Rules on personal data protection (Confidentiality policy)
General provisions
1.1. The present Rules on personal data protection (hereinafter «the Rules») establish binding rules and guarantees for the protection of personal data of visitors (users) of the web-site located on the Internet at https://gala-grp.com, and of other persons mentioned in the present Rules.
1.2. In some countries and regions, such as the European Union, legislation sets standards for the protection of natural persons’ data («personal data», used interchangeably with «data»), including the requirement that such data may be transferred to other countries only where an appropriate level of data protection is maintained at the place of destination.
1.3. The present Rules establish unified and suitable data protection standards within the company (Steuer Nr.: 085259679, AT76 1200 0100 2552 6731, Bank Austria, BKAUATWWXXX) as regards:
(a) personal data processing in regions such as the EU/European economic area (the EUA) (hereinafter collectively referred to as «the EU/EUA») and the Russian Federation, and
(b) cross-border transfer of personal data to companies outside the territory of the EU/EUA and the Russian Federation (including further processing there).
1.4. The Company is responsible for the personal data that it processes according to the user’s wishes and in compliance with the provisions of the EU national legislation and data protection. The user’s personal (individual) data will be processed by the Company only where this is permitted by law.
1.5. Users may contact the Company at the postal address:
Olga Shchukina, Linzackergasse 12/2, 1130 Wien. In addition to this postal address, users may also contact us by electronic mail at info@gala-grp.com.
1.6. The Company also engages suppliers of services, works and goods, including sponsors and partners (hereinafter «the Suppliers»). In the course of the data processing described below, these Suppliers may also receive the data and process it on behalf of the Company for the purposes stated below. The Company’s Suppliers include printing houses, marketing (advertising) agencies, event organizers, designers, decorators, event hosts, music bands, theater and concert organizations, logistics companies, payment service providers, tax and legal consultants, venue administrators (places where events are held), and other suppliers of services, works and goods.
1.7. The Rules apply to wholly or partly automated processing of personal data, and to non-automated processing in filing systems, if national legislation does not extend beyond their scope of application. The present Rules also apply to all employee data in paper form.
1.8. For simplicity, the present Rules refer to natural persons in the male form only. This is understood to cover persons of all gender identities.
1.9. The present Rules may also apply in countries outside the territory of the EU/EUA. In countries in which legal entities are protected to the same extent as personal data, the present Rules apply to the same extent to those legal entities.
1.10. The present Rules do not replace EU regulation or national laws. They supplement national data protection law. Such regulations and laws take priority if compliance with these Rules would result in a breach of national legislation. The present Rules must also be complied with where there are no corresponding national laws. If compliance with the present Rules would result in a breach of national legislation, or if national legislation requires regulations that differ from the present Rules, the Authorized person on matters of data protection must be informed within the framework of monitoring of data protection legislation. In the case of contradictions between national legislation and the present Rules, the Authorized person on matters of data protection and the central organization for matters of normative-legal regulation, jointly with the Company, will work to find a practical solution that meets the aims of the present Rules.
1.11. On any data protection matter, users may contact the Authorized person on matters of data protection by electronic mail at info@gala-grp.com or by post to Olga Shchukina, Linzackergasse 12/2, 1130 Wien.
Category of data
2.1. Personal data means any information relating to an identified or identifiable natural person (art. 4 (1) of the EU General Data Protection Regulation (the GDPR)).
2.2. The Company collects information about a user when the user interacts with the Company’s web-site, pages in social networks or applications (if available). The Company also receives such information from outside sources, including data suppliers, outside IT agencies, consultants and suppliers. The Company collects only such information as is necessary, relevant and adequate for the purpose for which the user provides it.
2.3. Part of this information does not personally identify the user, but provides the Company with information on the user’s use of the services and interaction with the Company (the Company uses this information to improve the services and make them more useful for users).
2.4. The information which the Company collects includes some or all of the following: surname, name, second name; year of birth; month of birth; date of birth; place of birth; address; family status; social status; property status; education; profession; income; special categories of personal data: state of health; image of face; and also: previous surname; previous name; previous second name; citizenship; migrant’s card/work permit; sex; photo; address of residence and/or actual residence; postal address; details of the identity document: name, series (if available) and number, date of issue, name of the issuing authority, subdivision code (if available) (these differ for RF citizens and for foreign citizens); taxpayer’s identification number; length of service; information from compulsory (voluntary) medical insurance policies; Certificate of Compulsory Pension Insurance (SNILS); information on education; information on salary; information on labor activity; information on military record; information on family status; information on presence of major children (data of birth certificate); information on instances of criminal, civil and administrative liability; bank details; landline and/or mobile phone numbers; electronic mail address; number of children (dependents); date of registration/date of start of residence; information on vehicles and immovable property owned; information about place of work (name, title, length of service, contact data); registration and authorization data (login, password, etc.); technical information on user devices and identifiers, including cookie files; information on user location; information on goods (services) bought and other data independently provided by users to the Company; pages which users visited on the web-site, functions which users used, and how long users visited the Company’s web-site; IP address; location via GPS (if the user permitted access thereto); Internet browser and devices used by the user; detailed information on any transactions between the user and the Company; records of «live chat»; any information in correspondence which the user sends; the user’s name and identification number in social networks; any information which the user publishes on the Company’s pages in social networks; messages in which the user uses a hashtag or mentions the Company; information on users’ actions on the pages in social networks as a whole (for example, time and date of publication, posts and likes); preferences in the field of direct marketing and advertising.
2.5. Any personal information which the Company receives directly from the user is provided on a voluntary basis. However, if the user does not provide the Company with such information, the user will not be able to receive certain services from the Company or from its suppliers, sponsors and partners, or to communicate with them effectively.
Purposes, principles and procedure for data processing
3.1. Personal data must be processed lawfully and in good faith. Data may be processed only where, and to the extent that, there are sufficient legal grounds for the processing.
3.2. Data processing within framework of contract relations
The personal data of a potential customer, client or partner (user) may be processed for the conclusion, performance and termination of a contract. This also includes servicing the client or partner, if such servicing is related to the purposes of the contract. Prior to the conclusion of the contract, personal data may be processed to prepare offers or orders, and to fulfil other requests from the potential customer related to the conclusion of the contract. During preparation of the contract, interested persons may be contacted using the data they have provided. Any restrictions stated by the interested persons must be complied with.
3.3. Data processing for advertising targets
If the data subject approaches the Company with a request for information (for example, a request for information materials about products (goods), services or works), data processing to satisfy that request is permitted. Measures to strengthen relations with clients and advertising activities require further legal prerequisites. Personal data may be processed for advertising purposes or for market and public opinion research, provided that such processing is consistent with the purpose for which the data was originally collected. The data subject must be informed in advance about the use of his personal data for advertising purposes. If data is collected exclusively for advertising purposes, its provision by the persons concerned is voluntary. The data subject must be informed that the provision of data for this purpose is voluntary. In the course of communication, consent must be obtained from the data subject. When giving consent, the data subject must be able to choose between the available communication channels, such as electronic mail and telephone. If the data subject objects to the use of his data for advertising purposes, the data may no longer be used for these purposes and must be restricted or blocked from such use. Restrictions going beyond this provision, which apply in some countries with respect to the use of data for advertising purposes, must be complied with.
3.4. Consent to data processing
Data may be processed on the basis of the consent of the person concerned. Before giving consent, the data subject must be informed in accordance with the present Rules. For evidentiary purposes, the declaration of consent should as a rule be submitted in written or electronic form. In certain circumstances (for example, during a consultation by phone), consent may be given orally, which must be documented.
3.5. Data processing on the basis of legitimate permission or duty
Personal data processing is allowed only if legislative norms require, presuppose or permit the data processing. The type and scope of the data processing must correspond to the requirements for data processing permitted on a legitimate basis and must be determined by those legislative norms.
3.6. Data processing on the basis of legitimate interest
Personal data may also be processed if this is necessary for legitimate interests. Legitimate interests are, as a rule, of a legal nature (for example, collection of outstanding debt) or a commercial nature (for example, prevention of breaches of contract). Processing may not be carried out on the basis of legitimate interest if, in the specific case, the interests of the data subject that are worthy of protection take precedence over the legitimate interests related to the processing. The interests worthy of protection must be checked for every processing operation.
3.7. Data processing within the framework of labor relations
Within the framework of labor relations, personal data may be processed where this is necessary to establish, carry out and terminate the labor relations. For the purpose of deciding whether to enter into labor relations, the personal data of candidates for positions may be processed. After a candidate is rejected, the candidate’s data must be deleted, subject to the evidence retention periods, unless the candidate has consented to further storage of his data for a later selection procedure. Consent is also needed to use the data for further application procedures for a vacant position. In existing labor relations, data processing must always be related to the purpose of the labor relations, except where one of the following grounds for permitting data processing applies. If, when establishing labor relations or during existing labor relations, additional information about the candidate must be collected from third parties, the corresponding requirements of national legislation must be complied with. In case of doubt, and where admissible, consent must be obtained from the data subject. For the processing of personal data that is related to labor relations but did not originally serve to establish or terminate the labor relations (employee data), one of the legitimate grounds mentioned below must exist.
3.8. Data processing on the basis of legitimate permission or duty
Employee data may also be processed if legislative norms require, presuppose or permit such data processing. The type and scope of the data processing must correspond to the requirements for data processing permitted on legitimate grounds and must be determined by those legislative norms. If the legislation allows freedom of action, the employee’s interests worthy of protection must be taken into account.
3.9. Collective agreement for data processing
If data processing goes beyond the purposes of performing the contract, it may be legitimate if it is permitted by a collective agreement. The regulations must cover the specific purpose requiring the data processing and must be drawn up in accordance with EU regulations and national legislation.
3.10. Consent to data processing by employer (employee)
Employee data may be processed on the basis of the consent of the employee concerned. Declarations of consent are given voluntarily. No sanctions may be imposed for refusing consent. Declarations of consent that are not given voluntarily are invalid. For evidentiary purposes, the declaration of consent should as a rule be provided in written or electronic form. If, in exceptional cases, circumstances prevent this, consent may be given orally. In any case, the giving of consent must be properly documented. Before giving consent, the data subject must be informed in accordance with the present Rules.
3.11. Data processing on the basis of legitimate interest
Employee data may also be processed if this is necessary for the Company’s legitimate interests. Legitimate interests are, as a rule, of a legal nature (for example, filing, pursuing or defending legal claims) or a commercial nature (for example, acceleration of business processes, evaluation of the Company). Before data processing begins, it must be determined whether there are interests worthy of protection. Employees’ personal data may be processed on the basis of legitimate interests if the employee’s interests worthy of protection do not prevail over the interests related to the processing. Control measures requiring the processing of employee data beyond the framework of labor relations (for example, the results of outcome) may not be taken unless there are legal or well-founded reasons for them. Even where well-founded reasons exist, the proportionality of the control measures must be considered. For this purpose, the Company’s legitimate interests in taking the control measures (for example, compliance with the requirements of legislation and the Company’s internal rules) must be proportionate to the possible legitimate interests of the employee concerned in excluding the measure. Such measures may be taken only if they are appropriate in the specific case. Before any measures are taken, the Company’s legitimate interests and the possible legitimate interests of the employee must be determined and documented. In addition, other requirements of current legislation must be taken into account (for example, the right of workers and officers to participate in the management of production and the right of data subjects to receive information).
3.12. Processing of strictly confidential data
Strictly confidential personal data may be processed only if this is permitted or prescribed by legislation. The Company may process such data, in particular, if the data subject has given explicit consent to such processing, if the processing is necessary for filing, pursuing and defending legal claims with respect to the data subject, or if the processing is necessary to exercise rights and obligations in the field of labor or social law. Where processing of strictly confidential data is required, the Authorized person on matters of data protection must be notified.
3.13. Obligation to inform/transparency
The responsible structural subdivision must inform data subjects about the purposes and circumstances of the processing of their personal data in accordance with articles 13 and 14 of the GDPR. If the data is not within the scope of the General Data Protection Regulation (the GDPR), the information is to be provided in accordance with the applicable national legislation. The information must be provided in an accurate, transparent, intelligible and easily accessible form, in clear and simple language. The requirements of the Authorized person on matters of data protection and of the Subdivision of normative-legal compliance of the data (the Data Compliance) must be complied with. This information must always be provided when personal data is first collected. If the Company receives personal data from a third party, it must provide the information about this to the data subject within a reasonable period of time after receipt of the data, except where:
– the data subject already has this information, or
– it would be impossible to provide this information, or
– it would be extremely difficult to provide this information.
3.14. Personal data may be processed only for legitimate purposes defined prior to the data collection. A subsequent change in the purpose of processing is allowed only if the processing is compatible with the purposes for which the personal data was originally collected.
3.15. Any processing of personal data must be limited, in both quantity and quality, to what is needed to achieve the purposes for which the data is processed on legitimate grounds. This must also be taken into account when defining the scope of data to be collected. Where the purpose allows, and the effort is proportionate to the intended purpose, anonymous or statistical data should be used.
3.16. Stored personal data must be objectively accurate and, where necessary, up to date. The responsible structural subdivision must take appropriate measures for the deletion, correction, addition or updating of incomplete data.
3.17. Personal data may be stored only for as long as it is needed for the purpose for which it is processed. This means that personal data must be deleted or anonymized as soon as the purpose for which it was processed has been achieved or the need to achieve it has ceased for any reason, except where storage or evidence requirements remain in effect. The persons responsible for individual procedures must ensure that deletion or anonymization is carried out within their own procedures. Each system must have a procedure for manual and automated deletion. Requests from data subjects for deletion or removal of personal identifiers must be technically possible to fulfil in the systems.
3.18. Personal data must be protected from unauthorized access and unlawful processing or transfer, and from accidental loss, alteration or destruction. Before new methods of data processing, in particular new IT systems, are introduced, technical and organizational measures for personal data protection must be defined and implemented. These measures must be based on the current state of technology, the risks of processing and the need for data protection. The technical and organizational measures for data protection must be documented by the responsible person as part of the evaluation of the effect on data protection and the Register of data processing.
Cross-border transfer of data
4.1. Personal data is transferred to a receiver outside or within the Company subject to compliance with the requirements for admissibility of personal data processing in accordance with the present section. The data receiver must use the data only for the defined purposes. Cross-border transfer of personal data (including the provision of access from another country) must be made in compliance with the corresponding national requirements for the transfer of personal data abroad.
4.2. In particular, personal data from EU/EUA countries may be processed in a third country only if the receiver can prove that it has a level of data protection corresponding to the present Rules. Suitable tools may be:
– an agreement on the EU standard contractual conditions,
– the receiver’s participation in an EU-accredited certification system for ensuring a proper level of data protection, or
– recognition by the responsible supervisory authorities of the receiver’s binding corporate rules for creating an adequate level of data protection.
The transfer of personal data to any state authority is allowed only if it is not massive, disproportionate or indiscriminate and, in this context, does not go beyond what is necessary in a democratic society. If contradictions arise between these requirements and the requirements of state authorities, the Company will work to find a practical solution that meets the aims of the present Rules. All obligations listed in the present section are third-party beneficiary rights for the data subject.
Evaluation of the effect on data protection
5.1. When new processing operations are introduced, or existing processing operations are significantly changed, in particular through the use of new technologies, the Company must evaluate whether the processing presents a high level of risk for the confidentiality of data subjects. In doing so, the nature, scope, context and purpose of the data processing must be taken into account. As part of the risk analysis, the responsible structural business subdivision carries out an evaluation of the effect of the planned processing on personal data protection (the evaluation of effect on data protection). If, after the evaluation of effect on data protection and the taking of corresponding measures to reduce the risk, a high risk remains for the rights and freedoms of data subjects, the Authorized person on matters of data protection must be informed so that the Authorized person can consult the responsible data protection supervisory authority. The provisions established by the Company for carrying out the evaluation of effect on data protection (for example, software tools, documentation regulations) must be complied with.
Documentation on data processing procedures
6.1. The Company must document its personal data processing procedures in the register of data processing. The register must be kept in written form (including electronic form) and provided to the data protection supervisory authority on request. The provisions established by the Company for keeping documentation (for example, software tools, documentation regulations) must be complied with.
User rights
7.1. If the user has any questions about personal data processing, the Company is obliged to provide information about the data relating to the user (article 15 of GDPR).
7.2. In addition, the user has the right to correction (article 16 of GDPR), deletion (article 17 of GDPR), limitation of processing (article 18 of GDPR), objection (article 21 of GDPR) and data transfer (article 20 of GDPR).
In all these cases, the user should contact the Company or the Authorized person on matters of data protection at the addresses stated in the present Rules.
7.3. The user also has the right to file a petition with the competent data protection supervisory authority (article 77 of GDPR).
Periods of data storage
8.1. If the Company has legal relations with the user or employee under a contract, the Company stores the information for 6 years from the date of termination of such relations, including in order to bring, file or defend legal claims.
8.2. If the Company received the information following a request for information, a brochure, a commercial offer or any other information on any of its products or services, the Company stores the information for 1 year and 6 months from the date of collection of such information, if no contractual relations have been concluded during this period.
If the user has consented to receive marketing information, regardless of whether or not the Company has the supposed relations on the basis of a request for information, the Company will store the information needed for marketing advertising for 3 years and 6 months from the date the consent was given. Each time the user gives consent, the period is renewed.
8.3. The sole exceptions to the periods mentioned above are cases where:
8.3.1. The law requires the Company to store the information for a longer period or to delete it earlier;
8.3.2. The user has filed a suit or petition, or has a concern with respect to a product or service offered by the Company, in which case the Company will store the information for 6 years after the date of this petition or request; or
8.3.3. The user has exercised his right to delete the information (where applicable), and the Company does not need to store it for any of the reasons permitted or required by law.