatives
The Data Subject may appoint representatives to protect their Personal Data rights.
Seek legal protection
The Data Subject may:
- seek compensation for losses;
- seek compensation for moral damages;
- pursue judicial remedies.
File complaints
The Data Subject may challenge actions or inaction by the Operator before:
- the competent Personal Data supervisory authority;
- a court of law.
5. Purposes of Processing, Categories of Personal Data, Methods, Retention Periods, Destruction Procedures, and Categories of Data Subjects
5.1. The Operator processes Personal Data within Personal Data Information Systems (PDIS), both with and without automation tools, and ensures their protection taking into account the applicable security threat level and protection level.
The Operator protects both paper and electronic records containing Personal Data.
For each processing purpose, the Operator defines:
- categories and lists of Personal Data processed;
- categories of Data Subjects;
- processing methods;
- retention periods;
- destruction procedures;
- internal procedures for preventing and detecting violations of Russian Personal Data legislation and eliminating their consequences.
5.1.1. Performance of a Sales Contract and Related Agreements
The Operator processes Personal Data for:
- acceptance of the Operator’s public offer;
- conclusion and performance of product sales contracts;
- registration of a user account;
- providing access to the personal account on the Website;
- conclusion of agreements initiated by the Data Subject;
- agreements under which the Data Subject acts as beneficiary or guarantor.
Categories of Personal Data
Other Personal Data that does not belong to:
- special categories of Personal Data;
- biometric Personal Data;
- Personal Data authorized for public distribution.
Data Processed
- surname;
- first name;
- patronymic (if applicable);
- email address;
- telephone number;
- password (if it contains Personal Data);
- delivery address.
Categories of Data Subjects
- customers of the Operator;
- customer representatives;
- beneficiaries under contracts;
- persons intending to conclude a contract with the Operator.
Processing Methods
Automated and non-automated (mixed) processing, including transmission via the Internet and the following operations:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- updating and modification;
- retrieval;
- use;
- transfer (provision and access);
- anonymization;
- blocking;
- deletion;
- destruction.
Cross-Border Transfers
Cross-border transfer of Personal Data is not carried out.
Retention Periods
Where processing is based on:
Consent
- for the period specified in the consent.
Contract
- for the duration of the contract unless otherwise specified.
Law
- for periods established by applicable legislation.
Destruction
Personal Data is destroyed:
- when the purpose of processing is achieved;
- when processing is no longer necessary;
- upon occurrence of other legal grounds,
unless federal law provides otherwise.
5.1.2. Handling Requests, Claims, Applications, and Feedback
The Operator processes Personal Data to:
- respond to inquiries;
- process complaints;
- process claims and applications;
- provide legally required information;
- communicate regarding contracts.
Categories of Personal Data
Other Personal Data not classified as special, biometric, or publicly distributable Personal Data.
Data Processed
- surname;
- first name;
- patronymic (if applicable);
- email address;
- banking details (when related to refunds);
- passport details (when related to claims);
- usernames in messaging apps and social networks;
- mailing address for responses;
- any other Personal Data voluntarily provided by the Data Subject.
Categories of Data Subjects
- customers;
- customer representatives;
- contract beneficiaries;
- prospective customers;
- Website users;
- persons with no contractual relationship who submit correspondence, claims, complaints, or applications.
Processing Methods
Automated and non-automated processing with Internet transmission.
Operations include:
- collection;
- recording;
- systematization;
- storage;
- updating;
- retrieval;
- use;
- transfer;
- anonymization;
- blocking;
- deletion;
- destruction.
Cross-Border Transfers
Not carried out.
Retention Periods
The same retention rules described in Section 5.1.1 apply.
Destruction
Personal Data is destroyed after achieving the purpose of processing or when processing is no longer necessary.
5.1.5. Marketing and Promotion of Products
Purpose
Promotion of products on the market.
Personal Data Processed
- cookies;
- technical information collected during Website visits.
Categories of Data Subjects
Website users.
Processing Methods
Automated and non-automated processing with Internet transmission.
Operations include:
- collection;
- storage;
- updating;
- use;
- transfer;
- anonymization;
- blocking;
- deletion;
- destruction.
Cross-Border Transfers
Not carried out.
Retention
- according to consent periods; or
- periods established by law.
Destruction
Upon completion of processing purposes or other legal grounds.
Third-Party Data Processors
5.2. T-Bank JSC
To process online payments, the Operator contracts with T-Bank JSC.
T-Bank:
- collects and processes Personal Data connected with payment transactions;
- provides payment services.
The Operator only receives the portion of Personal Data necessary to identify a specific payment or order.
The Operator does not receive access to payment card information.
Personal Data is processed under T-Bank’s own Personal Data Policy and retained until the relevant processing purpose is achieved.
The storage location is T-Bank’s data center.
5.4. Regional Network Information Center JSC (RSIC)
The Operator contracts with RSIC JSC to provide website hosting services.
RSIC:
- collects and processes Personal Data specified in Section 5.1;
- processes data under its own Personal Data Policy.
Data Storage Address
Russia, Moscow,
69 Aviamotornaya Street.
5.5. Express Tochka Ru LLC
The Operator contracts with Express Tochka Ru LLC for product delivery services.
The company processes Personal Data necessary for delivery.
Processing is carried out according to the company's own Personal Data Policy.
Personal Data is stored by Express Tochka Ru LLC until the relevant processing purpose has been fulfilled.
6. Threats of Personal Data Loss
6.1. A threat to Personal Data means any actual or potential event capable of causing harm to protected information.
Threats may be:
- internal or external;
- active or passive;
- isolated or complex.
6.2. Risks may arise from:
- natural disasters;
- emergencies;
- terrorist acts;
- equipment failures;
- communication failures;
- actions of interested or disinterested third parties.
6.3. Protection of Personal Data aims to ensure:
- confidentiality;
- integrity;
- availability;
- accuracy.
External Protection Measures
The Operator establishes protective barriers and unfavorable conditions for unauthorized access.
Unauthorized access may result in:
- acquisition of confidential information;
- modification of information;
- destruction of information.
Unauthorized persons include:
- visitors;
- individuals not directly associated with the Operator.
Such persons must not have access to internal work processes or confidential documents.
Security Requirement
Devices used in business operations must be protected by reliable antivirus software.
7. Liability of the Operator
7.1. Personal responsibility is one of the primary requirements for the functioning of a personal information protection system and an essential condition for ensuring its effectiveness.
7.2. Legal entities and individuals who possess, receive, and use information about citizens within the scope of their authority are liable under the legislation of the Russian Federation for violations of requirements governing the protection, processing, and use of such information.
7.3. If legal entities or individuals provide services to the Operator under contracts (or other legal grounds) and therefore require access to Personal Data, such Personal Data shall be provided only after the signing of a confidentiality agreement.
In exceptional cases, contractual provisions concerning confidentiality, including provisions regarding Personal Data protection, may be incorporated directly into service agreements.
7.4. Persons guilty of violating rules governing the collection, processing, and protection of Personal Data may incur:
- disciplinary liability;
- administrative liability;
- civil liability;
- criminal liability;
in accordance with applicable federal legislation.
8. Requirements for Premises Where Personal Data Is Processed
8.1. Premises housing Personal Data Information Systems (PDIS) or storage media containing Personal Data must comply with fire safety requirements established by the legislation of the Russian Federation for the relevant category of premises.
9. Measures Ensuring Security of Personal Data During Processing
9.1. The Operator protects Personal Data using generally accepted security methods designed to safeguard information against:
- loss;
- unlawful access;
- accidental access;
- distortion;
- unauthorized dissemination;
- destruction;
- modification;
- blocking;
- copying;
- other unlawful actions by third parties.
Security measures include:
- network protection software;
- access-control procedures;
- cryptographic information protection tools;
- compliance with this Policy;
- compliance with internal documents regulating Personal Data processing.
9.2. If Personal Data is lost or disclosed, the Operator must inform the Data Subject.
9.3. The Operator and the Data Subject shall take all necessary legal, organizational, and technical measures to prevent losses or other adverse consequences resulting from loss or disclosure of Personal Data.
9.4. Personal Data remains confidential except where the Data Subject voluntarily makes information publicly available.
9.5. Security of Personal Data processed within Personal Data Information Systems is ensured by preventing unauthorized access, including accidental access, and by implementing the following measures:
9.5.1. Identification of security threats affecting Personal Data.
9.5.2. Implementation of organizational and technical protection measures required to satisfy Russian government security requirements.
9.5.3. Use of certified information security tools that have successfully passed conformity assessment procedures.
9.5.4. Assessment of the effectiveness of security measures before the information system is put into operation.
9.5.5. Inventory and control of storage media containing Personal Data.
9.5.6. Detection of unauthorized access incidents and implementation of corrective actions.
9.5.7. Recovery of Personal Data modified, deleted, or destroyed as a result of unauthorized access.
9.5.8. Establishment of access rules for Personal Data processed within information systems and logging of all actions performed with such data.
9.5.9. Monitoring the effectiveness of security measures and protection levels.
9.6. The Operator must implement measures sufficient to comply with Russian Personal Data legislation.
These measures include:
1) Appointment of a person responsible for organizing Personal Data processing.
2) Adoption of documents governing:
- Personal Data processing policies;
- categories of Personal Data processed;
- categories of Data Subjects;
- processing methods;
- retention periods;
- destruction procedures;
- procedures for preventing and detecting legal violations.
3) Implementation of legal, organizational, and technical security measures.
4) Conducting internal audits and compliance monitoring.
5) Assessment of potential harm to Data Subjects in the event of legal violations and comparison of such risks with implemented safeguards.
6) Publication of this Personal Data Processing Policy on the Website for unrestricted public access.
10. Personal Data Processing Periods
10.1. Personal Data submitted through Website forms may be processed from the moment a completed form is submitted until:
- operation of the Website ceases;
- consent is withdrawn;
- the personal account is deleted;
- another event occurs as provided by law.
10.2. Unless otherwise provided by this Policy or legislation, processing shall cease when:
- the purpose of processing has been achieved;
- the consent period expires;
- consent is withdrawn;
- unlawful processing is identified;
- a request for destruction of Personal Data is received.
10.3. Transfer (distribution, provision, or access) of Personal Data authorized for public distribution must cease at any time upon the request of the Data Subject.
10.4. The Data Subject may require the Operator to stop distributing Personal Data previously authorized for distribution if legal requirements are violated.
The Operator must cease such distribution:
- within three business days after receiving the request; or
- within the period established by a final court decision.
If no specific period is stated in the court decision, distribution must cease within three business days after the decision becomes legally effective.
10.5. The User independently determines the duration of newsletter subscriptions.
The User may unsubscribe:
- through the unsubscribe link contained in each email; or
- by sending a request to:
online@arcolad.ru
with the subject line:
“Newsletter Unsubscribe”
11. Updating, Correction, Deletion, and Destruction of Personal Data; Responses to Requests
11.1. If Personal Data is found to be inaccurate or unlawfully processed:
- it must be corrected; and
- processing must cease where appropriate.
11.2. A Data Subject may request deletion or anonymization of Personal Data by emailing:
online@arcolad.ru
Following deletion, certain Website functionality may become unavailable.
The request review period is:
10 business days.
11.3. When processing purposes have been achieved, the Operator must:
- cease processing; and
- destroy Personal Data
within 30 calendar days, unless otherwise required by law or contract.
If destruction is impossible within that period, the data must be blocked and destroyed within six months, unless a different period is established by law.
11.4. Following withdrawal of consent, the Operator must cease processing and destroy Personal Data within 30 days, provided no legal grounds remain for retaining it.
If immediate destruction is impossible, the data must be blocked and destroyed within six months.
11.5. Upon receiving a request to stop processing Personal Data, the Operator must cease processing within:
10 business days.
This period may be extended by no more than:
5 business days
with a justified written explanation.
If destruction is impossible immediately, the data must be blocked and destroyed within six months.
11.6. The Operator blocks Personal Data during investigations of:
- unlawful processing;
- inaccurate Personal Data.
Blocking begins immediately after the request or complaint is received.
11.7. The Operator must update, correct, or clarify Personal Data within:
7 business days
after receiving a request.
11.8. The Operator must delete and destroy Personal Data within:
7 business days
after receiving evidence that:
- the data was unlawfully obtained; or
- the data is unnecessary for the stated processing purpose.
The Operator must also notify the Data Subject and take reasonable steps to notify third parties who previously received the data.
11.9. If unlawful processing is discovered:
- processing must cease within 3 business days;
- unlawful data must be destroyed within 10 business days if lawful processing cannot be established.
The Operator must notify the Data Subject and, where applicable, the supervisory authority.
11.10. The Operator responds to requests from:
- Data Subjects;
- authorized representatives;
- supervisory authorities
within:
10 business days.
This period may be extended by up to:
5 business days
with written justification.
11.11. Personal Data Breach Notification
If unlawful or accidental disclosure, transfer, provision, distribution, or access to Personal Data results in a violation of Data Subjects’ rights, the Operator must notify the authorized Personal Data supervisory authority:
Within 24 Hours
The notification must include:
- details of the incident;
- suspected causes;
- potential harm;
- measures taken to address consequences;
- contact information for the person responsible for communications.
Within 72 Hours
The Operator must provide:
- results of the internal investigation;
- information regarding persons responsible for the incident (if identified).
12.1. This Policy becomes effective on the date it is approved by the Operator.
12.2. The Policy may be amended through supplements and appendices approved by order of the Operator.
12.3. The Operator provides unrestricted public access to this Policy.
12.4. The Policy is made available to Data Subjects by publication on the Website.
12.5. By continuing to use the Website after publication of a revised version of the Policy, the Data Subject confirms acceptance of the updated Policy.
