1.1. This Personal Data Processing Policy (hereinafter, the "Policy") has been released and used by Autonomous Non-commercial Organization of Additional Education «Academy of Confectionary Art» (hereinafter, the Operator) in conformity with the Federal Law of 27 July 2006, No. 152-FZ "On personal data" (hereinafter, the Law), the General Data Protection Regulation (Regulation (EU) 2016/679) of 27 April 2016 (hereinafter, GDPR) and the Federal Law of 29 December 2012, No. 273-FZ "On education in the Russian Federation".
1.2. Concepts related to the personal data processing that is used in the Policy shall have the meaning given to them in Article 3 of the Law and provisions of GDPR, unless otherwise expressly provided in the Policy.
1.3. Any matters related to the personal data processing not covered in the Policy shall be settled in compliance with the current Russian personal data laws.
1.4. This Policy shall:
1.4.1. determine regulations for the processing by the Operator of personal data provided by the users of https://paulinepastryschool.co... (including its subdomains and particular pages) for the purpose of execution and fulfillment of paid or gratuitous agreements including those on the delivery of educational services (hereinafter, the Users and the Website, respectively);
1.4.2. determine goals, legal grounds, order, and amount of handled personal data;
1.4.3. contain information on applicable requirements to protection of handled personal data; and
1.4.4. determine the order of interaction with personal data subjects upon receipt of applications from them.
1.5. The Policy document is available to the Users online at https://paulinepastryschool.com/policyconfeng.
1.6. Ignorance of the terms and conditions determined in this Policy shall not be a
ground for making by the User a claim against the Operator.
1.7. If the User disagrees with the terms and conditions of this Policy, the User shall immediately terminate any use of the Website.
2. Terms and Definitions
2.1. Website means a set of information, texts, graphics, design, images, photo, and video materials and other intellectual deliverables as well as software contained in the information system that enables online access to such information via IP address at https://paulinepastryschool.co... (including all subdomains and particular pages).
2.2. My Account means a website area accessible for the User after signing up by entering a unique login and a password.
2.3. Cookie files mean data automatically transferred when the Website is used to the Operator by means of software installed on the User's device, that includes the IP address, geographic location, operation system type, and browser data, hardware and software specifications, and date and time of access to the Website.
3. The User's consent to the processing of personal data
3.1. The User shall accept the terms and conditions of the Policy and give to the Operator their informed consent to the processing of their personal data as governed by the requirements of the Policy and the Law:
3.1.1 When signing up on the Website – for personal data that the User presents to the Operator:
184.108.40.206 by completing the registration form posted on the Website. The User shall be deemed to have given consent to the processing of their personal data at the time of clicking the Signup or similarly named button;
220.127.116.11 When entering or modifying the personal data of the personal account – for personal data that the User presents when editing the data of the personal account. The User shall be deemed to have given consent to the processing of their personal data at the time of clicking the Save or similarly named button.
3.1.2 When completing the feedback form - for personal data that the User presents to the Operator by completing the feedback form online on the Website and via e-services (Skype, Google, WhatsApp, Telegram, Facebook, etc.). The User shall be deemed to have given consent to the processing of their personal data entered in the feedback form at the time of clicking the button used to acknowledge the application that may have such names as Send or Register or similar.
3.1.3 Whenever the Website is used – for personal data automatically transferred when the Website is used to the Operator by means of software installed on the User's device. The User shall be deemed to have given consent to the processing of their personal data at the time of beginning to use the Website.
3.2 The User consent to the processing of their personal data shall be valid within a period from the date of consent (clause 3.1 hereof) that is required to achieve the purpose of personal data processing.
3.3 The User shall be authorised to revoke the consent to the processing of personal data in the manner and fashion set out in section 12 of the Policy.
3.4 The User consent to the processing of personal data authorised for distribution shall be given by the User to the Operator separately from the personal data processing consent stated in clause 3.1 hereof.
3.5 The User consent to the processing of personal data authorised for distribution shall be given by the User to the Operator by completing the respective form available on the Platform. When giving such consent, the User shall complete the mandatory fields, namely: the User's surname, given name, middle name, patronymic (if any) in Russian, contact data (phone number, email or postal address of the personal data subject).
3.6 The User shall give to the Operator their consent to the processing of personal data authorised for distribution for a period fixed in such consent.
3.7 If the User's age is below the age of majority, the latter when presenting their personal data shall send to the Operator's email address stated in section 14 of this Policy a written consent of the User's legal representative (as per the form presented in Annex No. 1 hereto) to the processing of such data by the Operator. Considering that the data collection system operates automatically, the Operator shall not check the fact of giving such consent by the User. If it is found that the User presenting personal data without written consent of their legal representative is legally incompetent, the Operator shall immediately block the processing of such personal data until the matter is clarified.
4. Conditions for providing personal data by the User
4.1 Generally, the Operator shall not be obliged to verify the personal information provided by the users and check the users' capacity. The personal data subject shall bear liability for submission of invalid personal data including the use of third party data as their own.
4.2 The Operator assumes that:
4.3 The User responds with valid and sufficient personal information to the questions in the forms posted on the Website and maintains actual status of such information.
4.3.1 If the User uploads their image via personal account on the Website, the User thereby gives their consent to the use of that image free of charge (Article 152.1 of the Civil Code) for purposes not related to the identification of the User. The User undertakes not to use third party images instead of their own images.
4.4 Giving consent to the authorised distribution of their personal data, the User is informed that the Operator may post such data on the Website where they become available to the other Users of the Website and can be copied and distributed by such Users, unless the User's consent to the authorised distribution of the User's personal data contains limitations and/or qualifications for their distribution.
4.5 Giving consent hereunder, the User is informed of the right to impose prohibition on the transfer (save for granting access to) of their personal data by the Operator for the general public as well as prohibition on the processing or processing conditions of (save for gaining access to) these personal data for the general public.
4.6 The User is made aware of this Policy and gives their informed consent thereto.
5. Personal data
The User's personal data handled by the Operator shall include:
5.1 Surname, given name, middle name, patronymic;
5.2 Email address;
5.3 Phone number;
5.4 The User's date of birth;
5.5 The User's residence or location data;
5.6 Data from the User's passport;
5.7 Data of accounts in social media and e-services (links to the User profiles in Vkontakte, Facebook, Linkedin, Skype, Google, Twitter, Viber, Whatsapp, Telegram, etc.), provided that the Website allows authorization via said services;
5.8 The Operator may gain access to, collect and use for the purposes determined in the Policy any technical and other information related to the Users. Though technical information is not classified as personal data, the Operator uses cookie files that enable identification of the Users. Besides, technical information includes data automatically transferred to the Operator when the User is working on the Website using the software installed on the User's device, namely:
5.8.1 User online activity data, in particular, visited pages, date and time of URL clicks, etc.;
5.8.2 Information regarding the User's device, browser type and version, and operation system type and version used to get access to the web: IP address and (if the User visits the Website via mobile device) type, screen resolution and unique identifier of such device;
5.8.3 Information about the resource used by the User to get access to the Operator's Website (a website or an advertisement link);
5.8.4 User's device location data;
5.8.5 Information about web resources visited by the User; and
5.8.6 Information on the interaction with the Operator's advertisements placed outside the resource including their number, and visiting rate and depth.
5.9 The Operator shall not handle:
5.9.1 biometric personal data (describing the person's physiological and biological characteristics that may be used for identification), and
5.9.2 sensitive personal data (regarding race and national identity, political views, religious or philosophical beliefs, health condition, private life).
6. Legal grounds of personal data processing
The Users' personal data shall be processed on the following legal basis:
6.1 Constitution of the Russian Federation;
6.2 Civil Code of the Russian Federation;
6.3 Federal Law of 29 December, 2012, No. 273-FZ "On education in the Russian Federation";
6.4 Federal Law of 27 July, 2006, No. 152-FZ "On personal data";
6.5 User's consent to the processing of personal data.
6.6 User's consent to the processing of personal data authorised for distribution (if any).
6.7 General Data Protection Regulation (Regulation (EU) 2016/679) of 27 April, 2016 in respect of personal data of EU citizens and non-EU citizens temporarily or permanently residing in EU member states that use services provided by the Operator within EU.
7 . Purpose of personal data processing
The Operator shall handle the Users' personal data solely for the purpose of:
7.1 Registration of the User by the Operator on the Website, provision of the User with access to the whole range of the Website services.
7.2 Representation of the User profile in the personal account of the Website including the goal of providing the User with information on their achievements during the study under the educational program.
7.3 Establishment and maintenance of communication between the User and the Operator, consultation in the matter of provision of education services.
7.4 Execution and fulfillment of the Paid Education Service Subscription Agreement of 01 January, 2022 (by way of acceptance by the User of the respective Public Offer of the Operator posted on the Website).
7.5 Sending of advertisement messages by the Operator to the User's email address; targeting of advertising materials subject to the User's permission for such mail.
7.6 The User may object to the handling of data, in particular, profile development, to the extent that such handling is connected with direct marketing. The User shall send their objection to the Operator in the manner set out in 12.1 hereof.
7.7 User service quality enhancement and the Operator's Website upgrading by way of handling requests and inquiries from the User.
7.8 Statistical and other research based on anonymised information provided by the User.
7.9 Compliance with the requirements of Russian law.
8. Personal data processing
8.1 The User's personal data shall be processed by the Operator using databases located within the Russian Federation.
8.2 The personal data shall be processed using automated systems.
8.3 The processing of the User's personal data shall include performance by the Operator of the following actions: collection, recording, systematization, accumulation, storage, refinement (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction of personal data.
8.4 The User's personal data shall be collected in accordance with clause 3.1 of this Policy.
8.5 Personal data shall be stored until (whichever occurs first):
8.5.1 the time of their deletion by the User in the respective section of the personal account; 8.5.2 the time of their destruction by the Operator if the User revokes their consent to the processing of personal data or requests destruction of personal data; and 8.5.3 the expiration of the consent validity period or achievement of the purpose for the processing of personal data. 8.6 The Operator may transfer personal data to third parties. Such transfer shall not be deemed distribution of the User's personal data for an indefinite range of persons. 8.7 Goals of personal data transfer include: 8.7.1 Optimization by the Operator of the mailing of information and advertisement messages. In this case, the Users' personal data transferred to the third party include: surname, given name, patronymic; email address. 8.7.2 Sending to the Users of information mail on new opportunities in the area of education and development. In this case, the Users' personal data transferred to the third party include: surname, given name, patronymic; email address. Each information mail shall provide the User with an opportunity to stop the reception of such mail. 8.7.3 Fulfillment with the involvement of third parties of the terms and conditions of the agreement entered into with the Users of the Website. 8.8 The list of permitted methods of personal data processing includes: collection, recording, systematization, accumulation, storage, refinement (updating, modification), retrieval, use, transfer (distribution, provision, access), depersonalization, blocking, deletion and destruction. Third parties shall not be allowed to transfer and distribute personal data. 8.9 The Operator shall destroy personal data if: 8.9.1 the User deletes their personal data in the respective section of the personal account; 8.9.2 the User revokes their consent to the processing of personal data; 8.9.3 the User requests the destruction of personal data; 8.9.4 the User's consent validity expires; 8.9.5 the period of personal data storage agreed upon between the Operator and the User expires.
9. Measures taken by the Operator to protect personal data
The Operator shall take necessary and adequate legal, institutional and technical measures to protect information provided by the Users from unauthorised or accidental access, destruction, modification, blocking, copying, distribution or any other unauthorised actions of third parties. In particular, such measures include: 9.1 Appointment of a person responsible for personal data processing; 9.2 Implementation of institutional and technical measures to ensure safety of personal data processed in information systems; 9.3 Control of events of unauthorised access to personal data and implementation of measures to ensure nonoccurrence of such incidents in future; 9.4 Supervision over the measures taken to ensure personal data safety and the personal data system security level.
10. Limitation of liability
10.1 The Operator shall not be responsible for possible unintended use of personal data and any damage to the User caused by: 10.1.1 malfunction of software or hardware and networks beyond control of the Operator; 10.1.2 intentional or unintentional use of the Website not in accordance with its intended purpose by third parties; 10.1.3 failure to ensure confidentiality of access passwords or intentional transfer of access passwords or other information to third parties that do not have access to such information by the User themselves during the provision of services by the Operator or the use of the Website; 10.1.4 unauthorized acts of third parties to gain access to the Website data including personal data. 10.2 The Operator shall not be responsible for the manner in which personal data are used by third parties interacting with the User during the use of the Website. 10.3 The Operator shall not check whether the Users are implementing special security arrangements for processing their personal data. If the User who is an EU citizen or a non-EU citizen temporarily or permanently residing in EU member states gains access to the Website from European countries, the Operator shall take reasonable efforts to ensure compliance with such statutory requirements for personal data protection. For this purpose, the User shall notify the Operator at firstname.lastname@example.org that they are implementing special security arrangements for processing their personal data.
11. Rights of the Users
The User shall be entitled to: 11.1 Provide the Operator at their sole discretion with personal data for the processing in compliance with the terms and conditions set out in the Policy; 11.2 Enter at their own discretion modifications and amendments to their personal data in the respective section of the personal account, provided that such modifications and amendments contain relevant and authentic information; 11.3 Delete personal data by way of editing the respective section of the personal account; 11.4 Apply to the Operator with requests, in particular, to refine personal data or block personal data if such data are incomplete, obsolete, unauthentic, illegally gained or not necessary for the intended purpose of processing. Such request shall be made in the manner described in section 12 of the Policy; 11.5 Receive from the Operator in response to their request information regarding the processing of their personal data to the extent determined in clause 7 of article 14 of the Federal Law of 27 July, 2006, No. 152-FZ "On personal data". 11.6 Apply to the Operator, if the processing of personal data falls within the scope of GDPR, with a request to unload their personal data for the purpose of their transfer into information systems of other data controllers (as determined in clause 7 of article 4 of GDPR).
12. User requests
12.1 The User shall be entitled to send to the Operator their requests and inquiries (hereinafter, the Request) including those regarding the use of their personal data or those to revoke or give consent to the processing of personal data authorised for distribution by the personal data subject. Such Request can be sent in any of the following forms: 12.1.1 A written request to the Operator's address (section 14 of the Policy); 12.1.2 An e-document (or scanned/photocopied document). The document shall be sent from the User's email address specified when signing up on the Website or in the agreement as the designated email address to the Operator's email address: email@example.com/ 12.2 The Request sent by the User shall contain the following information: 12.2.1 Surname, middle name and given name of the User; 12.2.2 Information confirming the relationship between the User and the Operator (in particular, the login and password used to access the Website); 12.2.3 Subject of the Request; 12.2.4 Signature of the User or their legal representative. 12.3 The Operator shall review the User's Request in a manner including the following steps: 12.3.1 Registration of the Request in the User Request Log; 12.3.2 Verification of all requisite particulars of the Request; 12.3.3 Verification of the Request coherence; 12.3.4 Response to the Request. Subject to the content of the Request, the response may include: 18.104.22.168 Information on the processed personal data requested by the User; 22.214.171.124 Substantiated denial to provide the requested information on the processed personal data; 126.96.36.199 Notification of actions performed with the User's personal data in response to the Request. 12.4 Response to the Request shall be sent in a form consistent with the form of request, unless another form of Response is stipulated in the User's Request (as per clause 12.1 hereof).
13. Policy modifications
13.1 The Operator may enter modifications in the Policy. The User shall familiarize themselves with the text of Policy each time they use the Website. 13.2 An amended version of the Policy shall be deemed to have taken effect since the date on which it was posted in the respective section of the Operator's website. If the User continues to use the Website or its services after the amended version of the Policy has been published, the User shall be deemed to have accepted the Policy and its terms. If the User disagrees with the terms of the Policy, they shall immediately terminate the use of the Website and its services.
14. Banking details of the Operator. Person responsible for personal data processing:
Autonomous Non-Commercial Organization of Additional Education «Academy of Confectionary Art» Registered office: 118, Saltykova-Shchedrina St., apt. 71, Novosibirsk, Novosibirsk Oblast, Russia, 630132 PSRN 1215400030010 TIN 5407982134
Director of the Academy of Confectionary Art Pavel V. Khvostenko /__________________________
Person responsible for personal data processing: Pavel V. Khvostenko, Director of the Academy of Confectionary Art by Order No. ___ of ________ .
Director of the Academy of Confectionary Art Pavel V. Khvostenko /__________________________
Annex No.1 Personal Data Processing Policy 01 January, 2022
Consent of the minor User's legal representative to the processing of the minor's personal data
I, _______________________________, passport series ____ No.______ issued on ____________ by ___________________________________________________________________ as the legally authorized representative of ______________________________________________ hereby give the Academy of Confectionary Art, Autonomous Non-Commercial Organization of Additional Education my consent to the automated processing (specifically, performance of actions contemplated in Sec. 3 Art. 3 and Art. 15 of the Federal Law of 27 July, 2006, No. 152–FZ "On personal data") of the personal data of my child __________________________________________________________, posted on the website _______________________: for the purpose of entering into the Paid Education Service Subscription Agreement (executed by way of acceptance of the Public Offer to enter into a Paid Education Service Subscription Agreement of 01 January, 2022) in accordance with the Personal Data Processing Policy of 01 January, 2022 and receiving information from the Academy of Confectionary Art, Autonomous Non-Commercial Organization of Additional Education for a period necessary for the achievement of the purpose of personal data processing.
__________________ Date ________________/__________________ Full name Signature