1. General Provisions
1.1. This Policy defines the goals, objectives, and key measures for ensuring the security of personal data in "AIRGLOBUS" (hereinafter referred to as the Company) against unauthorized access, unlawful use, or loss.
1.2. This Policy is developed in accordance with the current legislation of the Russian Federation on personal data protection:
- 1.2.1. Federal Law No. 152-FZ of 27.07.2006 "On Personal Data";
- 1.2.2. Decree of the Government of the Russian Federation No. 687 of 15.09.2008 "On approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools";
- 1.2.3. Decree of the Government of the Russian Federation No. 1119 of 01.11.2012 "On approval of requirements for the protection of personal data during their processing in personal data information systems".
1.3. This Policy forms the basis for developing the Company’s internal regulations on personal data security.
1.4. This Policy applies to Company employees and employees of third-party organizations interacting with the Company based on regulatory, legal, or administrative documents.
2. Terms and Abbreviations
- Personal Data (PD): Any information relating directly or indirectly to an identified or identifiable individual (personal data subject).
- Personal Data Processing: Any action (operation) or set of actions (operations) performed with or without automation tools, including collection, recording, systematization, accumulation, storage, updating, extraction, use, transfer, anonymization, blocking, deletion, and destruction.
- Automated Processing: Processing of personal data using computing technology.
- Personal Data Information System (PDIS): A set of personal data contained in databases and technologies/tools used for processing them.
- Publicly Available PD: PD made accessible to an unlimited number of persons by the subject or at their request.
- Blocking: Temporary suspension of processing (except where necessary for clarification).
- Destruction: Irrecoverable erasure of PD from PDIS or physical media.
3. Personal Data Processing
3.1. Data Collection
3.1.1. PD must be collected directly from the subject. If collected from third parties, the subject must be informed or give consent.
3.1.2. The operator must inform the subject about the purposes, sources, methods, actions, duration of consent, withdrawal procedures, and consequences of refusal.
3.1.3. PD can be documented by:
- Copying original documents (passport, education certificates, tax ID, pension ID);
- Entering information into registration forms;
- Receiving originals of required documents (employment record, reference letters, etc.).
3.2. Data Processing
3.2.1. Processing is carried out:
- With the subject's consent;
- If required to fulfill legal obligations of the Company;
- If data is made publicly available by the subject or upon their request.
3.2.2. Processing purposes:
- Compliance with RF law (HR, accounting, labor laws);
- Fulfillment of contracts with AIRGLOBUS clients;
- Booking services for flights and air transport;
- Marketing services;
- Loyalty programs for individuals.
3.2.3. Data subjects:
- Employees (past and present), their relatives, job applicants, clients requesting services, and persons listed in contracts or callback forms.
3.2.4. Types of data:
- Data obtained in employment relationships;
- Data obtained in civil law relationships.
3.3. Data Storage
3.3.1. PD can be stored on paper or electronically.
3.3.2. Paper documents are stored in fireproof locked cabinets.
3.3.3. Electronic PD is organized into separate folders based on purpose.
3.3.4. PD must not be stored in open file-sharing systems.
3.3.5. Data is retained no longer than necessary and destroyed once the purpose is achieved or becomes irrelevant.
3.4. Data Destruction
3.4.1. Paper documents are destroyed by burning or shredding.
3.4.2. Electronic PD is deleted by erasing or formatting the storage device.
3.4.3. A commission conducts and documents destruction with an official report.
3.5. Data Transfer
3.5.1. PD may be entrusted to third parties if:
- The subject consents;
- Required by Russian or applicable law.
3.5.2. Third-party recipients:
- Russian Pension Fund (for legal accounting);
- Russian tax authorities (for legal compliance).
4. Personal Data Protection
4.1. The Company has a Personal Data Protection System (PDPS) consisting of legal, organizational, and technical subsystems.
4.2. Legal subsystem: A set of documents ensuring creation, operation, and improvement of the PDPS.
4.3. Organizational subsystem: Includes management structure, access control, employee and third-party protocols, publication and PR procedures, and analytics.
4.4. Technical subsystem: Certified tools (hardware/software) ensuring PD protection.
4.5. Main protective measures include:
- Appointing a responsible data officer;
- Identifying security threats and implementing protection measures;
- Developing local regulations;
- Setting access rules and audit trails;
- Assigning personal access credentials;
- Using certified data protection tools;
- Installing certified antivirus software and firewalls;
- Preventing unauthorized access;
- Detecting and responding to data breaches;
- Recovering lost/damaged data;
- Employee training on legal and regulatory data protection requirements;
- Performing internal audits and monitoring.
5. Data Subject Rights and Operator Obligations
5.1. Data Subject Rights
5.1.1. Subjects may request correction, blocking, or destruction of incomplete, outdated, inaccurate, illegally obtained, or irrelevant PD.
5.1.2. Subjects may request the following information:
- Confirmation of processing;
- Legal basis and purpose;
- Methods used;
- Operator’s name, address, and list of those granted access;
- Processed data and its sources;
- Duration of processing/storage;
- Rights under the law;
- Information on cross-border transfers;
- Name and contact of the processor (if outsourced);
- Any other information provided by law.
5.1.3. Right to contact the operator and submit requests.
5.1.4. Right to appeal operator actions or inaction.
5.2. Operator Obligations
The operator must:
- Provide the subject with information upon request;
- Notify the subject if data was obtained from a third party;
- Inform of legal consequences if consent is refused;
- Publish the privacy policy and access control measures;
- Take legal, organizational, and technical measures to protect PD from unlawful access, destruction, modification, copying, disclosure, or distribution;
- Respond to subject and authority inquiries.