Personal Data and Cookie Policy
-
Terms and Definitions
- “Policy” means this Personal Data and Cookies Policy available online at: whitewill.ae/arthouse/privacy-agreement .
- “We”, “Our”, “Us,” etc., as well as the “Operator” means WHITEWILL Limited Liability Company, TIN: 5032309922, Register number: 1195081051846, address: 143084, Moscow region, p. Usovo, Odintsovo, building 100, room. 13, email: info@whitewill.ae .
- “You”, “Yours”, etc., as well as the “Personal Data Subject” means our counterparty under the User Agreement, which may be an individual who uses the Site in the manner and on the terms established by the User Agreement.
- “User Agreement” means an offer regulating the using the Site by Users available at: whitewill.ae/arthouse/policy .
- “Personal Data” means any information that relates to an identified or identifiable natural person. An identifiable person is a person who can be identified directly or indirectly, in particular by reference to such identifiers as name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Processing” or “Processing” means any action (operation) or a set of actions (operations) performed with or without the use of such tools with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal Data. Personal Data Processing is carried out by mixed (including automated) processing.
- “Automated Personal Data Processing” means Personal Data Processing performed using computer technology.
- “Confidentiality of Personal Data” means a mandatory requirement for Us or another person who has gained access to Personal Data not to allow their distribution without the consent of the Personal Data Subject or other legal grounds.
- “Personal Data Depersonalization” means actions performed to make it impossible, without the use of additional information, to determine whether Personal Data belongs to a specific Personal Data Subject.
- “Site” means Our website addressed at whitewill.ae .
- “Cookies” means a small text file placed by the Site system on Your computer or device when, for example, You visit specific sections of the Site and(or) when You use certain Site features.
- “Federal Law No. 152-FZ” means Russian Federal Law On Personal Data No. 152-FZ dated July 27, 2006.
- “GDPR” or “Regulation” means General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of their Personal Data and on the free movement of such data, repealing Directive 95/46/EC as amended it by amendments, changes and additions applied from time to time and included in the national legislation of the participating countries.
- “California Online Privacy Protection Law” or “CalOPPA” means the California Online Privacy Protection Act.
- “California Consumer Privacy Act” or “CCPA” means the first comprehensive privacy law in the United States, passed in late June 2018, introducing various privacy rights to California consumers.
- “U.S. Privacy Act 1974” or “UPA” means the Privacy Protection Act, which governs the handling of Personal Data of US citizens or US residents.
- “PECR” means Privacy and Electronic Communications Regulations (EU Directive) 2003.
- “UAE data protection and privacy laws” means all and any laws and regulations governing Personal Data Processing, including, but not limited to (1) Dubai Data Protection and Privacy Law, (2) Federal Data Protection Law (Law No. 45 of 2021) ), effective January 2, 2022, (3) Constitution of the United Arab Emirates (UAE), (Federal Law No. 1 of 1971); (4) Crime and Punishment Law (Federal Law No. 31 of 2021 repealing Federal Law No. 3 of 1987); (5) Cybercrime Law (Federal Law No. 5 of 2012 on Combating Information Technology Crimes) (as amended by Federal Law No. 12 of 2016 and Federal Decree-Law No. 2 of 2018); (6) Communications Regulation Law (Federal Law under Decree 3 of 2003, as amended), including regulations/policies adopted by the State Telecommunications and Digital Regulatory Authority (TDRA) regarding the protection of telecommunications consumer data in the UAE.
-
Subject and Grounds for the Personal Data Processing
- Subject. The provisions of this Policy apply to Our Processing of Your Personal Data arising out of Your use of the Site performed based on Your acceptance of the User Agreement.
- Grounds. The basis for the processing of Your Personal Data is always Your consent. Without agreeing to the terms of this Policy, We will not be able to fully ensure the fulfillment of obligations under the agreements concluded with You (including, but not limited to, the User Agreement).
-
Policy Acceptance
- In this Section, You can learn about the actions entailing Your consent to the Processing of Your Personal Data (Processing Consent).
- Content of the Processing Consent. By submitting the Processing Consent, You confirm that You have fully read and agree with the User Agreement, Personal Data and Cookies Policy, and You provide specific, substantive, informed, conscious, and unambiguous Processing Consent.
- Please note that Processing Consent means that You, among other things, express Your consent to the Automated Processing of Your Personal Data, as well as non-automated Processing of Your Personal Data, under the conditions set out herein, as well as under the Personal Data Processing Consent.
- Callback Order. If You order a callback by using the relevant functionality of the Site, You are deemed to have given Your Processing Consent at the moment You click on the “Order a Call” button (or equivalent).
- Outgoing Call. By making a call to the Operator and continuing the conversation with the Operator's employee, You provide Your Processing Consent.
- Messaging. If You send a message to Us via messenger, including by using the corresponding functionality of the Site, Your Processing Consent shall be deemed to be granted at the moment of sending the first message to Us.
- Site Browsing. If You simply browse the Site, You are deemed to have given Us Your Processing Consent to the extent set out herein (technical data, cookies (unless a different consent procedure in relation to the processing of cookies is implemented on the Site).
- Retention of Consent Information. Please note that We may retain data about Your actions (by means of a system of logging Your actions or an analog) confirming Your Processing Consent as specified in this Section for three (3) years after You have given Your consent to the Policy unless a different period of time is provided by law.
-
Term of Policy and Personal Data Processing
- Validity of the Policy. After accepting the terms of the Policy, the Policy is valid indefinitely. However, this does not affect the period for processing Your Personal Data established by this Policy.
- Personal Data Processing Period. As a general rule, We process Your Personal Data until We contact You at Your request, as well as within 3 (Three) years after this if another period is not established by applicable law, the User Agreement, or another agreement related to the use of the Site or the Processing of Your Personal Data. In other cases, We will stop processing Your Personal Data if You object such Processing or withdraw Your previously given consent to Processing following the Policy terms and the provisions of the law. However, We may not be able to perform Our obligations under contracts with You.
- Policy Amendment. We can amend this Policy at any time. Amendments may be caused by a change in Our business processes, the influence of external factors, and other reasons. Upon amending, We immediately publish the new Policy on the Site so that You can study it. Your use of the Site after the latest version of the Policy is published on the Site will be unconditionally interpreted as Your acceptance of amended terms of the Policy.
-
Legal Basis, Goals, Principles
- Legal Basis. The Policy has been developed based on the following laws: (a) GDPR; (b) CalOPPA; (c) CCPA; (d) PECR; (e) Federal Law No. 152-FZ; (f) GDPR; (g) Laws of the UAE on data protection and privacy, (h) as well as other laws and by-laws that determine the cases and features of the Personal Data Processing of the Personal Data Subject.
-
Goals. This Policy pursues the following objectives: (1) ensuring the requirements for the protection of the rights and freedoms of a person and citizen in the Personal Data Processing, including the protection of the rights to privacy, personal and family secrets, (2) exclusion of unauthorized actions (illegal or accidental access) of any third parties to Your Personal Data, as well as the destruction, modification, blocking, copying and distribution of Personal Data, (3) ensuring the legal and regulatory regime of confidentiality and control of Your Personal Data, (4) protecting the constitutional rights of citizens to personal secrecy, the confidentiality of information, constituting Personal Data, and preventing the occurrence of a possible threat to Your security.
Thus, the primary purpose of the Policy is to provide You with a complete and transparent understanding regarding the legal basis for the collection and processing of Your Personal Data, the categories of Your Personal Data We may collect, what happens to the Personal Data We collect; where We process Your Personal Data; how long We keep Your Personal Data; to whom We may share Your Personal Data; and explain Your rights as a Personal Data Subject.
- Principles. We pursue the following principles of Personal Data Processing: (1) the Personal Data Processing must be carried out on a lawful and fair basis, (2) the Personal Data Processing must be limited to the achievement of specific, predetermined, and legitimate purposes; Personal Data Processing that is incompatible with the purposes of collecting Personal Data is not allowed, (3) the content and scope of the processed Personal Data must correspond to the stated purposes of the processing; the processed Personal Data should not be excessive concerning the stated purposes of their processing, (4) during the Personal Data Processing, the accuracy of the Personal Data, their sufficiency, and relevance in relation to the purposes of the Personal Data Processing, (5) storage of Personal Data should be carried out no longer than required by the purposes of Personal Data Processing, unless a different period of storage of Personal Data (or the procedure for determining it) is provided by the Policy.
-
Range of Personal Data Collected
- Callback Request. You can request a callback by leaving the following data through a special form on the Site: (1) mobile phone number, (2) name. Please note that by providing the data of third parties, You agree to comply with the guarantees specified in this Policy. Also, please note that You can use any name by entering the relevant information in the form, including those that do not match Your name. However, in this case, please consider that the name You enter must meet the requirements of ethics and morality.
- Messengers Data. On our Site, it is possible to write to Us via What's App, Telegram, or other messengers (if available). At the same time, the Site has special URL links (of the form https://messenger-bot.whitewill.ru/web/... and (or) equivalent), enabling You to send us a message to the selected messenger. When sending such a message, We will receive data about the address of Your account in the corresponding messenger and other data that You have indicated in such an account and made publicly available.
- Technical Data. While using the Site, We automatically collect some of Your Personal Data. Such data includes, for example, technical information, including the Internet Protocol (IP) address used to connect Your computer to the Internet, login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform, information about Your visits to websites, etc.
- Other Data. In exceptional cases, We may ask You to provide additional Personal Data. We will notify You in advance about this and ask You to provide additional consent to Processing additional Personal Data.
- Third-Party Data. Please note that if You provide us with the Personal Data of third parties, You guarantee that You have received from them all the necessary consents (including consent to the transfer of Personal Data), other documents essential for the implementation of the provisions of this Policy in full, executed by them in the form and following their personal applicable law (Third Parties Consent), and if You act as the operator of the Personal Data of such persons, You also guarantee that You ensure the procedure for the transfer and protection of their Personal Data to the extent not less than provided for in this Policy. At the same time, the Third Parties Consent must be executed by them in writing, the original of which must be provided by You no later than 7 (seven) calendar days from the date of sending the corresponding request from the Operator. Providing Personal Data to third parties without complying with this warranty is unacceptable, and You fully accept all responsibility for breach of this warranty.
-
Personal Data Subject Rights
- Receiving the Information. You have the right to obtain information about Us, Our location, and whether We have Your Personal Data, as well as to get acquainted with such Personal Data.
- Clarification. You have the right to request to clarify Your Personal Data, block it or destroy it if it is incomplete, outdated, inaccurate, illegally obtained, or not necessary for the stated purpose of processing, and take legal measures to protect Your rights.
- Submission Form. Information about whether We have Personal Data will be provided to You in an accessible form, and it will not contain Personal Data relating to other Personal Data Subjects.
- Access Order. You (or Your legal representative) may access Your Personal Data in person or by sending a written request. In this case, the request must contain the number of the main document proving Your identity or Your legal representative, information about the date of issue of the specified document and the authority that issued it, and a handwritten signature. The request may be sent electronically. We must respond to Your request within thirty (30) days from the date it was received, which may be extended up to sixty (60) days depending on the complexity and number of requests.
- Response Content. In a request for access to Personal Data, You have the right to obtain information regarding Our Processing of Your Personal Data, including (1) confirmation of the fact of Personal Data processing, as well as the purpose of such processing, (2) how Personal Data is processed, (3) the name and location of the Operator, information about the persons who have access to Personal Data or who may be granted such access, (4) the list of processed Personal Data and the source of their receipt, (5) the terms for Personal Data Processing, including the terms their storage, (6) information about what legal consequences for the Personal Data Subject the Processing of his Personal Data may entail.
- Consent Withdrawal. You have the right to withdraw consent to the Personal Data Processing, limit the methods and forms of Personal Data Processing, and prohibit any transfer of Your Personal Data without relevant permission.
- Right to Contest. You have the right to contest Our actions or omissions to the authorized body to protect the rights of Personal Data Subjects or in court.
- Right to Protection. You have the right to protect Your rights and legitimate interests, including compensation for damages and compensation for moral damage in court.
-
Data Subject Rights (GDPR)
If You are a citizen of a member state of the European Economic Area or the United Kingdom (or legally provide us with such person's Personal Data), You also have the following rights. You can use them by sending an appropriate e-mail to Our Contact Information.
- Right to Be Informed (Art. 12-14 of the Regulations). You have the right to be informed about the collection and use of Your Personal Data, in particular, the purposes for which that Personal Data is processed, the retention periods, and to whom it will be shared. This information must be provided at the time We collect Your Personal Data. If We receive Personal Data from other sources, We will notify You within a reasonable time after We receive the data and no later than one month unless You already have such information and if it does not require a disproportionate effort to provide it. Information should be concise, transparent, understandable, easily accessible, and expressed in clear and understandable language, so We try to explain our data processing policy in detail. We will bring to Your attention any new use of Your Personal Data before processing it.
- Right of Access (Art. 15 of the Regulations). You have the right to receive confirmation from the Operator as to whether Personal Data concerning You are being processed and, if necessary, access to Personal Data and the following information: the purposes of processing; categories of relevant Personal Data; recipients or categories of recipients to whom Personal Data has been or will be disclosed, in particular recipients from third countries or international organizations; if possible, the envisaged period for which the Personal Data will be stored or, if this is not possible, the criteria, used to determine such a period; the existence of the right to demand from the Operator the correction or deletion of Personal Data or restriction of the Personal Data Processing in relation to the data subject or to object to such processing; the right to file a complaint with a supervisory authority; the existence of an automated decision-making process, including profiling, referred to in Articles 22(1) and (4) of the Regulation and, at least in these cases, meaningful information about the underlying algorithm and the meaning and intended consequences of such processing for the data subject. If Personal Data is transferred to a third country or international organization, You have the right to be informed about the safeguards in place associated with such transfer. The Operator also provides a copy of the processed Personal Data upon request. For all additional copies requested by the Personal Data Subject, the Operator may charge a reasonable fee based on administrative costs. If You request by electronic means, and unless otherwise required, the information must be provided in a commonly used electronic form.
- Right to Alteration (Art. 16 of the Regulations). You have the right to have incorrect or inaccurate information regarding Personal Data corrected upon request for correction, either orally or in writing. The Operator has one (1) calendar month to respond to the request of the Personal Data Subject.
- Right to erasure (“right to be forgotten”) (Art. 17 of the Regulations). The regulation grants individuals the right to delete Personal Data. You may request erasure by contacting our Data Protection Officer, who has one (1) month to respond to Your request. Please note that this right is not absolute and only applies under certain circumstances, provided for in Art. 17 of the Regulations.
- Right to Restrict Processing (Art. 18 of the Regulations). You have the right to request the restriction or termination of the processing of Your Personal Data. If the processing has been restricted, such Personal Data, other than storage, are processed only with the consent of the data subject or for the establishment, exercise, or defense of legal claims or the protection of the rights of another natural or legal person, or the protection of the public interest of the union or state -member. Please note that this right is not absolute and only applies under certain circumstances, provided for in Art. 18 of the Regulations.
- Right to Data Portability (Art. 20 of the Regulations). The right to data portability allows You to obtain and reuse Your Personal Data for Your purposes across various services. It allows You to easily move, copy or transfer Personal Data from one IT environment to another safely and securely without affecting the usability of Personal Data. You can transfer Personal Data directly from one Operator to another, where this is technically possible.
- Right to Object (Art. 21 of the Regulations). You have the right to object to processing Your Personal Data at any time on grounds relating to Your particular situation. We will not further process Your Personal Data unless We have compelling legitimate grounds for processing that are more significant than the interests, rights, and freedoms of the data subject or to establish, exercise or defend legal claims. If Your Personal Data is processed for direct marketing purposes, You have the right to object to the Personal Data Processing relating to You for such marketing purposes, including profiling insofar as it relates to direct marketing.
- Rights Related to Automated Decision-Making, Including Profiling (Art. 22 of the Regulations). You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or significantly affects him or her. Please note that this right is not absolute and only applies under certain circumstances provided for in Art. 22 of the Regulations. You may withdraw Your consent to the Personal Data Processing at any time. Please remember that withdrawal of consent only applies to the future — any actions related to processing carried out before such revocation shall not be affected by it.
-
Personal Data Transfer
- Personal Data Transfer. To achieve the purposes of Personal Data Processing, We may need to provide Your Personal Data to our counterparties, including, but not limited to, Amotsrm JSC, TIN: 7709477879, OGRN: 5157746087681. Also, Your Personal Data may be transferred to state authorities, in particular, authorities’ executive power, based on their request.
- Mandatory and Optional Transmission. The transfer of information may be compulsory, for example, in terms of information about the user equipment: IP address, OS, geographical data, ID/type of equipment, channel used: browser/application, payment authorization, identification/verification, or optional, for example, in terms of information about indicators of address matching, account information, etc.
-
Personal Data Storage
- Personal Data Localization. If You are a citizen of the Russian Federation, then We store Your data on servers located on the territory of the Russian Federation. If You are a citizen of one of the member states of the European Economic Area, the United Kingdom, or another country whose Personal Data laws require that Personal Data be Processed in the territory of such country, then Your Personal Data is collected and Processed in the territory of the European Economic Area or such country, respectively.
-
Principles and Measures for the Personal Data Protection
- Protection principles. We apply legal, organizational, administrative, technical, and physical measures to protect Personal Data to ensure the protection of Your Personal Data.
- Protective Measures. Measures to ensure the security of Personal Data during their processing are planned and implemented to ensure compliance with the requirements of legislation in the field of Personal Data and regulations adopted in accordance with it. We ensure the security of Your Personal Data, including in the following ways: (1) limiting and specifying the composition of the Operator’s employees who have access to Personal Data, (2) appointing a person responsible for organizing the Personal Data Processing, (3) developing and implementing local acts on issues of Personal Data processing, (4) identification of threats to the security of Personal Data during their processing in Personal Data information systems, (5) application of organizational and technical measures to ensure the security of Personal Data, (6) the use of information security tools that have passed the conformity assessment procedure in accordance with the established procedure, (7) taking into account electronic media, (8) establishing rules for access to Personal Data, (9) restricting access to premises where the technical means that process Personal Data are located, as well as storage media, (10) detection of facts of unauthorized access to Personal Data and taking measures to prevent such access, (11) Entering Personal Data (which are not publicly available, requiring confidentiality ) to the list of the Operator’s confidential information, (12) obtaining an obligation not to disclose confidential information, including Personal Data, from all the Operator’s employees directly involved in the Personal Data Processing, (13) restoring Personal Data modified or destroyed due to unauthorized access to him, (14) familiarization of the Operator’s employees directly involved in the Personal Data Processing with the provisions of the legislation on Personal Data, including the requirements for the protection of Personal Data, local acts on the Personal Data Processing, (15) control over the measures taken to ensure the security of Personal Data.
-
Cookies
- Use of Cookies. The Site uses cookies. When You visit the Site, Your Internet browser transmits certain information to Our server: (1) date and time of visit, (2) browser type, (3) language settings, (4) operating system. This information is stored in connection logs for a limited time (from a session to a year) to ensure the security and proper operation of the Site and collect statistical information.
- Functions Cookies. There are different groups of Cookies that are used on the Site. The first group is functional and technical Cookies. The main function of such files is to allow the Site server to obtain information about Your session, language, browser, etc., and to ensure the full operation of the Site. These cookies are needed to recognize You when You revisit the Site. This allows us to personalize the Site’s content to Your needs and to remember Your preferences. The second group is analytical cookies. They allow us to evaluate and count the number of visitors and understand how they move around the Site while using it. This helps Us improve the Site’s operation, for example, by optimizing the search for the desired sections, making it simple and efficient. You have the right to refuse the use of analytical cookies by making the appropriate settings in Your web browser.
- Cookies Storage Period. When they are stored on Users' devices, Cookies are divided into Persistent Cookies and Session Cookies: “Session Cookies” are files stored on Your device until You close Your browser. “Persistent Cookies” are stored on Your device until they expire, or You delete them.
- Disabling Cookies. You can accept or decline all cookies on all websites You visit by changing Your browser settings. For example, when You are using Internet Explorer version 11.0, You should do the following: (1) select "Settings", then "Internet Options", (2) go to the "Privacy" tab, (3) use the mouse to select Your preferred settings. Each browser must use its settings to change and delete cookies. Certain Site features may not be available if You disable Cookies. For more information on adjusting or changing Your browser settings, please refer to Your browser instructions or go to www.aboutcookies.org or www.allaboutcookies.org . If You use different devices to access the Site (e.g., smartphone, tablet, computer, etc.), You should ensure that each browser on each device is set according to Your cookie preferences.
-
Legally Significant Communication
- Parties Details. In the course of fulfilling obligations under this Policy and(or) other obligations as a Personal Data Operator, there may be (and in some cases must be) an exchange of legally significant messages between Us. Such an exchange occurs through the Parties' official contacts, both in writing and in electronic form (equivalently). At the same time, the conclusion of a separate agreement on using electronic document management is not required. Our data is indicated in the Legal Notice (at the bottom of the document). You indicate Your data when You leave a request for a callback by sending Us a message via messenger or other communication channels. Please remember that You bear all the risks associated with the fact that Your data for exchanging legally significant messages is no longer relevant.
- Correspondence exchange. The exchange of correspondence is possible only using the Parties’ data, determined by the rules of this Policy.
-
Miscellaneous
- Divisibility clause. If one or more provisions of the Policy are declared invalid/irreconcilable, etc., then such provisions are considered to be replaced by valid provisions as close as possible in their meaning. At the same time, the Policy cannot be invalidated in full under any circumstances.
-
Legal Notice
Company number 12476398
Address: 42 Upper Berkeley Street, Suite 306/307, London, England, W1H 5QL
Email: info@whitewill.london