Privacy Policy

1.1. This Personal Data Processing Policy (“the Policy”) sets out the procedure and conditions for the processing of personal data, the measures taken to protect such data, and the rights and obligations of the Controller and personal data subjects.

1.2. The Policy has been developed in accordance with Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006, Decree of the Government of the Russian Federation No. 1119 dated 1 November 2012, and other regulatory legal acts of the Russian Federation governing the processing and protection of personal data.

1.3. This Policy applies to all personal data received by the Controller:

• from clients and guests of Lastochkiny Gory Hotel;


• from clients of Abashev Bistro restaurant;


• from users of the Controller’s websites;


• from employees and job applicants;


• from counterparties and representatives of counterparties, to the extent necessary for the performance of contracts.

Full name: Limited Liability Company “TURISTICHESKAYA GOSTINITSA LASTOCHKA”

Short name: LLC “TG LASTOCHKA”

TIN: 5837081780

OGRN: 1225800001206

Registered address: 35 Mira Street, Penza, Penza Region, 440046, Russia

General Director: Anastasiia Sergeevna Sidorova

Telephone: +7 (8412) 46-00-01

Email: info@lastochkinygory.ru

Website: www.lastochkinygory.ru, www.abashev-bistro.ru

Depending on the category of the data subject and the purposes of processing, the Controller processes the following personal data:

3.1. Guests of Lastochkiny Gory Hotel

The Controller processes personal data of guests of Lastochkiny Gory Hotel to the extent necessary for booking, check-in, accommodation and compliance with the requirements of Russian law, including:

• surname, first name and patronymic;


• telephone number;


• email address;


• identity document details;


• information required for the provision of hotel services, including preferred communication channel, accommodation and service preferences;


• information about bookings, check-ins, stays and services provided;


• payment and refund information;


• information about participation in the hotel loyalty programme;


• history of stays and interactions with the Controller.

Personal data is processed only to the extent necessary to achieve the relevant processing purposes.

3.2. Clients of Abashev Bistro Restaurant

The Controller processes personal data of clients of Abashev Bistro restaurant to the extent necessary for table reservations, provision of catering services and participation in the restaurant loyalty programme, including:

• surname, first name and patronymic, where available;


• telephone number;


• email address, where available;


• information about table reservations and restaurant visits;


• information about participation in the restaurant loyalty programme;


• preferences voluntarily provided by the client.

If a client of Abashev Bistro restaurant is also a staying guest of Lastochkiny Gory Hotel, personal data is processed as part of the performance of the hotel services agreement and the internal interaction of the Controller’s structural divisions, to the extent necessary for the provision of services.

3.3. Users of the Controller’s Websites

The Controller processes personal data of users of the Controller’s websites, including:

• telephone number and email address provided through feedback, booking and enquiry forms;


• cookie files;


• data on user behaviour on the Controller’s websites, including anonymised analytical data.

3.4. Employees and Job Applicants

The Controller processes personal data of employees and job applicants to the extent provided for by Russian labour legislation, including:

• surname, first name and patronymic;


• passport details;


• registered address and actual residential address;


• SNILS;


• TIN;


• bank details;


• information about salary and other payments;


• information about employment history;


• employment contracts, orders and other HR documents;


• other personal data provided by the personal data subject or obtained by the Controller in connection with employment relations or their formalisation.

3.5. Counterparties and Representatives of Counterparties

For the purpose of performing contractual obligations, the Controller processes personal data of counterparties and/or their representatives, including:

• surname, first name and patronymic;


• position;


• contact details, including telephone number and email address;


• other information required for the conclusion and performance of contracts.

3.6.

The Controller does not process special categories of personal data, including information concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, health or intimate life of personal data subjects, except in cases expressly provided for by Russian labour legislation in relation to the Controller’s employees, including preliminary and periodic medical examinations and personal medical record books.

Photographs, video recordings and audio recordings made by the Controller are not used for the purpose of biometric identification.

Biometric personal data within the meaning of Article 11 of Federal Law No. 152-FZ “On Personal Data” is not processed by the Controller.

Video surveillance on the Controller’s premises is carried out solely for the purposes of maintaining public order and ensuring the safety of guests, employees and property, without personal identification and with a limited retention period for recordings.

Audio recording of telephone conversations is carried out only with mandatory prior notification, solely for the purposes of improving service quality and operational processes, and is not used to identify the speaker.

Purpose No. 1. Preliminary Booking of Services at Lastochkiny Gory Hotel

Types of personal data: surname, first name and patronymic; telephone number; email address; booking information; interaction history.

Recipients (subcontractors): booking and IT support contractors, including online booking systems.

Retention period: 10 years from the cancellation of the booking or from the commencement of performance of the hotel services agreement.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 2. Conclusion and Performance of the Hotel Services Agreement

Types of personal data: surname, first name and patronymic; telephone number; email address; identity document details; information about bookings, check-ins, stays and services provided; payment and refund information; information concerning minors where required by law.

Recipients (subcontractors): booking systems and other persons engaged for the performance of the hotel services agreement.

Retention period: 10 years from completion of the hotel services agreement.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 3. Compliance with Migration and Registration Requirements

Types of personal data: surname, first name and patronymic; date and place of birth; sex; citizenship; identity document details; registered address; for foreign nationals — migration card details, visa details, residence permit or temporary residence permit details.

Recipients (subcontractors): migration and registration authorities and other state authorities in cases предусмотренных legislation of the Russian Federation.

Retention period: 3 years unless otherwise established by the legislation of the Russian Federation.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 4. Retention of Stay and Interaction History with Guests

(including confirmation of stays upon lawful requests)

Types of personal data: surname, first name and patronymic; contact details; information about dates and facts of stays; history of services provided; interaction history with the Controller.

Recipients (subcontractors): public authorities and other persons where lawful grounds exist.

Retention period: 10 years.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 5. Administration of the Lastochkiny Gory Hotel Loyalty Programme

(exclusively subject to the consent of the personal data subject)

Types of personal data: surname, first name and patronymic; telephone number; email address; date of birth, where available; stay history; preferences.

Recipients (subcontractors): mailing and IT support contractors engaged in the operation of loyalty programmes.

Retention period: 10 years from the last interaction or until consent is withdrawn.

Deletion period: upon expiry of the retention period or upon withdrawal of consent, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 6. Table Reservations and Customer Service at Abashev Bistro Restaurant

Types of personal data: surname, first name and patronymic, where available; telephone number; email address, where available; information about table reservations and visits.

Recipients (subcontractors): contractors providing IT support and restaurant process automation services.

Retention period: 10 years.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 7. Administration of the Abashev Bistro Loyalty Programme

(subject to the consent of the personal data subject)

Types of personal data: surname, first name and patronymic; telephone number; email address, where available; visit history; preferences.

Recipients (subcontractors): mailing and IT support contractors engaged in the operation of loyalty programmes.

Retention period: 10 years from the last interaction or until consent is withdrawn.

Deletion period: upon expiry of the retention period or upon withdrawal of consent, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 8. Conclusion and Performance of Civil Law Agreements

(including agreements with private individuals and self-employed persons)

Types of personal data: surname, first name and patronymic; passport details; registered address; TIN; SNILS, where available; bank details; information about completed works or services rendered; signature.

Recipients (subcontractors): electronic document management operators; banks; other persons engaged in the performance of contracts.

Retention period: 5 years from completion of the agreement unless otherwise established by the legislation of the Russian Federation.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 9. Performance of Agreements with Agents and Other Counterparties

(confirmation of stays, settlements and reporting)

Types of personal data: surname, first name and patronymic of guests; information about dates and facts of stays; other information required for the performance of contractual obligations.

Recipients (subcontractors): booking agents; payment systems; electronic document management operators; other counterparties within the framework of agreements.

Retention period: 5 years from completion of the agreement or for such periods as established by the legislation of the Russian Federation.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 10. Processing of Enquiries, Reviews and Complaints

Types of personal data: surname, first name and patronymic; contact details, including telephone number and email address; contents of enquiries, reviews or complaints; interaction history.

Recipients (subcontractors): contractors responsible for receiving and processing enquiries; review and communication platforms, where applicable.

Retention period: 5 years from completion of the review of the enquiry.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 11. Improvement of Service Quality at Lastochkiny Gory Hotel and Abashev Bistro

Types of personal data: surname, first name and patronymic; contact details; information about services provided; interaction history; reviews and service quality assessments.

Recipients (subcontractors): contractors responsible for analytics and IT support of service processes, where applicable.

Retention period: 10 years from the last interaction or, in anonymised form, without limitation.

Deletion period: upon expiry of the retention period, personal data shall be destroyed or anonymised.

Purpose No. 12. Improvement of the Controller’s Websites and Web Analytics

(cookies, user behaviour, anonymised analytical data)

Types of personal data: contact details, where voluntarily provided by the user; cookie files; data relating to user behaviour on the Controller’s websites, including anonymised analytical data.

Recipients (subcontractors): contractors providing web analytics and technical website support services.

Retention period: up to 5 years or until anonymisation of the data, after which the retention period is unlimited.

Deletion period: upon expiry of the retention period, personal data shall be destroyed or anonymised.

Purpose No. 13. HR Administration and Compliance with the Requirements of the Legislation of the Russian Federation

(including employment relations, accounting and tax records, medical examinations, personal medical record books and military registration)

Types of personal data: surname, first name and patronymic; passport details; registered and residential address; SNILS; TIN; bank details; employment information; military registration information; information contained in documents relating to mandatory medical examinations and personal medical record books; other personal data, the processing of which is required under the legislation of the Russian Federation.

Recipients (subcontractors): state authorities and state extra-budgetary funds, including the Federal Tax Service and the Social Fund of Russia; banks; medical organisations; electronic document management operators; other persons in cases provided for by the legislation of the Russian Federation.

Retention period: for the periods established by labour, tax and archival legislation of the Russian Federation, but not less than 5 years.

Deletion period: upon expiry of the retention period, paper records shall be destroyed and personal data deleted from information systems.

Purpose No. 14. Recruitment and Selection of Personnel

(review of CVs, interviews and formation of a talent pool)

Types of personal data: surname, first name and patronymic; contact details, including telephone number and email address; information about education and work experience; other personal data contained in a CV or candidate application form.

Recipients (subcontractors): recruitment contractors, where applicable; persons participating in recruitment activities on behalf of the Controller.

Retention period: 10 years or until withdrawal of consent by the personal data subject.

Deletion period: upon expiry of the retention period or upon withdrawal of consent, paper records shall be destroyed and personal data deleted from information systems.

The Controller processes personal data on lawful grounds, including:

• on the basis of the consent of the personal data subject, provided in written, electronic or any other form allowing confirmation of receipt;


• without the consent of the personal data subject — in cases provided for by the legislation of the Russian Federation, as well as where processing is necessary for:
  
  
  
  • the conclusion and performance of agreements to which the personal data subject is a party;
  
  
  • compliance with obligations imposed on the Controller by the legislation of the Russian Federation;
  
  
  • protection of the rights and legitimate interests of the Controller or third parties;
  
  
  • administration of justice, execution of court decisions and lawful requests of state authorities.
  
  
  
  

The legal grounds for the processing of personal data include:

• Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”;


• the Civil Code of the Russian Federation;


• the Labour Code of the Russian Federation;


• the Tax Code of the Russian Federation;


• other federal laws and subordinate legal acts of the Russian Federation;


• agreements concluded by the Controller with personal data subjects and/or third parties;


• consent of the personal data subject to the processing of personal data — where such consent is required under the legislation of the Russian Federation.

6.1. The Controller processes personal data in compliance with the principles and requirements established by the legislation of the Russian Federation, including the principles of lawfulness, fairness, data minimisation, purpose limitation and storage limitation.

Personal data is processed:

• on the basis of the consent of the personal data subject — where such consent is required;


• or on another lawful basis provided for by the legislation of the Russian Federation, without obtaining consent from the personal data subject, where processing is necessary to achieve the purposes specified in this Policy.

6.2. The Controller may transfer personal data to third parties solely to the extent necessary to achieve specific processing purposes and subject to compliance with the requirements of the legislation of the Russian Federation concerning personal data protection.

Personal data may be transferred, including, to:

• payment, booking and information systems;


• booking agents and other counterparties in the course of performing contractual obligations;


• electronic document management operators and state information systems;


• state authorities and migration and registration authorities — in cases and to the extent provided for by the legislation of the Russian Federation;


• contractors and other persons engaged by the Controller to achieve the purposes of personal data processing, including IT support, analytics, mailing and process automation services.

Personal data transferred to third parties may not be used for the third parties’ own purposes unless otherwise provided for by the legislation of the Russian Federation or by contract.

6.3. Databases containing personal data of citizens of the Russian Federation are localised by the Controller within the territory of the Russian Federation.

Personal data is stored and processed:

• in information systems hosted on servers located within the territory of the Russian Federation;


• on paper records kept on the Controller’s premises with restricted access.

6.4. Access to personal data is granted only to authorised employees of the Controller, the list of whom is determined by local regulations and/or orders of the Controller.

Employees authorised to process personal data:

• receive instruction and training regarding the processing and protection of personal data;


• are required to comply with confidentiality and personal data security requirements.

Access to personal data is granted on a strictly need-to-know basis according to the specific duties of the employee concerned.

The personal data subject has the right to:

• obtain information relating to the processing of their personal data, including information regarding the fact of processing, legal grounds, purposes, methods of processing, categories of personal data processed, retention periods and persons to whom the personal data may be transferred;


• require the Controller to clarify, block or destroy their personal data where such data is incomplete, outdated, inaccurate, unlawfully obtained or no longer necessary for the stated processing purposes;


• withdraw consent to the processing of personal data — where processing is based on consent;


• object to the processing of personal data for direct marketing purposes, including informational and advertising communications;


• appeal against actions or omissions of the Controller that violate their rights and legitimate interests before the authorised personal data protection authority or in court;


• exercise other rights provided for by Federal Law No. 152-FZ “On Personal Data” and other regulatory legal acts of the Russian Federation.

Withdrawal of consent by the personal data subject does not affect the lawfulness of processing carried out prior to such withdrawal and does not require termination of personal data processing where such processing is carried out on another lawful basis provided for by the legislation of the Russian Federation.

The rights of personal data subjects may be exercised by submitting a written request or an electronic request using the contact details specified in Section 11 of this Policy.

The Controller implements the necessary and sufficient legal, organisational and technical measures to ensure the security of personal data and to protect it against unlawful or accidental access, destruction, modification, blocking, copying, disclosure, dissemination and other unlawful actions.

For the purpose of protecting personal data, the Controller implements, among others, the following measures:

• appointment of a person responsible for organising the processing and ensuring the security of personal data;


• development, approval and implementation of local regulations governing the procedures for processing and protecting personal data;


• restriction of access to personal data and recording the actions of employees authorised to process such data;


• granting access to personal data on a strict need-to-know basis;


• use of anti-virus protection and other information security tools;


• backup copying of personal data and storage of backup copies on secure media;


• regular updating of software and information security tools;


• storage of paper records containing personal data in premises with restricted access;


• destruction of paper records using technical means preventing the recovery of information, as well as secure deletion of personal data from electronic media;


• instruction and training of employees regarding the processing and protection of personal data;


• internal control and periodic audits to ensure compliance with the legislation of the Russian Federation and the Controller’s local regulations concerning personal data processing.

9.1. Retention periods for personal data are determined by the purposes of personal data processing specified in this Policy, as well as by the requirements of the legislation of the Russian Federation and the terms of agreements to which the Controller is a party.

9.2. Upon achievement of the purposes of personal data processing or expiry of the established retention periods, personal data shall be destroyed or anonymised, except where further retention and processing are necessary:

• to comply with the requirements of the legislation of the Russian Federation;


• for the performance of agreements;


• to protect the rights and legitimate interests of the Controller and/or third parties.

9.3. Where a personal data subject withdraws consent to the processing of personal data, the Controller shall cease processing and destroy or anonymise the personal data within 30 calendar days, unless otherwise provided for by the legislation of the Russian Federation or where further processing is permitted on another lawful basis.

9.4. Personal data shall be destroyed by the Controller in compliance with the legislation of the Russian Federation and local regulations, including:

• for personal data contained on paper records — by physical destruction preventing the recovery of information;


• for personal data contained in electronic information systems — by secure deletion preventing the recovery of data.

9.5. Processing of personal data carried out without the use of automated means shall comply with the requirements of Resolution of the Government of the Russian Federation No. 687 dated 15 September 2008 “On Approval of the Regulation on the Specific Features of Processing Personal Data Without the Use of Automated Means” (as amended).

10.1. The Controller may amend and supplement this Policy for the purpose of updating it, ensuring compliance with the current legislation of the Russian Federation and the Controller’s internal procedures.

10.2. A new version of the Policy shall enter into force from the moment it is published on the Controller’s official websites, unless otherwise provided for by the new version of the Policy.

10.3. The current version of this Policy is publicly available at:

• on the official website of Lastochkiny Gory Hotel — https://lastochkinygory.ru;


• on the official website of Abashev Bistro restaurant — https://abashev-bistro.ru.

11. Contacts Regarding Personal Data Matters

For matters relating to the processing of personal data, personal data subjects may contact the Controller using the following details:

Email address: info@lastochkinygory.ru

Postal address:
Building 35, Mira Street,
Penza, Penza Region, 440046, Russian Federation

Telephone: +7 (8412) 46-00-01