CRYSTAL HOTEL CONFIDENTIALITY POLICY (Hotel Crystal LLC)

I SCOPE OF THIS POLICY

The Privacy Policy (hereinafter — the Policy) is aimed at protecting the rights and freedoms of individuals whose personal data is processed by LLC "Hotel Crystal", which is the operator of personal data (hereinafter — the Hotel).

The policy on personal data processing is developed in accordance with the Federal Law of July 27, 2006 № 152-FZ "On Personal Data" (hereinafter — the Federal Law "On Personal Data). This policy takes into account the latest amendments to the Act of March 1, 2023.

This policy applies to all information that the Hotel, located under the domain name krystalhotel.ru, can receive about the Consumers of hotel services during the use of the Website of the Hotel, programs and products of the Hotel.

1.4 This privacy policy sets out how we collect, identify, and use the personal data that the User provides to us when using the websites, mobile applications, and our hospitality services.

The use of the Site by the User means consents to this Policy and the terms of processing of the User’s personal data.

In case of disagreement with the terms of the Privacy Policy, the User must stop using the Site.

This policy applies only to the Site of the Hotel, the Hotel has no control over and is not responsible for the site of third parties, which the User can access through the links available on the Site of the Hotel.

The Hotel does not check the accuracy of personal data provided by the User on the Hotel’s website.

When providing the Hotel with the personal data of others, such as when making a reservation on their behalf, the Guest may do so only with their consent, warning them of how the Hotel will use their data, including the purposes specified in this Privacy Policy.

II CONCEPTS AND DEFINITIONS

Data Operator — authorized employees to manage the site, acting on behalf of the Hotel, which alone or jointly with others organize and / or carry out the processing of personal data, defines the purposes and methods of processing of personal data.

Data Processor — a natural or legal person, public authority, agency or other institution that processes personal data on behalf of the data controller.

Data recipient is a natural or legal person, government body, agency or other institution to which personal data is provided, regardless of whether it is a third party.

A third party is a natural or legal person, public authority, agency or institution. Not a data subject, operator, data processor, or persons authorized by direct order of the operator or data processor to process personal data.

The User of the Hotel’s website (hereinafter referred to as the User) is a person who has access to the website through the Internet and uses the Hotel’s website.

Personal data is any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is a person who can be identified directly or indirectly, including by identifiers such as name, ID number, location information, online identity, and one or more factors of that natural person’s physical, physiological, genetic, mental, economic, cultural or social background.

Data processing is any operation or set of operations performed on personal data or sets of personal data using automation or manual means. Such operations include the collection, recording, organization, arrangement, storage, adaptation, modification, retrieval, use as reference or otherwise, disclosure by transmission, dissemination or other means, synchronization or merging, classification, erasure or destruction of data.

Confidentiality of personal data — mandatory compliance with the Hotel or any other person who received access to personal data, the requirement to prevent their dissemination without consent to the processing of personal data or availability of other legal justification.

Breach of personal data security — a breach of data security, resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of transmitted, stored or otherwise processed personal data, as well as access to data.

III LEGAL BASIS OF PERSONAL DATA PROCESSING

3.1 The legal basis for the processing of personal data is a set of legal acts, pursuant to which and in accordance with which the Hotel processes personal data, namely:

— Constitution of the Russian Federation;

-Federal Law No. 152 of 27.07.2006;

-Federal Law "On Personal Data";

-Federal Law of 24.11.1996 № 132;

-Federal Law "On the Fundamentals of Tourist Activity in the Russian Federation";

— Decree of the Government of the Russian Federation of 18.11.2020"On Approval of the Rules of providing hotel services in the Russian Federation";

-Federal Law of 18.07.2006 № 109;

-Federal Law "On Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation";

-The Russian Federation Government Regulation № 9 from 15.01.2007 on the Procedure of Migration Registration of Foreign Citizens and Stateless Persons in the Russian Federation;

-Other legal acts.

IV THE SUBJECT OF THE PRIVACY POLICY

4.1 The hotel collects and processes the following personal data:

-Passport data (name, date of birth, place of birth, registration address);

-name, date of birth of the guest’s children;

residence address; -citizenship; -citizenship

-nationality;

-Visa and migration card data (for foreign citizens);

-Number and requisites of bank cards;

contact phone number; -address of email;

E-mail address; -place of work;

-place of work;

-position.

4.2 The hotel receives all personal data directly from the subject of personal data — Guests or their legal representatives.

4.3 The hotel protects the User’s data.

4.4 All personal information must be securely stored and not disclosed.

V THE PURPOSE OF COLLECTING PERSONAL INFORMATION ABOUT GUESTS

5.1 The purpose of the Policy is to protect the rights and freedoms of individuals and citizens in the processing of their personal data.

5.2 Personal data is processed for the purposes of:

— identification of the User for registration of accommodation or other services and / or conclusion of a contract for hotel services;

— providing the User with access to the personalized resources of the Hotel Website;

-Establishment of feedback with Users, including sending notices, inquiries regarding the provision of accommodation or other services, processing requests and applications from the User;

-Confirming the accuracy and completeness of the personal information provided by the User;

-Notifying the User of the Site about the confirmation of booking;

-processing and receiving payments, confirming tax or tax benefits, disputing payment and other financial operations;

-Providing the User with special offers, price information, newsletters and other information on behalf of the Hotel;

-Carrying out advertising activities with the User’s consent;

-Execution of a contract for the provision of accommodation or temporary accommodation services, one party to which is a Guest. As well as to provide additional services of the Hotel to its clients. The Hotel collects data only to the extent necessary to achieve the named purpose.

5.3 Processing of personal data incompatible with the purpose of personal data collection is not allowed.

5.4 Personal data may not be used for the purpose of causing property or moral damage to citizens, or impeding the realization of the rights and freedoms of citizens of the Russian Federation.

VI INFORMATION ON THE PROCESSING OF PEROSAN DATA

6.1The Hotel processes personal data on a lawful and fair basis to perform the functions, powers and duties imposed by law, to exercise the rights and legitimate interests of the Hotel, employees of the Hotel and third parties.

6.2 The hotel processes personal data in an automated way, with transmission over the internal network of the legal entity as well as with transmission over the Internet.

6.3Processing of personal data includes collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), blocking, deletion and destruction.

6.4 Only employees of the Hotel who need it to perform their job duties have access to the processing of guests' personal data.

6.5 Personal data of Guests is stored on paper and in electronic form in the local computer network of the Hotel.

6.6 The hotel ensures the confidentiality of personal data and is obliged to prevent its dissemination to third parties without the consent of the Guests or other legal grounds. Information about the personal data of the Guests is confidential.

VII THE USE AND TRANSFER OF PERSONAL DATA

7.1 The use of guests' personal data shall be carried out by authorized employees of the Hotel solely to achieve the purposes defined in the contract between the Guest and the Hotel, in particular to provide accommodation and temporary accommodation services, as well as additional services.

7.2 Access to personal data to employees of the Hotel, whose activities are not directly related to the work with personal data of Guests, is prohibited.

7.3 The hotel does not transfer personal data across borders.

7.4 It is not permitted to answer questions related to the transfer of information containing personal data by telephone or fax.

7.5 The hotel has the right to provide the personal data of Guests to third parties in the following cases:

-If disclosure of such information is required to comply with the law, execute a judicial act;

-to assist law enforcement or other governmental authorities only on the basis and in the manner prescribed by the laws of the Russian Federation;

— to protect the legal rights of the Guest and the Hotel.

7.6 In case of loss or disclosure of personal data, the management of the Hotel informs the User about the loss or disclosure of personal data.

7.7 The management of the Hotel together with the User shall take all necessary measures to prevent losses or other negative consequences caused by the loss or disclosure of personal data of the User.

VIII PROTECTION AND SECURITY OF PERSONAL DATA

8.1 The management of the Hotel shall take necessary organizational and technical measures to protect personal information of the User from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as other unlawful actions of third parties. And uses information protection means necessary to achieve the established level of personal data security.

8.2 The hotel appoints a person responsible for organizing the processing of personal data to fulfill the obligations under the Federal Law "On Personal Data" and the regulations adopted in accordance with it.

8.3 The hotel informs employees about the provisions of personal data legislation.

8.4 The hotel only allows employees to access personal data in order to perform their job duties.

8.5 The hotel determines security threats and personal data when processing them.

8.6 The hotel detects the facts of unauthorized access to personal data and takes measures to respond, including the restoration of personal data, modified or destroyed due to unauthorized access to them.

8.7 Protection of access to electronic databases containing personal data of Guests is provided by the use of licensed software products that prevent unauthorized access by third parties to personal data of Guests.

8.8 Documents containing personal data of Guests are stored in the premises, providing protection against unauthorized access.

8.9 After the expiry of the storage period of Personal Data, or in case of withdrawal of the agreement to process personal data by the guest, the personal data shall be destroyed. The destruction of personal data by the operator is done in accordance with the Federal Law "On Personal Data" № 152, taking into account all the latest editions (from 01.03.2023).

IX LIABILITY FOR VIOLATION OF THE RULES GOVERNING THE PROCESSING OF PERSONAL DATA

9.1 The hotel is responsible for the personal information that is in its possession, and enshrines the personal responsibility of employees to respect the established regime of confidentiality.

9.2 Each employee who receives a document containing personal data of a Guest for work is solely responsible for the safety of the medium and the confidentiality of the information.

9.3 Any person may complain to an employee of the Hotel about a violation of this policy. Complaints and applications regarding compliance with data processing requirements are reviewed within 30 days of receipt.

9.4 The Hotel staff is obliged to ensure the proper level of consideration of requests, applications and complaints of Guests, as well as to assist in the execution of the requirements of the competent authorities. The management of the Hotel, which has not fulfilled its obligations, shall be liable for losses incurred by the User in connection with the misuse of personal data, in accordance with the laws of the Russian Federation.

9.5 Persons guilty of violating the rules governing the receipt, processing and protection of personal data shall bear disciplinary, administrative, civil liability in accordance with federal law.

9.6 In case of loss or disclosure of confidential information, the management of the Hotel is not responsible if this confidential information:

— was in the public domain prior to its loss or disclosure;

-was received from a third party prior to its receipt by the Hotel;

-was disclosed with the consent of the User.

X OBLIGATIONS OF THE PARTIES

10.1 The hotel is obligated:

-receive the personal data of the Guest directly from the Guest;

-to process the personal data of the Guests solely for the purpose of providing legitimate services to the Guests;

-Ensure storage and protection of the personal data of the Guests against their unlawful use or loss;

-provide access to their personal data to the Guest or his/her legal representative upon application or upon receipt of a request containing the number of the basic identity document of the Guest or his/her legal representative, information on the date of issue of the said document and the issuing authority and the handwritten signature of the Guest or his/her legal representative. The request may be sent electronically and signed by electronic digital signature in accordance with the legislation of the Russian Federation.

-not to receive and not to process personal data of the Guest with his/her race, nationality, political views, religious and philosophical beliefs, health status, intimate life, except in cases provided by law;

-Limit the right of the Guest to access their personal data, if access to their personal data violates the rights and legitimate interests of third parties.

-In case of detection of unreliable personal data or unlawful actions with them by the operator upon application or at the request of the personal data subject or his legal representative or the authorized body for the protection of the rights of personal data subjects, the operator shall block personal data relating to the relevant personal data subject from the moment of such application or receipt of such request for the period of verification;

-In case of confirmation of the fact of inaccuracy of personal data, the operator shall clarify personal data and unblock them based on documents submitted by the subject of personal data or his legal representative or the authorized body for the protection of the rights of subjects of personal data, or other necessary documents;

— In case of detection of misconduct with personal data, the operator shall eliminate the violations within a period not exceeding three working days from the date of such detection. If it is impossible to eliminate the violations, the operator shall destroy personal data within a period not exceeding three working days from the date of detection of unlawful actions with personal data. The operator shall notify the personal data subject or his legal representative about the elimination of the violations or the destruction of personal data, and if the appeal or request was sent by the competent authority for the protection of the rights of personal data subjects, also the said authority.

10.2 Information about the availability of personal data must be provided to the Guest in an accessible form and must not contain personal data relating to other subjects of personal data.

10.3 The user is obligated to:

-provide information about personal data necessary to use the Website of the Hotel;

-update, supplement the provided information on personal data in case of changes in this information.

10.4 The guest has the right to:

-Access to information about himself, including information containing information confirming the fact of personal data processing, as well as the purpose of such processing; methods of processing personal data; information about persons who have access to personal data or who may be granted such access; list of processed personal data and source of its receipt, terms of processing personal data, including the terms of its storage; information about what legal consequences for the subject may entail the processing of his personal data

-Determination of the forms and methods of processing of his personal data;

-Limitation of methods and forms of processing of his personal data;

-Prohibition of distribution of personal data without his consent;

-modification, clarification, destruction of information about himself;

-Appeal against wrongful acts or omissions in the processing of personal data.

XI DISPUTE RESOLUTION

11.1 Before going to court with a claim for disputes arising out of the relationship between the User of the Hotel website and the management of the Hotel, it is mandatory to submit claims (written offer to voluntarily resolve the dispute).

11.2 The recipient of the claim shall notify the claimant in writing of the results of the claim within 30 calendar days of receipt of the claim.

11.3 If an agreement is not reached, the dispute will be referred to a judicial authority in accordance with the applicable laws of the Russian Federation.

XII ADDITIONAL TERMS

12.1 The Hotel has the right to make changes to this Privacy Policy without the User’s consent.

12.2 The new Privacy Policy will be effective from the moment it is posted on the Hotel’s Website, unless otherwise provided for in the new version of the Policy.

12.3 Any suggestions or questions about this Policy should be reported to the management of the Hotel. The current Privacy Policy is available at www.krystalhotel.ru/en/pp