Privacy Policy


On the processing and protection of personal data

  1. General Provisions
    1. This Policy https://www.elgrekorealestate.com (Operator) regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in compliance with the requirements of paragraph 2 of Part 1 of Article 18.1 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" (hereinafter referred to as the Law on Personal Data) in order to ensure the protection of the rights and freedoms of a person and citizen when processing his personal data, including the protection of the rights to privacy, personal and family secrets.
    2. The policy applies to all personal data processed by the Company.
    3. The Policy applies to relationships in the field of personal data processing that arose with the Operator both before and after the approval of this Policy.
    4. In compliance with the requirements of Part 2 of Article 18.1 of the Law on Personal Data, this Policy is published in the public domain on the Internet information and telecommunications network at https://www.elgrekorealestate.com . 
    5. The policy is valid indefinitely until it is replaced by a new version.
  2. Terms and definitions
    Personal data – any information relating to a directly or indirectly identified or identifiable natural person (subject of personal data).
    Personal data permitted for distribution by the subject of personal data are personal data, access to which by an unlimited number of persons is provided by the subject of personal data by giving consent to the processing of personal data permitted for distribution by the subject of personal data.
    Personal data operator (operator) – a state body, municipal body, legal entity or individual that independently or jointly with other persons organizes and (or) carries out the processing of personal data, as well as determines the purposes of processing personal data, the composition of personal data subject to processing, actions (operations) performed with personal data.
    Personal data processing – any action (operation) or set of actions (operations) with personal data, performed with or without the use of automation tools. Personal data processing includes, among other things:
    • collection;
    • recording;
    • systematization;
    • accumulation;
    • storage;
    • clarification (update, change);
    • extraction;
    • usage;
    • transfer (provision, access);
    • spreading;
    • depersonalization;
    • blocking;
    • removal;
    • destruction.
    Automated processing of personal data is the processing of personal data using computer technology.
    Provision of personal data – actions aimed at disclosing personal data to a specific person or a specific group of persons.
    Blocking of personal data is a temporary cessation of the processing of personal data (except in cases where the processing is necessary to clarify personal data).
    Destruction of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the material carriers of personal data are destroyed.
    Depersonalization of personal data – actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without the use of additional information.
    Personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing.
    Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to a foreign government body, a foreign individual or a foreign legal entity. 
  3. Procedure and conditions for processing and storing personal data
    1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
    2. The processing of personal data is carried out with the consent of the subjects of personal data to the processing of their personal data, as well as without such consent in cases stipulated by the legislation of the Russian Federation.
    3. Consent to the processing of personal data permitted by the subject of personal data for distribution is drawn up separately from other consents of the subject of personal data to the processing of his personal data.
    4. Consent to the processing of personal data, permitted by the subject of personal data for distribution, may be provided to the operator:
      • directly;
      • using the information system of the authorized body for the protection of the rights of personal data subjects.
    5. The operator carries out both automated and non-automated processing of personal data.
    6. Only employees of the Operator whose job responsibilities include processing personal data are allowed to process personal data.
    7. The processing of personal data is carried out by:
      • obtaining personal data in oral and written form directly with the consent of the subject of personal data to the processing or dissemination of his personal data;
      • entering personal data into the Operator’s logs, registers and information systems;
      • use of other methods of processing personal data.
    8. Disclosure to third parties and distribution of personal data without the consent of the subject of the personal data is not permitted, unless otherwise provided by federal law.
    9. The transfer of personal data to inquiry and investigation bodies, the Federal Tax Service, the Social Fund of Russia and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.
    10. The operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions, including:
      • identifies threats to the security of personal data during their processing;
      • adopts local regulations and other documents governing relations in the field of processing and protection of personal data;
      • appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
      • creates the necessary conditions for working with personal data;
      • organizes the recording of documents containing personal data;
      • organizes work with information systems in which personal data is processed;
      • stores personal data under conditions that ensure their safety and prevent unauthorized access to them;
      • organizes training for the Operator’s employees who process personal data.
    11. The operator stores personal data in a form that allows the subject of personal data to be identified, no longer than required by the purposes of processing personal data, unless the storage period for personal data is established by federal law, contract or agreement.
    12. When collecting personal data, including through the Internet information and telecommunications network, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, except for cases specified in the Law on Personal Data.
    13. Types of personal data and purposes of personal data processing:
      1. Types of personal data processed by the Operator:
        • last name, first name, patronymic;
        • contact phone number;
        • email address;
        • registration address;
        • address of actual place of residence (stay);
        • accounts in messaging programs (messengers).
      2. Only personal data that meet the purposes of their processing are subject to processing. The Operator processes personal data for the following purposes:
        • ensuring compliance with the Constitution, federal laws and other regulatory legal acts of the Russian Federation;
        • implementation of its activities;
        • the Operator’s entry into civil law relations;
        • accounting;
        • notification of the subject of personal data about changes and additions to the services provided under the agreement with him;
        • receiving feedback, reviews and recommendations from the subject of personal data;
        • conducting surveys for effective communication with the Operator’s current and potential clients.
    14. Categories of personal data subjects whose personal data are processed by the Operator:
      • individuals, both those in civil-law relations with the Operator and potential counterparties;
      • representatives of legal entities, both those in civil-law relations with the Operator, and potential counterparties.
    15. Storage of personal data.
      1. Personal data of subjects may be obtained, further processed and transferred for storage both on paper and in electronic form.
      2. Personal data recorded on paper media are stored in locked cabinets or in locked rooms with limited access rights.
      3. Personal data of subjects processed using automation tools for different purposes are stored in different folders.
      4. Storage and placement of documents containing personal data in open electronic catalogues (file sharing services) in ISPD (personal data information systems) is not permitted.
      5. The storage of personal data in a form that allows the identification of the subject of the personal data is carried out no longer than required by the purposes of their processing, and they are subject to destruction upon achievement of the purposes of processing or in the event of loss of the need to achieve them.
    16. Destruction of personal data.
      1. Destruction of documents (carriers) containing personal data is carried out by burning, crushing (grinding), chemical decomposition, transformation into a shapeless mass or powder. A shredder may be used to destroy paper documents.
      2. Personal data on electronic media are destroyed by erasing or formatting the media.
      3. The fact of destruction of personal data is confirmed by a documented act on the destruction of media.
    17. The site uses cookies and visitor data from traffic statistics services (IP address; information from cookies, browser information, site access time, address of the page on which the advertising block is located, referrer (address of the previous page) and other data).
      With the help of this data, information is collected about the actions of visitors on the site in order to improve its content, improve the functionality of the site and, as a result, create high-quality content and services for visitors.
      The subject of personal data may at any time change the settings of their browser so that all cookies are blocked or a notification is provided about their sending. In this case, the subject must understand that some functions and services of the site will not be able to work properly.
  4. Protection of personal data
    1. In accordance with the requirements of regulatory documents, the Operator has created a personal data protection system (PDPS), consisting of subsystems of legal, organizational and technical protection.
    2. The legal protection subsystem is a complex of legal, organizational, administrative and regulatory documents that ensure the creation, functioning and improvement of the legal protection subsystem.
    3. The organizational protection subsystem includes the organization of the management structure of the personal data protection system, the permit system, and the protection of information when working with employees, partners, and third parties.
    4. The technical protection subsystem includes a set of technical, software, and hardware tools that ensure the protection of personal data.
    5. The main measures to protect personal data used by the Operator are:
      1. Appointment of a person responsible for the processing of personal data, who carries out the organization of the processing of personal data, training and instruction, internal control over the compliance of the institution and its employees with the requirements for the protection of personal data.
      2. Identification of current threats to the security of personal data when processing them in the ISPD and development of measures and activities to protect personal data.
      3. Development of a policy regarding the processing of personal data.
      4. Establishing rules for access to personal data processed in the ISPD, as well as ensuring the registration and accounting of all actions performed with personal data in the ISPD.
      5. Establishing individual passwords for employee access to the information system in accordance with their production responsibilities.
      6. Application of information security tools that have undergone the established conformity assessment procedure.
      7. Certified antivirus software with regularly updated databases.
      8. Compliance with conditions that ensure the safety of personal data and prevent unauthorized access to it.
      9. Detection of facts of unauthorized access to personal data and taking measures.
      10. Restoration of personal data modified or destroyed due to unauthorized access to them.
      11. Training of the Operator's employees directly involved in the processing of personal data in the provisions of the Russian Federation legislation on personal data, including requirements for the protection of personal data, documents defining the Operator's policy regarding the processing of personal data, and local acts on issues of processing personal data.
      12. Implementation of internal control and audit.
  5. Basic rights of the personal data subject and obligations of the Operator
    1. Basic rights of the subject of personal data.
      The subject has the right to access his personal data and the following information:
      • confirmation of the fact of processing of personal data by the Operator;
      • legal grounds and purposes of processing personal data;
      • the purposes and methods of processing personal data used by the Operator;
      • the name and location of the Operator, information about persons (except for the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or on the basis of federal law;
      • terms of processing personal data, including the terms of their storage;
      • the procedure for the exercise by the subject of personal data of the rights provided for by the Law on Personal Data;
      • the name or surname, first name, patronymic and address of the person processing personal data on behalf of the Operator, if the processing is or will be entrusted to such person;
      • contacting the Operator and sending him requests;
      • appeal against the actions or inactions of the Operator.
    2. Operator's responsibilities.
      The operator is obliged to:
      • when collecting personal data, provide information about the processing of personal data;
      • in cases where personal data was not received from the subject of personal data, notify the subject;
      • in case of refusal to provide personal data, the subject is informed of the consequences of such refusal;
      • publish or otherwise provide unrestricted access to the document defining its policy regarding the processing of personal data, to information on the implemented requirements for the protection of personal data;
      • take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other illegal actions in relation to personal data;
      • provide responses to requests and appeals from personal data subjects, their representatives and the authorized body for the protection of the rights of personal data subjects.
  6. Updating, deleting and destroying personal data, responding to requests from subjects for access to personal data
    1. Confirmation of the fact of processing of personal data by the Operator, the legal grounds and purposes of processing of personal data, as well as other information specified in Part 7 of Article 14 of the Law on Personal Data, are provided by the Operator to the subject of personal data or his representative upon request or upon receipt of a request from the subject of personal data or his representative.
      The information provided does not include personal data relating to other personal data subjects, except in cases where there are legal grounds for disclosing such personal data.
      The request must contain:
      • the number of the main document certifying the identity of the personal data subject or his representative, information on the date of issue of the specified document and the body that issued it;
      • information confirming the participation of the personal data subject in relations with the Operator (contract number, date of conclusion of the contract, conventional verbal designation and (or) other information), or information otherwise confirming the fact of processing of personal data by the Operator;
      • signature of the personal data subject or his/her representative.
      The request may be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Russian Federation.
      If the personal data subject’s request (appeal) does not reflect all the necessary information in accordance with the requirements of the Law on Personal Data or the subject does not have the right to access the requested information, then a reasoned refusal is sent to him.
      The right of the personal data subject to access his personal data may be limited in accordance with Part 8 of Article 14 of the Law on Personal Data, including if the personal data subject's access to his personal data violates the rights and legitimate interests of third parties.
    2. In the event that inaccurate personal data is detected upon an appeal by the personal data subject or his/her representative or at their request or at the request of Roskomnadzor, the Operator shall block the personal data related to this personal data subject from the moment of such appeal or receipt of the specified request for the verification period, if the blocking of the personal data does not violate the rights and legitimate interests of the personal data subject or third parties.
      In the event of confirmation of the fact of inaccuracy of personal data, the Operator, on the basis of information provided by the subject of personal data or his representative or Roskomnadzor, or other necessary documents, clarifies the personal data within seven working days from the date of submission of such information and removes the blocking of the personal data.
    3. In the event of detection of unlawful processing of personal data upon an appeal (request) from the subject of personal data or his representative or Roskomnadzor, the Operator shall block the unlawfully processed personal data related to this subject of personal data from the moment of such appeal or receipt of the request.
    4. Upon achieving the purposes of processing personal data, as well as in the event of the withdrawal of consent to their processing by the subject of personal data, personal data are subject to destruction if:
      • unless otherwise provided by an agreement to which the subject of personal data is a party, beneficiary or guarantor;
      • the operator does not have the right to carry out processing without the consent of the subject of personal data on the grounds provided for by the Law on Personal Data or other federal laws;
      • unless otherwise provided by another agreement between the Operator and the personal data subject.
  7. Cross-border transfer of personal data
    1. Before commencing the cross-border transfer of personal data, the operator is obliged to ensure that the foreign state to whose territory it is intended to transfer personal data ensures reliable protection of the rights of personal data subjects.
    2. Cross-border transfer of personal data to the territory of foreign states that do not meet the above requirements may be carried out only if there is written consent from the subject of personal data to the cross-border transfer of his personal data and/or execution of an agreement to which the subject of personal data is a party.