Privacy policy

Privacy policy

Sanganway Limited Personal Data Processing and Protection POLICY

1. General

1.1. This Personal Data Processing and Protection Policy (“Policy”) has been developed in accordance with Personal Data Federal Law No. 152-ФЗ dated July 27, 2006 (“Personal Data Law”) and other personal data protection regulations.

1.2. This Policy defines the main issues relating to Personal Data processing by SANGANWAY LIMITED LIABILITY COMPANY (“Company”).

1.3. The Personal Data is confidential, proprietary information and is subject to all requirements imposed by Company’s confidentiality procedures.

1.4. This Company Policy regulates, without limitation, Personal Data Processing issues, including processing of all Visitor and User information the Operator may receive when Company Services, including https://theoutletmoscow.com website and the Information Center, are used by Users.

1.5. Key terms used in this Policy:

  • Personal Data – any information relating, directly or indirectly, to an identified or identifiable individual (Data Subject);
  • Personal Data Operator (Operator) – a state or municipal authority, legal entity or individual, who severally or jointly with other persons arranges processing of and/or processes Personal Data, as well as defines the purposes of Personal Data Processing, the scope of
  • Personal Data subject to processing and actions/operations performed with Personal Data;
  • Personal Data Processing – any action/operation or a set of actions/operations performed with Personal Data, whether automated or non-automated, including, without limitation, collection, recording, filing, accumulation, storage, modification (updating and revision), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of Personal Data.
  • User – an individual, Data Subject, using Company Services, Website or Information Center;
  • Visitor – an individual, Data Subject, attending the Company premises;
  • Website – a combination of graphics and information, as well as software and databases making them available on the Internet at https://theoutletmoscow.com;
  • Information Center – a business unit of the Company dealing with Users and providing information via voice channels on behalf of the Company;
  • Services – a set of tools facilitating remote interaction between a User and the Company.

2. Purposes of Personal Data Processing

2.1. The purposes of Personal Data Processing are as follows:

  • organize and maintain personnel records, assist employees in job placement, training and career development;
  • ensure compliance with the Russian Tax Code in connection with PIT calculation and payment, as well as compliance with pension regulations when generating and presenting personified data on each income earner for calculation of compulsory pension insurance and
  • security contributions;
  • fill in primary statistical documents;
  • conclude, perform and terminate civil law contracts;
  • enable employees of Company’s counteragents to perform their obligations under contracts between the Company and its counteragents;
  • follow due care and diligence requirements/recommendations when selecting counteragents;
  • promote new campaigns and services in the market by direct contacts with potential clients (including Users) using communication tools, by such means and for such purposes as permitted by Russian law;
  • meet obligatory requirements of the Russian laws and regulations.

2.2. The Company may inform Users, subject to their consent, on new campaigns and services, special offers and different events. A User may always opt out of such communications sending an email with subject “OPT OUT” to infodesk.theoutlet@hines.com.

2.3. Users’ depersonalized data collected using Internet statistics services are used to gather information on Users’ actions on the Website and to improve the Website quality and content.

2.4. Personal Data may be processed by the Company:

  • subject to Data Subject’s consent only;
  • if the Personal Data Processing is necessary to perform a contract whereby the Data Subject acts as a party, a beneficiary or a guarantor, or for conclusion of a contract by a Data Subject or whereby the Data Subject acts as a beneficiary or a guarantor;
  • otherwise to the extent permitted by the applicable Russian law.

3. Personal Data Processing Legal Framework

3.1. The legal framework of Personal Data Processing is presented by a combination of legal instruments regulating the Personal Data Processing by the Company.

3.2. The Company processes Personal Data in accordance with and pursuant to Russian legal requirements, particularly the Russian Constitution, Russian Civil Code, Personal Data Protection Federal Law, constituent documents of the Company and contracts entered into between the Company and Data Subjects.

4. Data Subject Categorization. Scope and Categories of Processed Personal Data

4.1. The Company processes Personal Data of the following categories of Data Subjects:

  • Company employees, former employees, candidates for offices;
  • clients (potential clients) and counteragents (potential counteragents) of the Company (individuals);
  • Users and Visitors;
  • representatives/employees of clients and counteragents (potential clients/counteragents) of the Company (legal entities);

4.2. Scope of Personal Data processed:

  • Personal Data processed by the Company under employment contracts:
  • surname, name, patronymic;
  • sex;
  • nationality;
  • date and place of birth;
  • information on registration at the place of residence or place of stay;
  • address of actual residence;
  • phone numbers (home, cell), email address;
  • office held;
  • information on employment activities, service record data, including service record insert;
  • taxpayer’s identification number;
  • data of compulsory pension insurance certificate;
  • data of compulsory health insurance policy;
  • data of passport or another ID card;
  • information on education (name of the educational institution, graduation date (day, month, year), specialty and qualification, details of the education certificate);
  • information on knowledge of foreign languages (foreign language, level of proficiency);
  • information on civil status (married, single).
  • Personal Data processed by the Company with respect to clients (potential clients) and/or counteragents (potential counteragents) of the Company (individuals):
  • surname, name, patronymic;
  • sex;
  • nationality;
  • date and place of birth;
  • information on registration at the place of residence or place of stay;
  • address of actual residence;
  • phone numbers (home, cell), email address;
  • taxpayer’s identification number;
  • data of compulsory pension insurance certificate;
  • data of passport or another ID card.
  • Personal Data processed by the Company with respect to representatives/employees of clients and/or counteragents (potential clients/counteragents) of the Company (legal entities):
  • surname, name, patronymic.
  • Personal Data processed by the Company with respect to Users and Visitors:
  • surname, name, patronymic;
  • date of birth;
  • place of permanent residence (if required);
  • phone numbers;
  • email address.

The Website also collects and processes depersonalized data relating to visitors (including cookies) using Internet statistics services (Yandex Metrica, Google Analytics, etc.)

4.3. The Company does not process special categories of Personal Data and/or biometrical Personal Data.

5. Key Principles of Personal Data Processing

5.1. Personal Data may not be processed for purposes other than those declared for collection thereof.

5.2. Databases containing Personal Data processed for different purposes may not be merged.

5.3. Company employees may access Personal Data for the processing purposes to the extent they need it to fulfill their duties.

5.4. Personal Data subject to processing shall be accurate and sufficient and where appropriate relevant for the processing purposes.

5.5. Personal Data shall be stored in such a way as to ensure identification of the Data Subject, however for a period no longer than needed for the purposes of Personal Data Processing, unless the Personal Data storage period is stipulated by a federal law or a contract whereby the Data Subject acts as a party, a beneficiary or a guarantor.

5.6. The processed Personal Data shall be destructed or depersonalized upon achievement of the processing purposes or in the event it is no longer necessary to achieve these purposes, unless otherwise is provided for by a federal law.

5.7. The Personal Data retention period depends on the duration of civil law relations between the Data Subject and the Company, action limitation period, retention periods for documents in hard copy or in electronic databases, other requirements of the Russian laws and regulations, as well as the validity period of subject’s consent to processing of his/her Personal Data.

5.8. The Company will process User and/or Visitor Personal Data only when it is filled in and/or sent independently by the User and/or Visitor through special forms available on the Website or in the Information Center. By filling in respective forms and/or sending his/her Personal Data to the Operator, the User/Visitor acknowledges his/her acceptance of this Policy.

5.9. The Company will processes depersonalized data relating to the User if settings of the User’s browser enable it to do so (cookie and JavaScript enabled).

6. Measures of Personal Data Protection

6.1. When processing Personal Data, the Company shall take necessary legal, organizational and technical measures to protect the Personal Data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as other unlawful actions with respect to Personal Data.

6.2. Personal Data safety shall be ensured by, without limitation:

  • taking organizational and technical measures to protect Personal Data when processing it in Personal Data information systems as necessary to comply with Personal Data protection requirements ensuring maintenance of Personal Data protection levels established by the Russian Government.
  • detecting unauthorized access to Personal Data and taking necessary measures;
  • establishing rules of access to Personal Data processed in a Personal Data information system and ensuring registration and keeping records of all actions in the Personal Data information system involving Personal Data;
  • monitoring measures taken to ensure Personal Data safety and maintenance of Personal Data information system protection level;

7. Data Subject Rights

A Data Subject may:

7.1. Obtain information relating to Processing of his/her Personal Data, including that containing:

  • confirmation that the Personal Data is processed by the Operator;
  • legal grounds and purposes of Personal Data Processing;
  • purposes and methods used by the Company to process Personal Data;
  • name and location of the Company, information on persons (except for Company’s employees) who have access to Personal Data or to whom the Personal Data may be disclosed under a contract with the Company or a federal law;
  • Personal Data processed with respect to the respective Data Subject, its source, unless a different procedure for the submission of such data is provided by a federal law;
  • period of Personal Data Processing, including the retention period;
  • procedure for exercise of Data Subject’s rights stipulated by the Personal Data Federal law;
  • information on effected or proposed cross-border transfer of data;
  • name or surname, name and patronymic and address of a person processing Personal Data on behalf of the Operator, should such person be charged with the processing;
  • other information stipulated by the Personal Data Federal Law or other federal laws;

7.2. Demand from the operator improvement of his/her personal data, its blocking or destruction if the Personal Data is incomplete, outdated, inaccurate, obtained unlawfully or is not necessary for the stated purpose of Processing, and also take statutory measures to protect his/her rights.

7.3. Have unrestricted free access to his/her Personal Data, including the right to obtain a copy of any record containing the Personal Data, to the extent permitted by the Russian law.

7.4. Appeal in the court against any unlawful acts or omissions of the Company with respect to Processing and protection of his/her Personal Data.

8. Obligations of Company

The Company shall:

8.1. Take necessary and adequate legal, organizational and technical measures to protect the Personal Data against unauthorized or accidental access, destruction, modification, blocking, copying, provision, dissemination, as well as other unlawful actions with respect to Personal Data

8.2. Implement organizational and technical measures to protect Personal Data in accordance with the personal data processing regulations of the Russian Federation.

8.3. To ensure Personal Data protection, assess harm that may be incurred by Data Subjects due to violation of Personal Data protection rules and identify actual Personal Data safety risks when processing Personal Data in Personal Data information systems.

8.4. If actual safety risks are identified, take necessary and adequate legal, organizational and technical measures to ensure Personal Data safety, including:

  • identify data safety risks when processing information containing Personal Data;
  • take organizational and technical measures to ensure data safety when processing information containing Personal Data;
  • assess efficiency of the measures taken, before the Personal Data information system is put into operation;
  • keep record of machine-readable media containing Personal Data;
  • identify and respond to unauthorized access to information containing Personal Data;
  • retrieve Personal Data modified or destructed due to unauthorized access thereto;
  • establish rules of access to information containing Personal Data, ensure registration and keeping records of all actions in the Personal Data information system involving information containing Personal Data;
  • monitor the measures taken.

9. Obligations and Responsibility of Company’s Employees

9.1. Company’s employees authorized to process Personal Data shall:

  • know and strictly observe the requirement of this Policy;
  • process Personal Data to the extent they need it to fulfill their duties.;
  • not disclose Personal Data obtained while fulfilling their duties or due to their occupation;
  • prevent third party acts that may lead to disclosure (destruction, distortion) of Personal Data;
  • identify cases of Personal Data disclosure (destruction, distortion) and notify them to their supervisor;
  • keep the information containing Personal Data confidential in accordance with Company’s corporate acts.

9.2. Company’s employees authorized to process Personal Data are prohibited from making unauthorized and ad hoc copies of Personal Data in paper or electronic media other than those intended for storing Personal Data.

9.3. Each new employee of the Company directly involved in Personal Data Processing shall read, understand and observe requirements of the Personal Data safety laws and regulations of the Russian Federation, this Policy and other corporate acts relating to Personal Data Processing and safety.

9.4. In case of violation of Personal Data laws and regulations of the Russian Federation, offenders shall be subject to disciplinary, material, civil law, administrative or criminal liability.

10. Final Provisions

10.1. The updated Policy is available at https://theoutletmoscow.com.

10.2. The Policy is updated to reflect changes in personal data regulations and corporate acts regulating the organization of personal data processing and protection.