1. Introduction
1.1. This document sets out the policy of LITRES OPERATIONS LIMITED (established and registered under the laws of the Republic of Ireland, registration number 650295, registered office: 18 MALLOW STREET, CO. LIMERICK, LIMERICK, V94N12Y, IRELAND) (hereinafter, the Service) in relation to personal data processing.
1.2. This Policy is elaborated in line with the current personal data legislation of the Russian Federation.
1.3. This Policy shall apply to all processes related to the processing, namely the collection, recording, systematization, accumulation, storage, clarification, retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, and destruction of personal data, performed with or without the use of automation tools.
2. Principles of personal data processing
Personal data shall be processed based on the following principles:
- Personal data shall be processed on a lawful and fair basis;
- The processing of personal data shall be limited to the attainment of specific, predefined, and legitimate purposes. No personal data processing that is not in line with the reasons for collecting personal data shall be allowed;
- No consolidation of databases containing personal data processed for incompatible purposes shall be permitted;
- Only personal data relevant to the purposes of processing shall be processed;
- The content and scope of the personal data being processed shall correspond to the stated processing purposes. The personal data being processed shall not be excessive in relation to the stated purposes of processing;
- When processing personal data, the accuracy, adequacy, and, where necessary, relevance of the personal data in relation to the stated purposes of its processing shall be ensured.
Unless the storage period for personal data is established by federal law or by an agreement to which the data subject is a party, beneficiary, or guarantor, personal data shall be stored in a form that allows the identification of the data subject for no longer than is necessary for the purposes of processing personal data. Personal data being processed shall be destroyed or anonymized upon achievement of the processing objectives or in the event that the need to achieve these objectives ceases to exist, unless otherwise provided by federal law.
3. Conditions for processing personal data
3.1 Personal data shall be processed subject to compliance with the principles and rules established by the General Data Protection Regulation (GDPR) and/or other applicable laws. The processing of personal data shall be allowed in the following cases:
- Personal data is processed with the consent of the data subject to the processing of their personal data;
- The processing of personal data is necessary to achieve the purposes stipulated by the General Data Protection Regulation (GDPR) and/or other applicable laws for the implementation and performance of functions, powers, and duties imposed by the General Data Protection Regulation (GDPR) and/or the other applicable laws on the operator;
- The processing of personal data is necessary for the administration of justice, the enforcement of a court order, an order of another body or official subject to enforcement in accordance with the General Data Protection Regulation (GDPR) and/or other applicable laws on enforcement proceedings;
- The processing of personal data is necessary for the performance of an agreement, to which the subject of personal data or a beneficiary or guarantor is a party, as well as for the execution of an agreement on the initiative of a personal data subject or an agreement whereby the personal data subject will be a beneficiary or guarantor;
- The processing of personal data is necessary to protect the life, health, or other vital interests of the data subject where it is impossible to obtain the consent of the data subject;
- The processing of personal data is necessary for the exercise of the rights and legitimate interests of the operator or third parties or for the achievement of socially significant purposes, provided that the rights and freedoms of the subject of personal data are not thereby violated;
- Personal data is processed for statistical or other research purposes, provided that personal data is anonymized. An exception is made for the processing of personal data for the purpose of promoting goods, works, and services on the market by establishing direct contact with potential consumers using means of communication, as well as for the purpose of political campaigning.
- Personal data is processed when access to it is provided to an unlimited number of persons by the data subject or at their request (hereinafter, personal data made publicly available by the data subject);
- Personal data is processed that is subject to publication or mandatory disclosure in accordance with federal law.
3.2. Biometric personal data (data that characterizes the physiological and biological characteristics of a person, on whose basis their identity can be established and which is used by the operator to establish the identity of the subject of personal data) shall not be processed by the Service.
3.3. Decisions that generate legal consequences for the subject of personal data or otherwise affect their rights and legitimate interests shall not be made on the grounds of automated processing of personal data alone.
3.4. Should no written consent of the subject be required for the processing of their personal data, the voluntary provision of such data by the subject or their representative shall be recognized by the parties as the provision of personal data with the consent of the subject.
3.5. The Service may entrust the processing of personal data to another entity, unless otherwise provided by federal law, based on an agreement concluded with that entity (hereinafter, the operator's assignment). In this case, the Service shall contractually oblige the entity processing personal data on behalf of the Service to comply with the principles and rules for processing personal data provided for by the General Data Protection Regulation (GDPR) and/or other applicable laws.
3.6. Should the Service entrust the processing of personal data to another entity, the Service shall be liable to the data subject for the actions of that entity. The entity processing personal data on behalf of the Service shall be liable to the Service.
3.7. The Service shall undertake and oblige other persons who have access to personal data to neither disclose personal data to third parties nor distribute it without the consent of the subject of personal data, unless otherwise provided by the General Data Protection Regulation (GDPR) and/or other applicable laws.
4. Obligations of the Service
Pursuant to the requirements of the General Data Protection Regulation (GDPR) and/or other applicable laws, the Service shall be obliged to:
Provide the data subject, upon request, with information regarding the processing of their personal data, or refuse to do so on legal grounds.
At the request of the data subject, clarify the personal data being processed, block or delete it where the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing.
Notify the data subject about the processing of personal data where the personal data has not been obtained from the data subject, save in the following cases:
- The subject has been notified of the processing of their personal data by the relevant operator;
- The Service has obtained personal data based on federal law or in connection with the performance of an agreement to which the data subject is a party, beneficiary, or guarantor;
- Personal data has been made publicly available by the data subject or obtained from a publicly available source;
- The Service processes personal data for statistical or other research purposes, for the purpose of professional journalistic activities or scientific, literary, or other creative activities, provided that this does not violate the rights and legitimate interests of the personal data subject.
- The provision of personal data contained in the Notice on the processing of personal data to the data subject violates the rights and legitimate interests of third parties.
Should the purpose of processing personal data be achieved, the processing of personal data shall be terminated immediately and the relevant personal data shall be destroyed within a period not exceeding thirty days from the date of achieving the purpose of processing personal data, unless otherwise provided for in the Agreement to which the personal data subject is a party, beneficiary, or guarantor, or in any other agreement between the Service and the personal data subject, or if the Service is not entitled to process personal data without the consent of the personal data subject on the grounds provided for by the General Data Protection Regulation (GDPR) and/or other applicable laws.
Should the data subject withdraw their consent to the processing of their personal data, the processing of personal data shall be terminated and the personal data shall be destroyed within a period not exceeding thirty days from the date of receipt of the said withdrawal, unless otherwise provided for in the agreement between the Service and the data subject.
The Service shall be obliged to notify the data subject of the destruction of personal data.
Should a data subject request that the processing of personal data for the purpose of promoting goods, works, or services on the market be discontinued, the processing of personal data shall be immediately discontinued.
5. Measures to ensure the security of personal data during processing
5.1. When processing personal data, the Service shall take the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access, destruction, alteration, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to personal data.
5.2. The security of personal data shall be ensured, in particular, through:
- Identifying threats to the security of personal data when processing it in personal data information systems;
- Applying organizational and technical measures to ensure the security of personal data when processing it in personal data information systems, which are necessary to comply with personal data protection requirements, whose implementation ensures the levels of personal data protection established by the General Data Protection Regulation (GDPR) and/or other applicable laws;
- Using means of information protection that have undergone the established conformity assessment procedure;
- Assessing the effectiveness of measures taken to ensure the security of personal data prior to the commissioning of the personal data information system;
- Detecting unauthorized access to personal data and taking action;
- Restoring personal data that has been modified or destroyed as a result of unauthorized access;
- Exercising control over measures taken to ensure the security of personal data and the level of protection of personal data information systems.