1. General Provisions1.1. This Privacy and Personal Data Processing Policy (hereinafter referred to as the "Policy") has been drawn up in accordance with Article 24 and Chapter IV of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applies to all personal data processed by DDA REAL ESTATE SPB LLC (hereinafter referred to as the "Company" or "Controller"). 1.2. The purpose of this Policy is to define the categories of personal data processed by the Company, as well as the core principles that the Company follows when processing personal data. 1.3. The provisions of this Policy are binding on all employees of the Company, organisations receiving or providing personal data to the Company, as well as individuals who are in a contractual relationship with the Company. 1.4. The following terms are used in this Policy:
Personal data – any information relating to an identified or identifiable natural person ("Data Subject") (Article 4(1) of the GDPR);
Processing of personal data – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the GDPR);
Dissemination of personal data – actions aimed at disclosing the Personal Data of the Data Subject to an indefinite circle of persons;
Provision of personal data – actions aimed at disclosing the Personal Data of the Data Subject to a specific person or a specific circle of persons;
Restriction of processing (Blocking) – the marking of stored personal data with the aim of limiting their processing in the future (Article 4(3) of the GDPR);
Destruction (Erasure) of personal data – actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which the physical media of personal data are destroyed;
Pseudonymisation (Anonymisation) – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (Article 4(5) of the GDPR);
Documented information – information recorded on a material carrier by means of documentation with details allowing to identify such information or its material carrier;
Automated processing of personal data – the processing of personal data using computer technology;
Information system of personal data – a set of personal data contained in databases and information technologies and technical means ensuring their processing;
Confidentiality of personal data – the obligation of the Company and other persons who have gained access to personal data not to disclose to third parties and not to disseminate personal data without the consent of the data subject, unless otherwise provided by law. 1.5. Data Subjects or their legal representatives have the right (pursuant to Chapter III of the GDPR):
- To receive full information about their personal data and the processing of such data (including automated processing);
- To have free and unhindered access to their personal data, including the right to obtain copies of any record containing the personal data of the subject, except as provided by law;
- To demand the rectification or completion of incorrect or incomplete personal data, as well as data the processing of which violates applicable law (Right to Rectification / Right to Erasure);
- To require the Company or its authorized person to notify all persons to whom the incorrect or incomplete personal data of the subject were previously communicated of all changes or exclusions made to them. 1.6. Data Subjects or their legal representatives are obliged:
- To provide the Company with personal data that corresponds to reality;
- To promptly notify the Company of all changes in personal data. 1.7. The Company has the right to process personal data provided that there are lawful bases for processing (Article 6 of the GDPR), that the processing matches the stated purposes, and complies with applicable data protection laws, this Policy, and other local acts of the Company. 1.8. The Company is obliged:
- to ensure the protection of personal data at its own expense against unlawful use or loss in accordance with applicable law;
- to provide the data subject, upon request, with information regarding the processing of their personal data, or to provide a reasoned refusal on legal grounds;
- to provide the data subject with free access to their personal data, including the right to obtain copies of any record containing their personal data, except as provided by law;
- at the request of the data subject, to rectify, restrict, or erase the processed personal data if the personal data is incomplete, outdated, inaccurate, unlawfully obtained, or is no longer necessary for the stated purpose of processing;
- to maintain a log of data subject requests, which must record requests for personal data as well as the facts of providing personal data in response to these requests;
- to notify the data subject of the processing of personal data if the personal data was not obtained directly from the data subject (Article 14 of the GDPR);
- if the purpose of personal data processing is achieved, to immediately cease processing and destroy the relevant personal data within a period not exceeding thirty days from the date the purpose is achieved, unless otherwise provided by law;
- if the data subject submits a request to withdraw consent or object to processing, to cease processing and destroy the personal data within a period not exceeding thirty days from the date of receipt of the said request. This period may be extended by no more than five working days if the Company sends a reasoned notification to the data subject stating the reasons for the extension. The Company has the right to continue processing personal data in cases where there is another legal basis for processing pursuant to Article 6(1) and Articles 9-10 of the GDPR;
- to provide the personal data of the subject only to authorized persons and only to the extent necessary for them to perform their duties in accordance with this Policy and applicable law.
2. Purposes of Personal Data Processing2.1. Specific purposes of processing are defined and approved by the Company for each category of personal data. Processing of personal data that is incompatible with the approved purposes is not permitted (Purpose Limitation principle, Article 5(1)(b) of the GDPR). 2.2. The specific purposes of processing personal data are formed based on the concluded service contract, additional service agreements, and other documents concluded between the data subject and the Company. 2.3. Processed personal data shall be destroyed or anonymised upon expiry of the retention period, achievement of processing purposes, or when the need to achieve these purposes is lost, unless otherwise provided by law.
3. Procedure and Conditions for Personal Data Processing3.1. The Company receives all personal data directly from the data subject, their representative, or from a person who has instructed the Company to process personal data on legal grounds, except as otherwise provided by law. 3.2. Processing of personal data is carried out with the consent of the data subject, except as provided by other lawful bases under Article 6 of the GDPR. Consent may be expressed in various forms that allow confirming the fact of its receipt, including by unambiguous affirmative actions (conclusive actions), in writing as a separate document, or as part of a document signed by the subject. Consent may be given by a representative of the subject, provided they supply evidence of their authority. 3.3. Consent to the processing of personal data may be withdrawn by the data subject at any time (Article 7(3) of the GDPR). In cases provided by law, the processing of personal data may be continued even after the withdrawal of consent if another lawful basis exists. 3.4. When making decisions affecting the interests of the subject, the Company never bases them solely on automated processing, including profiling, which produces legal effects concerning him or her (Article 22 of the GDPR). 3.5. Personal data shall not be used for the purpose of causing material and/or moral harm to citizens, or hindering the realization of the rights and freedoms of individuals. 3.6. Access to personal data is restricted to employees of the Company who require the personal data for the performance of their official duties. 3.7. Disclosure of personal data to third parties is carried out only with the explicit consent of the subject, unless otherwise provided by law. 3.8. The Company has the right to transfer personal data to law enforcement authorities, investigative bodies, and other authorized state bodies on the grounds provided by applicable law. 3.9. The transfer of the data subject's personal data for commercial purposes without their explicit written consent is prohibited. 3.10. If it is necessary for the Company to transfer personal data to third parties (Data Processors), it shall be carried out only after signing a Data Processing Agreement (DPA) and a non-disclosure agreement in accordance with Article 28 of the GDPR, except as provided by law. 3.11. Processing of personal data is carried out both with the use of computer technology (automated) and without the use of such tools (manual processing). 3.12. The periods for personal data processing by the Company are determined in accordance with the periods established by applicable data protection laws; the validity period of the relevant contract; the periods specified in the data processing instruction; statutory archiving periods; the statute of limitations; the validity period of the consent given by the data subject; as well as other requirements of applicable legislation. 3.13. When processing personal data without the use of automation tools, it shall be segregated from other information, in particular by recording it on separate material data carriers (hereinafter referred to as material carriers), in special sections, or on the fields of forms. 3.14. When recording personal data on material carriers, it is not allowed to record personal data on a single material carrier if the purposes of processing are clearly incompatible. To process different categories of personal data without automation tools, a separate material carrier shall be used for each category. 3.15. Persons performing the processing of personal data without automation tools must be informed about the fact of processing, the categories of personal data being processed, as well as the specific rules for carrying out such processing. 3.16. When using standard document forms to be filled in by the data subject by hand, the nature of the information in which implies or permits the inclusion of personal data (hereinafter referred to as the "standard form"), the following conditions shall be met:
- the standard form or related documents must contain information about the purpose of processing, the name and address of the Company, the full name and address of the data subject, the source of personal data, processing periods, and a list of processing actions;
- the standard form must provide a field where the data subject can tick a box to signify their explicit consent to the processing – where written consent is required;
- the standard form must be designed in such a way that each data subject has the opportunity to familiarize themselves with their own data without violating the rights and legitimate interests of other data subjects;
- the standard form must exclude the combining of fields intended for entering personal data whose purposes of processing are clearly incompatible. 3.18. Personal data shall be destroyed upon achieving the purposes of processing, loss of the need to achieve them, expiration of the storage period, detection of unlawful processing, or at the request of the data subject/Controller within a period not exceeding ten working days. This period may be extended by no more than five working days if a reasoned notification is sent to the data subject. Destruction is carried out in the presence of an appointed internal commission, and an erasure report (act of destruction) is drawn up. 3.19. Cross-border transfer of personal data outside the European Economic Area (EEA) is not carried out by the Company. If such a transfer becomes necessary, it will only be executed in compliance with Chapter V of the GDPR (e.g., based on Adequacy Decisions or Standard Contractual Clauses).
4. Protection of Personal Data4.1. The Company ensures the technical and organizational protection of the data subject's personal data against unauthorized or accidental access, destruction, alteration, blocking, copying, dissemination, as well as against other unlawful actions (Article 32 of the GDPR). 4.2. Protection of personal data is ensured by implementing a complex set of organizational and technical measures that guarantee data security in accordance with applicable laws and local regulations. 4.3. All protective measures during the collection, processing, storage, and transfer of personal data apply to both paper-based and electronic (automated) media.
5. Update, Rectification, Erasure, and Destruction of Personal Data5.1. The Company has the right to supplement, change, restrict, or erase personal data in accordance with applicable data protection regulations. 5.2. At the request of the data subject, the Company is obliged (pursuant to Articles 15-21 of the GDPR):
- to provide confirmation as to whether or not personal data concerning him or her are being processed;
- to provide access to the personal data and information regarding its processing;
- to rectify inaccurate or outdated personal data;
- to restrict or erase personal data if it was unlawfully obtained, is no longer necessary for the stated purpose, or if the subject has withdrawn consent and there is no other legal ground for processing. 5.3. A request from a data subject should ideally be sent to the Company in writing and contain the identity details of the data subject or their legal representative, and the handwritten or qualified electronic signature of the data subject or their representative. 5.4. The request can be sent in electronic form and signed with an electronic signature in accordance with applicable law to the email address: ddarespb@yandex.ru. 5.5. Upon receipt of a request, the responsible employee of the Company is obliged to register it in the log of data subject requests. 5.6. A response or a reasoned refusal must be sent within one month (thirty days) from the date of receipt of the request (in accordance with Article 12(3) of the GDPR). This period may be extended by two further months where necessary, taking into account the complexity and number of the requests, provided the data subject is informed within one month of receipt. The response shall be provided in the same form as the request unless otherwise requested by the data subject.
6. Amendments to the Policy6.1. The Company has the right to amend this Policy. When changes are made, the date of the last update shall be indicated at the top of the Policy. The new version of the Policy comes into force from the moment it is posted on the Company's website, unless otherwise provided. 6.2. The current version is kept at the location of the executive body of the Company at:
Office/Premises No. 101/a2, Room 1-N, Manezhny lane, 14 Litera A, Saint Petersburg, 191123, or can be accessed electronically on the Company's website at:
https://dda-re.com/. 6.3. This Policy and the relations between the data subjects and the Controller shall be governed by applicable data protection laws (GDPR / national data protection laws).
7. Feedback
7.1. Email address:
ddarespb@yandex.ru 7.2. Postal address:
Office/Premises No. 101/a2, Room 1-N, Manezhny lane, 14 Litera A, Saint Petersburg, 191123