POLITICS REGARDING THE PROCESSING OF PERSONAL DATA

Contents
1. General Provisions2. Purposes of Personal Data Collection3. Legal Basis for Processing Personal Data4. The Scope and Categories of Processed Personal Data5. Procedure and Conditions of Personal Data Processing6. Actualisation, correction, deletion, destruction of personal data

1. GENERAL PROVISIONS

1.1 This Policy on Personal Data Processing (hereinafter referred to as the Policy) is developed in compliance with the requirements of the international agreements between in the field of personal data protection and other legal acts ensuring personal data protection (hereinafter referred to as the Personal Data Law), in order to ensure the protection of human and civil rights and freedoms when processing personal data, including the protection of the right to privacy and personal data protection.

1.2 The Policy applies to all personal data processed by PHENIX JAPAN (hereinafter referred to as the Operator)

1.3 The Policy applies to the relations in the field of personal data processing arisen by the Operator both before and after the approval of this Policy.

1.4 This Policy is published in free access in the information and telecommunication network Internet on the Operator's website.

1.5 Basic concepts used in the Policy:

Personal Data Subject/Customer
a natural person using the Operator's website, who owns personal data and can be identified by this data.
personal data
any information relating to a directly or indirectly defined or identifiable natural person (subject of personal data);
personal data operator (operator)
an organisation that independently or jointly with other persons organises and (or) carries out the processing of personal data, as well as determines the purposes of personal data processing, the composition of personal data subject to processing, actions (operations) performed with personal data;
processing of personal data
any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Processing of personal data includes, but is not limited to:
  • collection;
  • entry;
  • systematisation;
  • accumulation;
  • storage;
  • clarification (update, change);
  • extraction;
  • usage;
  • transmission (distribution, provision, access);
  • depersonalisation;
  • blocking;
  • deletion;
  • annihilation;
automated processing of personal data
processing of personal data by means of computer equipment;
dissemination of personal data
actions aimed at disclosure of personal data to an indefinite number of persons;
provision of personal data
actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
blocking of personal data
temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
destruction of personal data
actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
depersonalisation of personal data
actions as a result of which it becomes impossible to determine, without the use of additional information, whether personal data belong to a particular subject of personal data;
personal data information system
a set of information technologies and technical means contained in databases of personal data and ensuring their processing;
biometric personal data
information about physiological and biological features of a person, by which his/her identity can be established.
Cookies

Cookies are fragments of data sent by a web server to a browser when the Client visits the Site. The Company automatically receives some types of information obtained during the interaction of users with the Site. This refers to technologies and services such as web protocols, cookies, web tags, and third party applications and tools. A cookie is a piece of data that is automatically located on the hard drive of your computer each time you visit a website. A cookie is therefore the browser's unique identifier for a website. Cookies allow information to be stored on a server and help you navigate the web more easily, as well as enabling analysis of website, evaluation of results and targeting of behavioural advertising. Most web browsers allow the use of cookies, but you can change your settings to refuse cookies or track the way they are sent. However, some resources may not function properly if cookies are disabled in your browser.

1.6 The main rights and obligations of the Operator.

1.6.1 The Operator shall have the right to:

  • independently determine the composition and list of measures necessary and sufficient to ensure the fulfilment of the obligations stipulated by the Personal Data Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by the Personal Data Law or other federal laws;
  • entrust the processing of personal data or transfer it to another person with the consent of the personal data subject, unless otherwise provided for by federal law, on the basis of a contract concluded with this person. The person carrying out personal data processing on behalf of the Operator is obliged to comply with the principles and rules of personal data processing stipulated by the Personal Data Law, to observe confidentiality of personal data, to take necessary measures aimed at ensuring fulfilment of obligations stipulated by the Personal Data Law;
  • in case the personal data subject withdraws consent to personal data processing, the Operator has the right to continue personal data processing without the consent of the personal data subject if there are grounds specified in the Personal Data Law.

1.6.2 The Operator shall:

  • organise the processing of personal data in accordance with the requirements of the Personal Data Law;
  • respond to appeals and requests of personal data subjects and their legal representatives in accordance with the requirements of the Personal Data Law;
  • report to the authorised body for the protection of the rights of subjects of personal data at the request of this body the necessary information within 10 working days from the date of receipt of such a request. This term may be extended, but not more than for five working days.

1.7 The basic rights of the personal data subject. The subject of personal data has the right to:

  • receive information regarding the processing of his/her personal data, except in cases provided for by law. Information shall be provided to the subject of personal data by the Operator in an accessible form and shall not contain personal data relating to other subjects of personal data, except in cases where there are legal grounds for disclosure of such personal data. The list of information and the procedure for obtaining it is established by the Law on Personal Data;
  • to demand from the operator to clarify his personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided for by law to protect his rights;
  • give prior consent to the processing of personal data in order to promote goods, works and services on the market;
  • to appeal in court against unlawful acts or omissions of the Operator in the processing of his/her personal data.

1.8 Control over compliance with the requirements of this Policy shall be exercised by the authorised person responsible for organisation of personal data processing at the Operator.

1.9 By agreeing to this Policy, the personal data subject provides the Operator with his/her consent to the processing of personal data specified in Section 4 of this Policy for the purposes specified in Section 2 of this Policy.

1.10. Provision of personal data to affiliated persons and persons who are connected with the Operator by contractual relations is carried out for fulfilment of contractual relations concluded between the Customer and third parties for: purchase of goods, delivery and transportation of goods.

1.11. Affiliated persons and persons connected with the Operator by contractual relations undertake to ensure confidentiality of information and guarantee its protection, as well as undertake to use the obtained information exclusively for the purposes of fulfilment of the purposes specified in Section 2 of this Policy.

2. PURPOSES OF PERSONAL DATA COLLECTION

2.1 The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. Processing of personal data incompatible with the purposes of personal data collection is not allowed.

2.2 Only personal data that fulfils the purposes for which it is processed shall be processed.

2.3 The Operator shall process personal data of natural persons for the following purposes:

  • ensuring compliance with laws and other regulations;
  • forming a base of those who are (intend to become) the Operator's counterparties/customers or civil law relations: conclusion, execution, amendment, cancellation of various contracts, including vehicle sales and purchases, ordering, notification of order status, processing and receipt of payments;
  • identification of users of the Operator's websites, applications, messengers and social networks, other services and software products, processing of requests and applications from them, other interaction with them, identification and elimination of errors on websites, applications, messengers and social networks, other services and software products of the Operator;
  • information interaction with contractors, users of websites, applications, messengers and social networks, other services and software products of the Operator;
  • carrying out measures to settle applications, claims, messages, other appeals of individuals received from them or left by them in writing, orally, by telephone, via messengers, social networks, other possible forms or other possible sources;
  • participate in promotions, surveys, and receive news, information about products, events, promotions or services.

3. LEGAL BASIS FOR PROCESSING PERSONAL DATA

3.1 The legal basis for personal data processing is a set of regulatory legal acts, pursuant to which and in accordance with which the Operator processes personal data.

3.2 The legal basis for the processing of personal data is also:

  • contracts concluded between the Operator and personal data subjects;
  • consent of personal data subjects to the processing of their personal data;

4. THE SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS

4.1 The content and scope of processed personal data shall comply with the stated purposes of processing as provided for in Section 2 of this Policy. The processed personal data shall not be redundant in relation to the stated purposes of their processing.

4.2 The Operator shall process the following personal data of the Customer:

  • last name, first name, middle name;
  • date and place of birth;
  • passport details;
  • residential registration address;
  • the delivery address of the goods/cargo;
  • contact details (phone number, email address, nickname/login in messengers and social networks);
  • individual taxpayer number;
  • bank account details;
  • order history;
  • Cookies;
  • Geopositioning information;
  • IP address;
  • access time;
  • information about the browser (or other programme that accesses the advertisements);

4.3 The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, state of health, intimate life, except for cases provided for by the legislation.

5. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING

5.1 Processing of personal data shall be carried out by the Operator in accordance with the requirements of the legislation.

5.2 The processing of personal data shall be carried out with the consent of personal data subjects to the processing of their personal data, as well as without it in cases provided for by the Law on Personal Data.

5.3 The Operator shall process personal data for each purpose of their processing in the following ways:

  • automated processing of personal data with or without transmission of the received information via information and telecommunication networks;

5.4 The Operator's employees whose job description includes personal data processing are allowed to process personal data.

5.5 The processing of personal data for each purpose of processing specified in clause 2.3 of the Policy is carried out by:

  • receiving personal data orally and in writing directly from personal data subjects, including via the Internet;
  • entering personal data into the Operator's journals, registers and information systems;
  • using other methods of personal data processing.

5.6 The Operator shall take the necessary legal, organisational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, dissemination and other unauthorised actions, including:

  • identifies threats to the security of personal data during its processing;
  • adopts local normative acts and other documents regulating relations in the field of personal data processing and protection;
  • appoints persons responsible for ensuring personal data security in the structural subdivisions and information systems of the Operator;
  • creates the necessary conditions for working with personal data;
  • organises record keeping of documents containing personal data;
  • organises work with information systems where personal data are processed;
  • stores personal data in conditions that ensure their safety and prevent unauthorised access to them;
  • organises training of the Operator's employees processing personal data. Provides: data encryption, backup, access control, regular security updates.

5.9 The Operator shall store personal data in a form that allows identification of the personal data subject for no longer than required by each purpose of personal data processing, unless the period of personal data storage is established by law or international agreement.

5.10. The Operator stops processing personal data in the following cases:

  • the fact of their unauthorised processing has been revealed. Deadline - within 3 (three) working days from the date of detection;
  • the purpose of their processing has been achieved;
  • the personal data subject's consent to the processing of the said data has expired or has been withdrawn, when, under the Personal Data Law, the processing of such data is permitted only with consent.

5.11. When the purposes of personal data processing are achieved, as well as in case the subject of personal data withdraws his/her consent to their processing, the Operator shall cease processing of such data if:

  • not stipulated by the contract to which the personal data subject is a party, beneficiary or guarantor otherwise;
  • The operator may not carry out processing without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;
  • otherwise not provided for by another agreement between the Operator and the subject of personal data.

5.12. If the personal data subject appeals to the Operator with a request to stop processing personal data within a period not exceeding 10 (ten) working days from the date of receipt of the relevant request by the Operator, the processing of personal data shall be stopped, except for cases provided for by the Personal Data Law. The said term may be extended, but not more than for five working days. For this purpose, the Operator shall send a motivated notice to the personal data subject indicating the reasons for extending the term.

5.13. When collecting personal data, including via the information and telecommunications network Internet, the Operator shall ensure recording, systematisation, accumulation, storage, clarification (update, change), extraction of personal data using databases.

6. Actualisation, correction, deletion, destruction of personal data, responses to the subjects' requests for access to personal data

6.1 Confirmation of the fact of personal data processing by the Operator, legal grounds and purposes of personal data processing shall be provided by the Operator to the personal data subject or his/her representative within 10 working days from the moment of application or receipt of the request of the personal data subject or his/her representative. This term may be extended, but not more than for 5 working days. For this purpose, the Operator should send a motivated notice to the personal data subject indicating the reasons for extending the term for providing the requested information.

The information provided shall not include personal data relating to other personal data subjects, unless there are legitimate grounds for disclosure of such personal data.

The request must contain:

  • number of the main identity document of the personal data subject or his/her representative, information on the date of issue of the said document and the issuing authority;
  • information confirming the personal data subject's participation in relations with the Operator (contract number, date of contract conclusion, conventional word designation and (or) other information), or information otherwise confirming the fact of personal data processing by the Operator;
  • signature of the personal data subject or his/her representative.

The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation.

The operator shall provide information to the personal data subject or his/her representative in the form in which the relevant appeal or request was sent, unless otherwise specified in the appeal or request.

If the appeal (request) of the personal data subject does not reflect all the necessary information in accordance with the requirements of the Law on personal data or the subject does not have access rights to the requested information, a reasoned refusal shall be sent to him/her.

The right of a personal data subject to access his/her personal data may be restricted in accordance with the Personal Data Law, including if the personal data subject's access to his/her personal data violates the rights and legitimate interests of third parties.

6.2 In case inaccurate personal data is detected upon application of the personal data subject or his/her representative or at their request, the Operator blocks personal data related to this personal data subject from the moment of such application or receipt of the said request for the period of verification, if blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

If the fact of inaccuracy of personal data is confirmed, the Operator, based on the information provided by the personal data subject or his/her representative, or other necessary documents, shall clarify the personal data within 7 (seven) working days from the date of submission of such information and remove the blocking of personal data.

6.3 In case of detection of unlawful processing of personal data upon application (request) of a personal data subject or his/her representative, the Operator shall block the unlawfully processed personal data related to this personal data subject from the moment of such application or request.

6.4 If the Operator, or any other interested party identifies the fact of unlawful or accidental transfer (provision, distribution) of personal data (access to personal data), which resulted in violation of the rights of personal data subjects, the Operator:

  • within 24 hours - notify the legal entity about the incident, the alleged reasons for the violation of the rights of personal data subjects, the alleged harm caused to the rights of personal data subjects, and the measures taken to eliminate the consequences of the incident;
  • within 72 hours - notify the legal entity of the results of the internal investigation of the identified incident and provide information on the persons whose actions caused the incident (if any).

6.5 Procedure for destruction of personal data by the Operator.

6.5.1 Conditions and terms of personal data destruction by the Operator:

  • achievement of the purpose of personal data processing or loss of necessity to achieve this purpose - within 30 working days;
  • achievement of the maximum retention period for documents containing personal data - within 30 working days of the day;
  • provision by the personal data subject (his/her representative) of confirmation that the personal data were obtained illegally or are not necessary for the stated purpose of processing - within seven working days;
  • revocation by the personal data subject of consent to the processing of his/her personal data, if their retention for the purpose of their processing is no longer required - within 30 working days.

6.5.2 Upon achievement of the purpose of personal data processing, as well as in the event of withdrawal of consent to processing by the subject of personal data, the personal data shall be destroyed if:

  • not stipulated by the contract to which the personal data subject is a party, beneficiary or guarantor otherwise;
  • the operator may not carry out processing without the consent of the personal data subject on the grounds provided for by the Personal Data Law or other federal laws;
  • otherwise not provided for by another agreement between the Operator and the subject of personal data.

6.5.3 Destruction of personal data is carried out by a responsible person appointed by the Operator.

6.5.4 Methods of personal data destruction shall be set out in the Operator's local regulatory acts.