8 800 700–11–91Personal account
En

Personal Data Processing Policy

(Legal entity – LLC “FIRST FREE PLATFORM OF LEGAL MUSIC”)

1. General Provisions

1.1. This Personal Data Processing Policy defines the procedure for processing personal data and measures to ensure the security of personal data at LLC “FIRST FREE PLATFORM OF LEGAL MUSIC” (hereinafter referred to as the “Company”) to protect the rights and freedoms of individuals during the processing of their personal data, including the right to privacy, personal and family secrets.

1.2. This Policy is developed in accordance with Federal Law No. 152-FZ of July 27, 2006 “On Personal Data” (hereinafter referred to as “FZ-152”).

1.3. The following terms and definitions are used in this Policy:

  • any information relating directly or indirectly to an identified or identifiable individual (personal data subject);
  • any action (operation) or a set of actions (operations) performed with or without the use of automation tools involving personal data, including collection, recording, systematization, accumulation, storage, updating (modification), retrieval, usage, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
  • processing of personal data using computing technologies;
  • actions aimed at disclosing personal data to an indefinite number of persons or providing access to personal data to an unlimited number of persons, including publication in mass media, placement in information and telecommunication networks, or otherwise providing access to personal data;
  • actions aimed at disclosing personal data to a specific person or a specific group of persons;
  • temporary suspension of personal data processing (except when processing is necessary to clarify the personal data);
  • actions resulting in the impossibility of restoring the content of personal data in the personal data information system and/or leading to the destruction of tangible media containing personal data;
  • actions resulting in the impossibility of determining the subject of the personal data without additional information;
  • the aggregate of personal data contained in databases and information technologies and technical tools that ensure their processing;
  • transfer of personal data to the territory of a foreign state to a foreign government authority, foreign individual or foreign legal entity.

1.4. This Policy applies to all personal data of subjects processed by the Company with or without the use of automation tools.

1.5. Any personal data subject must have access to this Policy.

1.6. The Company may use phone numbers and email addresses provided by the personal data subject when submitting a request through Company websites (https://bubuka.info, https://my.bubuka.info, https://enter.yoga, https://my.enter.yoga, https://market.bubuka.info, https://avtorskoepravo.com, https://bubuchit.ru, https://работавбубуке.рф) for informational messages and calls related to the services provided by the Company.

2. Principles and Conditions of Personal Data Processing

2.1. Personal data processing in the Company is based on the following principles:

  • legality and fairness;
  • limitation of personal data processing to achieving specific, predetermined and lawful goals;
  • prohibition of processing personal data incompatible with the purposes of data collection;
  • prohibition of merging databases containing personal data processed for incompatible purposes;
  • processing only personal data that meets the purposes of their processing;
  • correspondence of the content and volume of processed personal data to the declared processing purposes;
  • prevention of excessive personal data processing in relation to the stated purposes of processing;
  • ensuring the accuracy, sufficiency, and relevance of personal data in relation to the purposes of processing;
  • destruction or depersonalization of personal data upon achievement of the processing goals or if the need to achieve these goals is lost, unless otherwise provided by federal law.

2.2. The Company processes personal data only under one or more of the following conditions:

  • with the consent of the personal data subject to process their personal data;
  • processing is required to achieve goals provided by law or to perform functions, powers, and duties imposed by the legislation of the Russian Federation;
  • processing is necessary for the performance of a contract to which the personal data subject is a party, beneficiary, or guarantor, or to conclude a contract at the initiative of the personal data subject;
  • processing is necessary to exercise the rights and legitimate interests of the Company or third parties, or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;
  • processing is carried out of personal data made publicly available by the personal data subject or at their request;
  • processing is carried out of personal data that must be disclosed or published in accordance with federal law.

2.3. The Company and other parties with access to personal data must not disclose or distribute such data without the personal data subject's consent, unless otherwise provided by federal law.

2.4. For informational purposes, publicly available sources of employees’ personal data may be created within the Company, including directories and address books. With the employee’s consent, the following may be included: full name, date and place of birth, position, contact phone numbers, email address. The employee may request deletion of such data at any time or upon a court or government agency’s order.

2.5. The Company may entrust personal data processing to another party with the consent of the personal data subject, unless otherwise provided by federal law, under a data processing agreement (hereinafter – “Company’s Assignment”). The authorized party must comply with the principles and rules established by FZ-152.

2.6. The Company may process special categories of personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health condition, and sex life only under the following conditions:

  • the personal data subject has given written consent;
  • the personal data is made publicly available by the subject;
  • the processing is required under social assistance, labor law, pension law;
  • the processing is necessary to establish or exercise the rights of the personal data subject or third parties, or in connection with the administration of justice;
  • the processing is required under anti-terrorism, anti-corruption, enforcement proceedings, or criminal execution legislation of the Russian Federation;
  • the processing is carried out under mandatory insurance legislation. Processing of such special data must cease immediately once the reasons for processing are eliminated, unless otherwise required by law.

2.7. The Company may process data on criminal records only in cases and procedures defined by federal law.

2.8. Information that characterizes a person’s physiological and biological characteristics enabling identification – biometric personal data – may be processed by the Company only with the employee’s written consent.

3. Rights of the Personal Data Subject

3.1. The personal data subject decides to provide their personal data and gives consent for its processing freely, by their own will and in their own interest. Consent to the processing of personal data may be given by the personal data subject or their representative in any form that allows confirmation of its receipt, unless otherwise provided by federal law. The responsibility to prove the receipt of such consent or the existence of grounds specified in FZ-152 lies with the Company.

3.2. The personal data subject has the right to receive information concerning the processing of their personal data, unless this right is restricted under federal law. The personal data subject may request the Company to clarify, block, or delete their personal data if it is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing, as well as take legal action to protect their rights.

3.3. Processing of personal data for the purpose of promoting goods, works, or services through direct contact with a potential consumer via communication means, as well as for political campaigning, is only allowed with the prior consent of the personal data subject. Such processing is deemed unauthorized if the Company cannot prove the receipt of such consent. Upon request of the personal data subject, the Company must immediately cease processing their data for the specified purposes.

3.4. Decisions that have legal consequences for the personal data subject or otherwise affect their rights and legitimate interests cannot be made solely on the basis of automated processing of personal data, except in cases provided by federal law or with the written consent of the personal data subject.

3.5. If a personal data subject believes that the Company is processing their data in violation of FZ-152 or infringing their rights and freedoms in any other way, they have the right to file a complaint with the authorized body for the protection of personal data subjects or through legal proceedings. The data subject has the right to defend their rights and legitimate interests, including seeking compensation for damages and/or moral harm in court.

4. Ensuring the Security of Personal Data

4.1. The security of personal data processed by the Company is ensured through legal, organizational, technical, and software measures necessary and sufficient to meet the requirements of federal legislation on personal data protection.

4.2. To create an unfavorable environment and significant obstacles for violators attempting unauthorized access to personal data for the purpose of acquiring, altering, destroying, infecting with malware, substituting, or committing other unauthorized actions, the Company implements the following organizational and technical measures:

  • appointment of responsible personnel for organizing personal data processing and protection;
  • restriction and regulation of the number of employees with access to personal data;
  • informing employees of the federal legislation and internal policies on personal data processing and protection;
  • ensuring accounting and secure storage of physical data carriers, excluding theft, tampering, unauthorized copying or destruction;
  • identifying security threats to personal data, developing threat models;
  • developing a data protection system based on the threat model for the appropriate class of information systems;
  • testing the readiness and effectiveness of data protection tools;
  • implementing user access control to information resources and technical tools for data processing and protection;
  • logging and auditing user activity in personal data information systems;
  • password protection for access to personal data information systems;
  • controlling access to communication ports, input/output devices, removable media and external storage devices;
  • when necessary, applying cryptographic tools for data protection during transmission over open networks and storage on digital media;
  • running antivirus checks and preventing the introduction of malware and trojans into the corporate network;
  • using firewalls;
  • detecting intrusions into the Company's corporate network that violate or may lead to violation of data protection rules;
  • centralized management of the data protection system — including backup of information;
  • ensuring restoration of personal data modified or destroyed due to unauthorized access;
  • training employees to correctly use data protection tools implemented in personal data information systems;
  • accounting for information security tools and their operational and technical documentation;
  • using certified information security tools that have passed compliance assessment;
  • monitoring user activity and investigating violations of personal data security requirements;
  • locating data processing technical means within a protected area;
  • organizing access control on the Company's premises;
  • maintaining technical security systems and alarm systems in a constant state of readiness.

5. Final Provisions

5.1. Other rights and obligations of the Company as a personal data operator are determined by the legislation of the Russian Federation in the field of personal data. Company officials found responsible for violating rules governing the processing and protection of personal data are subject to disciplinary, administrative, civil, or criminal liability as provided by federal law.