POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
LLC “KRAFT KITCHEN KIEVSKAYA”, restaurant “Grande Osteria” (hereinafter referred to as the “Company” or the “Operator”)

1. General Provisions
1.1. This Policy of the Company regarding the processing of personal data (hereinafter – the “Policy”) has been developed in accordance with the requirements of paragraph 2, part 1, article 18.1 of the Federal Law No. 152-FZ “On Personal Data” dated 27.07.2006 (hereinafter – the “Personal Data Law”) in order to ensure the protection of the rights and freedoms of individuals in the processing of their personal data, including the protection of the right to privacy, personal and family confidentiality.
1.2. This Policy applies to all personal data processed by the Company (hereinafter – the “Operator”).
1.3. This Policy applies to relations in the field of personal data processing that arose both before and after the approval of this Policy.
1.4. In accordance with part 2 of article 18.1 of the Personal Data Law, this Policy is published for free access on the Operator’s website via the Internet.
1.5. This document defines the privacy policy regarding personal data (hereinafter – the “Policy”) in relation to Users of the website https://grandeosteria.ru/ (hereinafter – the “Website”) of the Operator, LLC “KRAFT KITCHEN KIEVSKAYA” (119607, Moscow, Ulitsa Udaltsova 85B, OGRN 1177746311203, INN 7730232896, KPP 773001001).
1.6. Use of the Website functionality by the User, completion and/or submission of the User’s personal data through relevant electronic feedback/information collection forms on the Website or via email/messengers (linked through the Website), as well as the User’s registration on the Website (if such an option is available), constitutes consent to this Policy.
1.7. The Operator processes the personal data of the Website User on the basis of their voluntary, specific, and explicit consent, freely given by the User through a clear affirmative action (conclusive act), namely: when filling out and submitting their personal data through the relevant feedback forms on the Website (Active User), and/or during registration on the Website and/or confirmation of their mobile phone number by SMS code (Registered User), if such an option is available, or by transmitting personal data via email or messengers linked to the Website. By submitting their personal data through any of the listed methods, the User consents to the processing of their personal data in accordance with this Policy and acknowledges that they provide such personal data for the Operator to use in providing services and disclosing them to third parties.
1.8. If the User disagrees with the terms of the Policy, they have the right to stop using the Website and other services of the Operator/withdraw their consent.
1.9. This Policy applies only to the Website and services of the Operator. The Operator does not control and is not responsible for third-party websites to which the User may navigate through links available on the Website or in applications. The Operator does not verify the accuracy of the personal data provided by the User during registration.
1.10. This Policy applies to any information that may be obtained about the User during their use of the Website’s functionality.
1.11. The categories of personal data subjects (hereinafter – “PD Subjects”) whose personal data is processed by the Operator and, on its behalf, by Data Processors include:

  • Visitors of the Website (Users);
  • Users who have filled out and submitted their personal data via relevant feedback forms on the Website (Active Users);
  • Users who have completed registration/authorization on the Website (with a personal account), if such an option is available (Registered Users);
  • Mobile Application Users (Registered Users), if such an option is available.
1.12. Consent to provide personal data is given by the personal data subject in accordance with this Policy.
1.13. The Operator is entitled to transfer personal data of PD Subjects to its partners for the provision of Website services. The Operator and its Data Processors ensure the security and confidentiality of all information used on the Website.
1.14. Consent to provide personal data is valid until the purpose of processing has been achieved, or until consent is withdrawn, in the manner provided by this Policy.
1.15. The period of processing personal data: from the date of provision until the achievement of processing purposes or withdrawal of consent by the data subject.
1.16. The Operator guarantees that personal data processing is not carried out longer than necessary to achieve the stated purposes. The Operator takes measures to ensure the relevance and accuracy of processed personal data, as well as their clarification/deletion in cases provided by law.


2. Terms and Definitions


  • Personal Data Subject (PD Subject) – an individual whose personal data is being processed.
  • Personal Data (PD) – any information relating directly or indirectly to an identified or identifiable individual (personal data subject).
  • Personal Data Authorized by the Subject for Distribution – personal data to which an unlimited number of persons are granted access by the subject through consent for processing and distribution.
  • Personal Data Operator (Operator) – a state or municipal authority, legal entity, or individual that independently or jointly with others organizes and/or carries out the processing of personal data, as well as determines the purposes of processing, the composition of personal data, and the actions (operations) performed with personal data.
  • Processing of Personal Data – any action (operation) or set of actions performed on personal data, with or without the use of automation tools, including:
      • collection;
      • recording;
      • systematization;
      • accumulation;
      • storage;
      • clarification (updating, modification);
      • retrieval;
      • use;
      • transfer (provision, access);
      • dissemination;
      • anonymization;
      • blocking;
      • deletion;
      • destruction.
  • Automated Processing of Personal Data – processing of personal data using computer technology.
  • Provision of Personal Data – actions aimed at disclosing personal data to a specific person or group of persons.
  • Blocking of Personal Data – temporary suspension of personal data processing (except where processing is necessary to clarify data).
  • Destruction of Personal Data – actions making it impossible to restore the content of personal data in an information system or resulting in the destruction of tangible carriers of personal data.
  • Anonymization of Personal Data – actions making it impossible, without additional information, to determine the identity of the data subject.
  • Personal Data Information System – a set of databases containing personal data and information technologies and tools that process them.
  • Cross-Border Transfer of Personal Data – transfer of personal data to the territory of a foreign state, to its government authority, foreign individual, or foreign legal entity.
  • Website https://grandeosteria.ru/ – a site consisting of several interlinked web pages hosting the Operator’s information, where the User can place an order, conclude and execute a sales agreement for goods/catering services remotely (if such option is available), and use other privileges in receiving catering services.
  • Registered User – a personal data subject, a Website User who has registered a personal account on https://grandeosteria.ru/.
  • Electronic Cash Receipt – a primary accounting document generated electronically at the time of transaction, containing information about the payment, confirming its completion, and complying with the requirements of Russian legislation on cash register use.
  • Cookie – a small piece of data sent by a web server and stored on the User’s computer, transmitted each time the browser sends an HTTP request to the web server when accessing a page of the Website.
  • IP Address – a unique network address of a node in a computer network built on the IP protocol.
  • User – a personal data subject visiting https://grandeosteria.ru/ and using the Website’s services.


3. Procedure, Conditions for Processing, and Storage of Personal Data


3.1. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Russian Federation.
3.2. Personal data is processed with the consent of personal data subjects to the processing of their personal data, as well as without such consent in cases provided for by the legislation of the Russian Federation.
3.3. By completing and submitting personal data via the relevant electronic feedback/messenger forms on the Website and/or by registering/logging in on the Website (if such an option is available), the User gives the Operator consent to process their personal data by automated and non-automated means, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (provision, access), anonymization, blocking, deletion, and destruction of personal data for the purposes set out in this Policy. Consent to the processing of personal data is expressed at the time the User fills out and submits personal data via the relevant feedback forms on the Website, and also when registering/logging in on the Website and confirming their mobile phone number by SMS code. The Operator receives personal data directly from the User when they fill out and submit personal data via the relevant feedback forms on the Website and when they register/log in on the Website.
3.4. Consent to the processing of personal data permitted by the personal data subject for dissemination may be provided to the Operator:
• directly;
• using an information system.
3.5. The Operator performs both automated and non-automated processing of personal data.
3.6. Employees of the Operator whose job duties include the processing of personal data are permitted to process personal data.

3.7. Personal data is processed by:
• obtaining personal data in oral and/or written form directly with the consent of the personal data subject to process or disseminate their personal data;
• entering personal data into the Operator’s journals, registers, and information systems;
• using other methods of processing personal data.

3.8. Disclosure to third parties and dissemination of personal data without the consent of the personal data subject is not permitted unless otherwise provided by federal law.
3.9. Transfer of personal data to inquiry and investigative bodies, the Federal Tax Service, the Pension Fund, the Social Insurance Fund, and other authorized executive authorities and organizations is carried out in accordance with the requirements of the legislation of the Russian Federation.

3.10. The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, dissemination, and other unauthorized actions, including:
• determining threats to the security of personal data during processing;
• adopting local regulations and other documents governing relations in the field of processing and protection of personal data;
• appointing persons responsible for ensuring the security of personal data in the Operator’s structural divisions and information systems;
• creating the necessary conditions for working with personal data;
• organizing the accounting of documents containing personal data;
• organizing the operation of information systems in which personal data is processed;
• storing personal data under conditions that ensure its preservation and exclude unauthorized access;
• organizing training for the Operator’s employees who process personal data.

3.11. The Operator stores personal data in a form that allows identification of the personal data subject no longer than required by the purposes of personal data processing, unless the storage period is established by federal law, contract, or agreement.
3.12. When collecting personal data, including via the information and telecommunication network Internet, the Operator ensures the recording, systematization, accumulation, storage, clarification (updating, modification), and retrieval of personal data of citizens of the Russian Federation using databases located within the territory of the Russian Federation, except in cases specified by the Personal Data Law.

3.13. When a User registers on the Website (creates a personal account) (if such an option is available), the Operator receives the following personal data of the Registered User:
• Surname;
• First name;
• Patronymic;
• Gender;
• Phone number;
• Date of birth;
• Email address;
• Delivery address;
• History of services provided and being provided to the Registered User, order history, and purchase history of the Registered User;
• History of requests by the Registered User to the Operator and interactions with the Operator.

3.14. When the User completes and submits the relevant electronic (feedback) forms on the Website, the Operator receives the following data of the Active User:
• Surname;
• First name;
• Patronymic;
• Gender;
• Phone number;
• Date of birth;
• Email address;
• Delivery address;
• History of services provided and being provided to the Registered User, order history, and purchase history of the Registered User;
• History of requests by the Registered User to the Operator and interactions with the Operator.

3.15. The Operator may analyze Website User preferences and monitor consumer behavior using a third-party analytics service placed on the Website. The analytics service collects:
• IP address;
• information from the Website’s cookies;
• geolocation information;
• browser language;
• external referrer to the Website;
• device model;
• operating system;
• browser type and version;
• screen size information.

3.16. The Website uses first-party cookie technology to tailor its operation to the User personally. Disabling cookies may result in the inability to access parts of the Website that require authorization. If the User wishes to disable this feature, they must use their browser’s cookie settings.

3.17. The Website also contains so-called “social plugins” — buttons of the VKontakte and Telegram networks, etc. If the PD Subject is a member of a social network and clicks the corresponding social plugin, the owner of that social network may link information about the Website visit to the User’s profile in that social network.

3.18. The Website contains links to third-party sites. The Operator is not responsible for the information published on such sites and provides links solely to enable the use of the Website’s functionality and for the convenience of Website Visitors.

3.19. The Website Operator processes the User’s personal data to enable the use of the Website’s functionality and to ensure the most convenient and beneficial mutual cooperation (including remote sales contracts and order delivery), namely:
• for using the Website’s functionality in the form of Website registration (creating a personal account) to identify the User, to place orders and/or conclude and perform a remote sales contract for goods/catering services, to view bonus balance (if available), to edit personal information, and to send messages via the feedback form. In this case, the User’s email address and phone number are used to manage the account on the Website and other Website applications that require registration by email and phone;
• for conducting statistical and marketing research, analyzing preferences, and monitoring consumer behavior of the User; analysis and monitoring may be performed, among other things, using a third-party analytics service;
• for providing delivery services for the Order;
• for sending electronic receipts via electronic communications networks to the email address regarding purchases made on the Website;
• for receiving personalized information about vacancies and services on the Website as a response/comment to the electronic feedback form completed by the User. The Operator respects the Registered User’s freedom to receive only those emails they wish to receive. Each Registered User voluntarily chooses whether to subscribe to mailings.

3.20. For the use of the Website, it is not important to the Operator and the Processors acting on its behalf whether the PD Subject uses their real name, gender, or age.

3.21. The Website does not collect biometric data of PD Subjects. The Website does not require the User to upload their image to use the Website’s functionality. The User must not violate the personal, copyright, exclusive, or patent rights of third parties by transmitting any data of a personal nature, including the use of any images, to use the Website’s functionality. The Operator and the Processors acting on its behalf do not perform cross-border transfers of personal data.

3.22. The PD Subject has the right to make changes and additions to their personal data if the personal data is outdated, inaccurate, or incomplete for any reason.

3.23. All personal data processed by the Operator constitutes confidential, strictly protected information in accordance with the legislation of the Russian Federation.

3.24. When previously entered personal data changes, the PD Subject has the right to notify the Operator by contacting the Operator, or via email, and/or in the Personal Account or by other means of communication, to request clarification of their personal data. Adverse consequences associated with the failure to notify the Operator about changes to personal data lie entirely with the PD Subject. The Operator is not liable for failure to fulfill obligations provided for by the Website that arose through the User’s fault, including in the event the User failed to notify the Operator about changes to their personal data.

3.25. In order to transition to electronic interaction between the Operator and the PD Subject, the latter grants the Operator the right to use the email address provided during registration for sending electronic receipts for purchases paid on the Website.

3.26. The PD Subject agrees that the Operator has the right to transfer their personal data to third parties, the Operator’s partners, for the provision of Website services, for delivery services, as well as the right of the Operator to instruct Processors to process their personal data where such transfer is carried out to serve the interests of the Registered User. The Operator may amend the list of third parties specified in the Policy. Changes to the list take effect and become binding on the date they are posted.

3.27. Personal data of the Active and Registered User may be transferred to authorized state authorities of the Russian Federation only on the grounds and in the manner established by the legislation of the Russian Federation.

3.28. The Operator takes the necessary organizational and technical measures to protect personal information from unlawful or accidental access, destruction, alteration, blocking, copying, dissemination, as well as from other unlawful actions by third parties.

3.29. By familiarizing themselves with this Policy, when visiting and using the Operator’s websites, services, and offerings, the PD Subject provides their personal data and gives consent to the processing of their personal data for the purposes specified in this Policy freely, of their own will, and in their own interest.

3.30. Purposes of personal data processing:
3.30.1. Only personal data that meets the purposes of its processing is subject to processing.
3.30.2. The Operator processes personal data for the following purposes:
• ensuring compliance with the Constitution, federal laws, and other regulatory legal acts of the Russian Federation;
• conducting activities in accordance with the charter;
• identifying a party within the framework of the use of agreements and contracts with the Company;
• providing the possibility of personalized use and performance of agreements and contracts;
• communicating with the PD Subject, including sending notifications, requests, and information regarding use and performance of agreements and contracts, as well as processing inquiries and applications from the PD Subject, including possible informational and advertising mailings;
• improving quality, convenience of use, and developing new features and options;
• targeting advertising materials;
• conducting statistical and other research based on anonymized data;
• maintaining HR records;
• assisting employees with employment, education, and career advancement, ensuring personal safety of employees, monitoring the quantity and quality of work performed, ensuring safekeeping of property;
• attracting and selecting job candidates for the Operator;
• arranging for employees’ personal (individual) accounts within the compulsory pension insurance system;
• completing and submitting required reporting forms to executive authorities and other authorized organizations;
• conducting civil-law relations;
• maintaining accounting records;
• implementing access control procedures.
3.30.3. Processing of employees’ personal data may be carried out exclusively to ensure compliance with laws and other regulatory legal acts.

3.31. Categories of personal data subjects. The following PD Subjects’ data is processed:
• individuals employed by the Company;
• individuals who have left the Company;
• individuals who are job candidates;
• individuals in civil-law relations with the Company.

3.32. Personal data processed by the Operator:
• data obtained in the course of employment relations;
• data obtained for recruiting purposes;
• data obtained in the course of civil-law relations.

3.33. Storage of personal data.
3.33.1. Personal data may be obtained, further processed, and transferred for storage both on paper and in electronic form.
3.33.2. Personal data recorded on paper is stored in locked cabinets or locked rooms with restricted access.
3.33.3. Personal data processed by automated means for different purposes is stored in separate folders.
3.33.4. Storing and placing documents containing personal data in open electronic directories (file shares) within PD information systems is not permitted.
3.33.5. Personal data is stored in a form that allows identification of the PD Subject no longer than required by the purposes of processing and must be destroyed upon achievement of the processing purposes or when the need to achieve them is lost.
3.34. Destruction of personal data.
3.34.1. Destruction of documents (media) containing personal data is carried out by burning, crushing (shredding), chemical decomposition, or turning into an amorphous mass or powder. A shredder may be used to destroy paper documents.
3.34.2. Personal data on electronic media is destroyed by erasing or formatting the medium.
3.34.3. The fact of destruction of personal data is confirmed by an official act of destruction of the media.


4. Protection of Personal Data

4.1. In accordance with regulatory requirements, the Operator has established a Personal Data Protection System (PDPS) consisting of legal, organizational, and technical protection subsystems.
4.2. The legal protection subsystem is a set of legal, organizational-administrative, and regulatory documents ensuring the creation, functioning, and improvement of the PDPS.
4.3. The organizational protection subsystem includes organizing the PDPS management structure, the authorization system, and information protection when working with employees, partners, and third parties.
4.4. The technical protection subsystem includes a set of technical, software, and hardware-software tools that ensure the protection of personal data.

4.5. The main PD protection measures used by the Operator include:
• appointing a person responsible for personal data processing who organizes PD processing, training and instruction, and internal control over compliance by the institution and its employees with PD protection requirements;
• identifying current PD security threats during processing in PD information systems and developing PD protection measures and activities;
• developing a policy regarding personal data processing;
• establishing rules for access to PD processed in PD information systems, as well as ensuring logging and accounting of all actions performed with PD in such systems;
• establishing individual employee passwords for access to the information system in accordance with their job duties;
• using information protection tools that have passed the prescribed conformity assessment procedure;
• using certified antivirus software with regularly updated databases;
• observing conditions that ensure the safekeeping of PD and prevent unauthorized access;
• detecting incidents of unauthorized access to personal data and taking remedial measures;
• restoring PD modified or destroyed as a result of unauthorized access;
• training the Operator’s employees who directly process personal data on the provisions of the RF legislation on personal data, including PD protection requirements, documents defining the Operator’s PD processing policy, and local acts on PD processing;
• conducting internal control and audit.

5. Fundamental Rights of the Personal Data Subject and Obligations of the Operator
5.1. Fundamental rights of the personal data subject

The subject has the right to access their personal data and to the following information:

  • confirmation of the fact that the Operator processes personal data;
  • the legal grounds and purposes of personal data processing;
  • the purposes and methods of processing used by the Operator;
  • the name and location of the Operator, as well as information about persons (other than the Operator’s employees) who have access to the data or to whom the data may be disclosed under a contract with the Operator or pursuant to federal law;
  • the time frames for processing personal data, including retention periods;
  • the procedure for exercising the rights of the personal data subject provided by the Personal Data Law;
  • the name (or surname, first name, patronymic) and address of the person processing personal data on behalf of the Operator, if processing has been or will be entrusted to such person;
  • the ability to contact the Operator and submit requests;
  • the right to appeal actions or inaction of the Operator.

5.2. Obligations of the Operator
The Operator shall:

  • upon collection of personal data, provide information about its processing;
  • if the data was obtained not from the subject, notify the subject;
  • in case of refusal to provide personal data to the subject, explain the consequences of such refusal;
  • publish or otherwise ensure unrestricted access to the document defining its policy regarding personal data processing and to information on the implemented requirements for personal data protection;
  • take the necessary legal, organizational, and technical measures (or ensure such measures are taken) to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as other unlawful actions with respect to personal data;
  • respond to requests and inquiries from personal data subjects, their representatives, and the authorized supervisory authority for the protection of personal data subjects’ rights;
  • process information about the personal data subject obtained as a result of information exchange with third parties via OpenID and OAuth protocols, provided that such third parties have obtained the prior consent of the personal data subject for the specified processing.

6. Updating, Rectifying, Deleting, and Destroying Personal Data; Responses to Subjects’ Access Requests

6.1. Confirmation of the fact of processing by the Operator, the legal grounds and purposes of processing, as well as other information specified in part 7, article 14 of the Personal Data Law, shall be provided by the Operator to the personal data subject or their representative upon contact or upon receipt of a request from the subject or their representative. The information provided shall not include personal data relating to other subjects, except where there are lawful grounds to disclose such data.
A request must contain:

  • the number of the primary identity document of the subject or their representative, the date of issue and the issuing authority;
  • information confirming the subject’s relationship with the Operator (contract number, contract date, conventional verbal designation and/or other information), or other information confirming the fact of processing by the Operator;
  • the signature of the personal data subject or their representative.

A request may be submitted in electronic form and signed with an electronic signature in accordance with the legislation of the Russian Federation.
If the subject’s request does not contain all information required by the Personal Data Law, or if the subject does not have the right to access the requested information, a reasoned refusal shall be sent to the subject.
The subject’s right of access may be restricted under part 8, article 14 of the Personal Data Law, including where access would infringe the rights and legitimate interests of third parties.

6.2. If inaccurate personal data is identified upon contact by the subject or their representative, or upon their request or the request of Roskomnadzor, the Operator shall block the personal data relating to that subject from the moment of such contact or receipt of the request for the period of verification, provided that blocking does not infringe the rights and legitimate interests of the subject or third parties.
If the inaccuracy is confirmed, the Operator shall, on the basis of information provided by the subject or their representative, or by Roskomnadzor, or other necessary documents, correct the personal data within seven (7) business days from the date such information is provided and lift the blocking.

6.3. If unlawful processing is identified upon contact (request) by the subject or their representative, or by Roskomnadzor, the Operator shall block the unlawfully processed personal data relating to that subject from the moment of such contact or receipt of the request.

6.4. Upon achieving the purposes of processing, as well as in the event the subject withdraws consent to processing, the personal data shall be destroyed, provided that:

  • a contract to which the subject is a party, beneficiary, or guarantor does not provide otherwise;
  • the Operator has no right to process the data without the subject’s consent on the grounds provided by the Personal Data Law or other federal laws;
  • another agreement between the Operator and the subject does not provide otherwise.

7. Legal Grounds for Processing Personal Data

7.1. The set of legal acts pursuant to and in accordance with which the Operator processes personal data:

  • the Constitution of the Russian Federation; articles 86–90 of the Labor Code of the Russian Federation; federal laws and subordinate regulatory legal acts governing relations connected with the Operator’s activities;
  • the Operator’s charter documents;
  • conclusion and performance of a contract (sub-para. 5, para. 1, art. 6 of Federal Law No. 152-FZ);
  • consent to the processing of personal data (sub-para. 1, para. 1, art. 6 of Federal Law No. 152-FZ);
  • fulfillment of the Operator’s legal obligations regarding personal data (sub-para. 2, para. 1, art. 6 of Federal Law No. 152-FZ);
  • exercise of the Operator’s rights and legitimate interests (sub-para. 7, para. 1, art. 6 of Federal Law No. 152-FZ).


Website: https://grandeosteria.ru/en