22/2, Sadovaya street, Saint-Petersburg
+7 (812) 441-83-83|

Personal Data Processing Policy

Dear Guests,

Please read the Personal Data Processing Policy of Metropol Joint Stock Company.

 

  1. General Provisions

 

1.1.       This Personal Data Processing Policy of Metropol Joint Stock Company (hereinafter referred to as the «Policy») has been developed in accordance with Clause 2, Part 1, Article 18.1 of Federal Law No. 152-FZ dated July 27, 2006, «On Personal Data» (hereinafter referred to as the «Personal Data Law»), to ensure the protection of human and civil rights and freedoms during the processing of their personal data, including the rights to privacy, personal and family confidentiality.

 

1.2.       This Policy applies to all personal data processed by Metropol Joint Stock Company (hereinafter referred to as the «Operator», «Metropol JSC»).

 

 

1.3.       This Policy applies to personal data processing relations that have arisen both before and after its approval by the Operator.

 

1.4.       In accordance with Part 2 of Article 18.1 of the Personal Data Law, this Policy is publicly available on the Operator’s website on the Internet.

 

 

1.5.       The main terms used in this Policy:

 

Personal data – any information related directly or indirectly to an identified or identifiable individual (personal data subject);

 

Personal data operator (operator) – a government body, municipal body, legal entity, or individual that independently or jointly with others organizes and/or performs the processing of personal data, and determines the purposes of processing, the scope of data to be processed, and the actions (operations) performed with personal data;

 

Processing of personal data – any action (operation) or set of actions (operations) performed with or without the use of automation tools, including:

• collection;

• recording;

• systematization;

• accumulation;

• storage;

• clarification (updating, modification);

• retrieval;

• use;

• transfer (distribution, provision, access);

• depersonalization;

• blocking;

• deletion;

• destruction;

 

Automated processing of personal data – processing using computing technology;

 

Dissemination of personal data – actions aimed at disclosing personal data to an indefinite number of persons;

 

Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons;

 

Blocking of personal data – temporary cessation of personal data processing (except where processing is necessary to clarify personal data);

 

Destruction of personal data – actions that make it impossible to restore personal data in a personal data information system and/or lead to the destruction of physical storage media of personal data;

 

Depersonalization of personal data – actions making it impossible to identify the subject of personal data without additional information;

 

Personal data information system – a set of personal data contained in databases and the information technologies and technical tools ensuring their processing.

 

 

1.6.       The main rights and obligations of the Operator.

 

1.6.1.   The Operator has the right to:

 

  1. Independently determine the composition and list of measures necessary and sufficient to ensure compliance with the obligations under the Personal Data Law and related regulations, unless otherwise provided by law;

 

 

  1. Entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by federal law, based on a contract concluded with such person. A person processing personal data on behalf of the Operator must comply with the principles and rules for processing personal data as provided by law, maintain confidentiality, and take appropriate measures to fulfill legal requirements;

 

 

  1. Continue processing personal data without the consent of the subject if there are legal grounds under the Personal Data Law, even if the subject withdraws consent.

 

 

 

1.6.2.   The Operator must:

 

  1. Organize personal data processing in accordance with the requirements of the Personal Data Law;

 

 

  1. Respond to inquiries and requests from data subjects or their legal representatives in accordance with legal requirements;

 

 

  1. Provide requested information to the authorized body for the protection of data subjects' rights (Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications – Roskomnadzor) within 10 business days of receiving a request. This period may be extended by no more than five business days, subject to providing a reasoned notification;

 

 

  1. Ensure interaction with the state system for detecting, preventing, and mitigating the consequences of computer attacks on information resources of the Russian Federation, including informing about incidents involving unlawful personal data disclosure (provision, dissemination, access), in accordance with procedures set by the authorized federal executive body.

 

 

 

1.7.       The main rights of the personal data subject.

The personal data subject has the right to:

 

  1. Receive information regarding the processing of their personal data, except where restricted by federal laws. The information is provided in an accessible form and must not contain personal data of other subjects unless legally justified;

 

 

  1. Request that the Operator clarify, block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose, and take legal measures to protect their rights;

 

 

  1. Provide prior consent to the processing of personal data for the purpose of promoting goods, works, and services;

 

 

  1. Appeal unlawful actions or inaction of the Operator during data processing to Roskomnadzor or in court.

 

 

 

1.8.       Control over compliance with this Policy is carried out by the authorized person responsible for organizing personal data processing on behalf of the Operator.

 

1.9.       Responsibility for violations of the laws of the Russian Federation and the internal regulations of Metropol JSC in the field of personal data processing and protection shall be determined in accordance with the legislation of the Russian Federation.

 

  1. Purposes of Personal Data Collection

 

2.1.       The processing of personal data is limited to the achievement of specific, pre-defined, and lawful purposes. The processing of personal data incompatible with the purposes of its collection is not permitted.

 

2.2.       Only personal data relevant to the purposes of processing shall be processed.

 

 

2.3.       The Operator processes personal data for the following purposes:

 

Carrying out activities in accordance with the Charter of JSC «Metropol», including the conclusion and performance of contracts with counterparties;

 

Compliance with labor legislation in the framework of labor and related relationships, including: assistance to employees in employment, education, and career development; recruitment and selection of candidates; ensuring personal safety of employees; monitoring the quantity and quality of work performed; safeguarding property; maintaining personnel and accounting records; completing and submitting required reports to authorized bodies; organizing individual (personalized) accounting in the systems of compulsory pension and social insurance;

 

Implementation of access control.

 

 

2.4.       The processing of personal data of employees, counterparties, and clients of JSC «Metropol» is carried out solely to ensure compliance with laws and other regulatory legal acts.

 

 

 

  1. Legal Grounds for Personal Data Processing

 

3.1.       The legal grounds for personal data processing are a set of regulatory legal acts under which and in accordance with which the Operator processes personal data, including:

 

Constitution of the Russian Federation;

 

Civil Code of the Russian Federation;

 

Labor Code of the Russian Federation;

 

Tax Code of the Russian Federation;

 

Federal Law No. 208-FZ of 26.12.1995 «On Joint Stock Companies»;

 

Federal Law No. 152-FZ of 27.07.2006 «On Personal Data»;

 

Federal Law No. 149-FZ of 27.07.2006 «On Information, Information Technologies and Protection of Information»;

 

Federal Law No. 63-FZ of 06.04.2011 «On Electronic Signature»;

 

Federal Law No. 402-FZ of 06.12.2011 «On Accounting»;

 

Federal Law No. 27-FZ of 01.04.1996 «On Individual (Personalized) Record-Keeping in the System of Compulsory Pension Insurance»;

 

Rules for the Provision of Hotel Services in the Russian Federation, approved by the Decree of the Government of the Russian Federation No. 1853 of 18.11.2020;

 

Other regulatory legal acts related to the Operator’s activities.

 

 

3.2.       Other legal grounds include:

 

The Charter of JSC «Metropol»;

 

Contracts concluded between the Operator and personal data subjects;

 

Consent of personal data subjects to the processing of their personal data.

 

 

 

 

  1. Scope and Categories of Processed Personal Data, Categories of Subjects

 

4.1.       The content and volume of personal data processed must correspond to the declared purposes outlined in Section 2 of this Policy. Personal data that is excessive in relation to the stated purposes must not be processed.

 

4.2.       The Operator may process personal data of the following categories of data subjects:

 

 

4.2.4.   Clients of the Operator (natural persons, including visitors and users of the Operator's websites, applications, and information resources) — for the purposes of providing catering services, temporary accommodation, and other services in accordance with the Charter of JSC «Metropol»:

 

Full name;

 

Date and place of birth;

 

Passport details;

 

Residential registration address;

 

Contact details (including phone number);

 

Marital and social status;

 

Degree of kinship (when minors are accommodated);

 

Bank account number and card details used to pay for hotel services;

 

Taxpayer Identification Number (TIN) and Insurance Number of the Individual Personal Account (SNILS);

 

Visa details, residence permit, migration card details, and other migration-related documents;

 

Other personal data provided by clients and counterparties (natural persons) necessary for the conclusion and execution of service agreements.

 

 

4.2.5.   Representatives (employees) of the Operator’s clients and counterparties (legal entities) — for the purposes of performing activities in accordance with the Charter of JSC «Metropol»:

 

Full name;

 

Passport details;

 

Contact information;

 

Job title;

 

Other personal data provided by the representatives necessary for entering into and executing business contracts.

 

 

4.3.       The content and scope of personal data are determined based on the processing purposes. Data that is excessive or incompatible with the following main goals shall not be processed:

 

4.3.1. Establishing employment relationships, recruiting personnel;

4.3.2. Entering into and extending contracts with JSC «Metropol»;

4.3.3. Identification of the parties to contracts and transactions;

4.3.4. Fulfillment of contractual obligations, including provision of services (including hotel services), performance of work, and delivery of goods;

4.3.5. Use of websites and other information resources of the Operator in accordance with their terms of use;

4.3.6. Registration, identification, and personalization of users; providing access to resources and features for registered users; improving user experience, software products, and service quality;

4.3.7. Communicating with individuals and legal entities to send notifications, respond to inquiries, distribute newsletters and promotional messages;

4.3.8. Protecting the Operator’s legitimate interests; preventing unlawful actions and fraud; ensuring information security;

4.3.9. Access control on Operator's premises, protection of property and security of staff and clients;

4.3.10. Providing social benefits, financial aid, compensation, and benefits to employees;

4.3.11. Collecting and processing analytics and statistics on activities, information resource usage, and services provided by the Operator;

4.3.12. Compliance with labor, accounting, pension, and other applicable laws of the Russian Federation;

4.3.13. Compliance with other legislation applicable to the Operator’s activities.

 

4.4.       The Operator processes biometric personal data (information characterizing physiological and biological traits used to establish a person’s identity) in accordance with the legislation of the Russian Federation.

 

4.5.       The Operator does not process special categories of personal data related to race, nationality, political views, religious or philosophical beliefs, health status, or intimate life, except in cases provided by Russian law.

 

  1. Procedure and Conditions for Personal Data Processing

 

5.1. Personal data processing is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.

 

5.2.       Personal data processing is carried out with the consent of the personal data subjects, as well as without such consent in cases provided for by the legislation of the Russian Federation.

Consent may be expressed by the subject of personal data through conclusive actions, for example:

 

Acceptance of the terms of the rules for using the Operator’s information resources and software products;

 

Continuing to use the Operator’s applications, services, information resources, websites, and interacting with their user interfaces after being notified about data processing;

 

Granting necessary permissions to a mobile application during installation or use;

 

Ticking checkboxes, filling in corresponding fields in forms or documents;

 

Maintaining electronic correspondence referring to the processing;

 

Other actions by the subject indicating their will.

 

 

In cases explicitly provided by Russian law, consent is formalized in writing with the details required by the Personal Data Law, as well as other applicable requirements and standard forms.

In cases where personal data is obtained not directly from the subject but from other persons based on agency or other agreements or instructions, the obligation to obtain consent may lie with the person from whom the personal data was received.

 

5.3.       The Operator processes personal data for each processing purpose using the following methods:

 

Non-automated processing;

 

Automated processing, with or without transmission of data over information and telecommunication networks;

 

Mixed processing.

 

 

5.4.       Only employees of the Operator whose job duties include processing personal data are allowed to process such data.

 

5.5.       Personal data processing for each purpose listed in section 2.3 of the Policy is performed by:

 

 

Collecting personal data orally or in writing directly from the subjects;

 

Entering personal data into journals, registers, and the Operator’s information systems;

 

Using other processing methods.

 

 

5.6.       Disclosure and dissemination of personal data to third parties without the subject’s consent is prohibited unless otherwise provided by federal law. Consent for the dissemination of personal data allowed by the subject is issued separately from other consents.

Requirements for the content of consent for dissemination of personal data are established by the Roskomnadzor Order No. 18 dated 24.02.2021.

 

5.7.       Transfer of personal data to investigative authorities, the Federal Tax Service, the Social Fund of Russia, and other authorized executive bodies and organizations is carried out in accordance with Russian legislation.

 

5.8.       The Operator takes necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:

 

 

Identifying security threats during processing;

 

Adopting local regulations and other documents governing processing and protection relations;

 

Appointing responsible persons for personal data security in structural units and information systems;

 

Creating conditions for working with personal data;

 

Organizing document accounting containing personal data;

 

Managing information systems processing personal data;

 

Storing personal data under conditions ensuring their safety and preventing unauthorized access;

 

Organizing training of employees processing personal data.

 

 

5.9.       The Operator stores personal data in a form allowing identification of the subject no longer than required for each processing purpose, unless federal law or contract specifies otherwise.

 

5.9.1. Personal data on paper media are stored at JSC “Metropol” for periods defined by Russian archival law (Federal Law No. 125-FZ dated 22.10.2004 and related regulations).

 

5.9.2. Storage period of personal data processed in information systems corresponds to the storage period of paper-based personal data.

 

5.10.    The Operator stops processing personal data in the following cases:

 

Unlawful processing is detected (within three working days of detection);

 

The purpose of processing is achieved;

 

The consent for processing is expired or withdrawn when processing requires consent under the law.

 

 

5.11.    Upon achieving processing goals or withdrawal of consent, the Operator ceases processing unless:

 

Otherwise stipulated by contract involving the subject as a party or beneficiary;

 

The Operator has the right to process without consent according to law;

 

Otherwise provided by agreements between the Operator and the subject.

 

 

5.12.    Upon a subject’s request to cease processing, the Operator stops processing within 10 working days of receipt, except as otherwise provided by law. The period may be extended by no more than five working days with a motivated notice to the subject.

 

5.13.    When collecting personal data, including via the Internet, the Operator ensures recording, systematization, accumulation, storage, updating, and extraction of personal data of Russian citizens using databases located in the Russian Federation, except in cases provided by the law.

 

 

 

 

  1. Rights of Personal Data Subjects

 

6.1. A subject has the right to withdraw consent by sending a corresponding request to the Operator by mail, email, or in person.

 

6.2. A subject has the right to receive information related to the processing of their personal data, including:

6.2.1. confirmation of processing fact;

6.2.2. legal grounds and purposes of processing;

6.2.3. purposes and methods of processing used by the Operator;

6.2.4. name and location of the Operator, and information about persons with access;

6.2.5. processed data related to the subject, source of data, unless otherwise provided by law;

6.2.6. data processing and storage terms;

6.2.7. procedures to exercise rights;

6.2.8. other info as per law.

 

6.3. Subjects may require clarification, blocking, or destruction of inaccurate, outdated, illegal, or unnecessary data for the stated purpose, and take legal protection measures.

 

6.4. Subjects may complain about violations to Roskomnadzor, other authorities, or courts.

 

6.5. Subjects have the right to protect their rights, including compensation in court.

 

 

 

  1. Updating, Correcting, Deleting, Destroying Personal Data; Responses to Access Requests

 

7.1. Confirmation of processing, legal grounds, purposes, and other information required by law are provided by the Operator within 10 working days of request, extendable by 5 days with notice.

Information related to other subjects is not included unless legally justified.

Requests must include:

 

ID document number, issue date, issuing authority;

 

Evidence of relationship with the Operator (contract number, date, etc.) or proof of processing;

 

Signature of the subject or representative.

Requests may be electronic with an electronic signature under Russian law.

Information is provided in the same form as the request unless stated otherwise.

If the request lacks necessary info or the subject lacks access rights, a motivated refusal is sent.

Access rights may be restricted if disclosure violates third parties’ rights.

 

 

7.2.       If inaccurate data is found upon request or Roskomnadzor’s query, data is blocked during verification unless blocking violates rights. If confirmed inaccurate, data is corrected within 7 working days and unblocked.

 

7.3.       If unlawful processing is detected upon request or Roskomnadzor’s query, the data is blocked immediately.

 

 

7.4.       In case of unlawful or accidental disclosure or access, the Operator:

 

Notifies Roskomnadzor within 24 hours with incident details and corrective measures, including contact person info;

 

Provides investigation results within 72 hours, including info on responsible persons.

 

 

7.5. Data destruction procedures:

7.5.1. Conditions and timing:

 

Upon achieving purpose or loss of need — within 30 days;

 

Upon maximum document storage term — within 30 days;

 

Upon confirmation of unlawful data receipt — within 7 working days;

 

Upon withdrawal of consent if data retention is unnecessary — within 30 days;

 

Upon subject’s request to stop processing — within 10 days.

 

 

7.5.2. Data is destroyed upon purpose achievement or consent withdrawal unless:

 

Otherwise in contract;

 

Processing without consent is permitted by law;

 

Otherwise agreed.

 

 

7.5.3. Destruction methods are defined by the Operator’s internal documents.

8. Publication and Updating of the Policy

 

8.1. The Policy is a publicly available document of JSC «Metropol» and provides the opportunity for any person to familiarize themselves with its current version by publishing it on the official website of JSC «Metropol» in the information and telecommunications network «Internet.»

 

8.2. The Policy is effective indefinitely after approval and until it is replaced by a new version. JSC «Metropol» has the right to make changes to the Policy without notifying any persons. The Policy is reviewed and updated as necessary to keep it current.

 

8.3. Suggestions and comments for making changes to the Policy can be sent by interested parties to the email address of JSC «Metropol»: info@mtpl.ru.

TripAdvisor
We use cookies to improve the way you interact with our website. By continuing to view this page, you are agreeing to use cookies. Learn more about our "Cookies Policy".
We use marketing cookies if you have given permission for this. If you do not give permission, advertisements will still be shown, but these are random advertisements. You can make your choice below.
-->