Approved by
the order of KazHackStan LLP
dated July 28, 2022 No. 65/22 -П

Personal Data Collection and Processing Policy

  1. General provisions

    1. This Personal Data Collection and Processing Policy of KazHackStan LLP (hereinafter referred to as the Policy) was developed in pursuance of the requirements of the Law of the Republic of Kazakhstan dated May 21, 2013 N 94-V “On Personal Data and their Protection” (hereinafter referred to as the Law) and other regulatory legal acts of the Republic of Kazakhstan, in order to ensure the protection of the rights and freedoms of a person and citizen in the collection and processing of his/her personal data, including the protection of the rights to privacy, personal and family secrets.
    2. The Policy applies to all personal data collected and processed by KazHackStan LLP (hereinafter referred to as the Operator or KazHackStan LLP).
    3. The Policy applies to the Operator’s relations arising in the field of personal data processing both before and after the approval of this Policy.
    4. This Policy is published in the public domain in the information and telecommunication network Internet on the Operator’s website.
    5. Basic concepts used in the Policy:
      • biometric data – personal data that characterize the physiological and biological characteristics of the personal data subject, on the basis of which it is possible to establish his/her identity;
      • personal data – information relating to a certain personal data subject or a personal data subject determined on their basis, recorded on electronic, paper and (or) other tangible media;
      • personal data subject – an individual (or a legal entity) to whom personal data relates;
      • personal data operator – a state body, an individual and (or) a legal entity that collects, processes and protects personal data;
      • collection of personal data – actions aimed at obtaining personal data;
      • processing of personal data – actions aimed at the accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction of personal data;
      • storage of personal data – actions to ensure the integrity, confidentiality and availability of personal data;
      • automated processing of personal data – processing of personal data by means of computers;
      • distribution of personal data – actions resulting in the transfer of personal data, including through the media or providing access to personal data in any other way, if the rights and freedoms of the subject are not violated;
      • provision of personal data – actions aimed at disclosing personal data to a certain person or a certain circle of persons;
      • blocking of personal data – actions to temporarily stop the collection, accumulation, modification, addition, use, distribution, depersonalization and destruction of personal data (except when processing is necessary to clarify personal data);
      • destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
      • depersonalization of personal data – actions, as a result of which it is impossible to determine the ownership of personal data by the personal data subject;
      • personal data information system – a set of personal data contained in databases and information technologies and technical means that ensure their processing;
      • confidentiality of personal data – actions aimed at maintaining confidentiality of personal data by complying with the requirements to prevent their distribution without the consent of the subject or his/her legal representative, or other legal grounds. In case of disagreement with these conditions, the user must refrain from using the services;
      • transboundary transfer – transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.
    6. Basic rights and obligations of the Operator
      1. The Operator has the right:
        1. to independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law and its regulatory legal acts of the Republic of Kazakhstan;
        2. to entrust the processing of personal data to another person with the consent of the personal data subject, unless otherwise provided by the regulatory legal acts of the Republic of Kazakhstan, on the basis of a contract concluded with this person. The person who processes personal data on behalf of the Operator is obliged to comply with the principles and rules for the processing of personal data provided for by the current legislation of the Republic of Kazakhstan;
        3. to continue processing personal data without the consent of the personal data subject, in the event that the personal data subject withdraws consent to the processing of personal data, if there are grounds specified in the Law.
      2. The Operator is obliged:
        1. to approve the list of personal data necessary and sufficient to perform the tasks they perform, unless otherwise provided by the laws of the Republic of Kazakhstan;
        2. to take and comply with the necessary measures, including legal, organizational and technical ones, to protect personal data in accordance with the legislation of the Republic of Kazakhstan;
        3. to comply with the legislation of the Republic of Kazakhstan on personal data and their protection;
        4. to take measures to destroy personal data if the purpose of their collection and processing is achieved, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;
        5. to provide evidence of obtaining the consent of the subject to the collection and processing of his/her personal data in cases provided for by the legislation of the Republic of Kazakhstan;
        6. to provide information related to the subject, within three working days from the date of receipt of the application of the subject or his/her legal representative, unless other terms are provided by the laws of the Republic of Kazakhstan;
        7. in case of refusal to provide information to the subject or his/her legal representative within a period not exceeding three working days from the date of receipt of the application, to submit a reasoned response, unless other terms are provided by the laws of the Republic of Kazakhstan;
        8. within one working day:
          • to change and (or) supplement personal data on the basis of relevant documents confirming their authenticity, or destroy personal data if it is impossible to change and (or) supplement them;
          • to block personal data related to the subject, in case of availability of information on violation of the conditions for their collection, processing;
          • to destroy personal data in case of confirmation of the fact of their collection, processing in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;
          • to remove the blocking of personal data in case of failure to confirm the fact of violation of the conditions for the collection, processing of personal data;
        9. to provide free of charge to the subject or his/her legal representative the opportunity to get acquainted with personal data relating to this subject;
        10. to appoint a person responsible for organizing the processing of personal data;
        11. at the request of the authorized state body, to provide the necessary information within the time limits stipulated by the current legislation of the Republic of Kazakhstan;
        12. to bear other obligations stipulated by the current legislation of the Republic of Kazakhstan.
    7. Basic rights of the personal data subject.

      The personal data subject has the right:

      1. to know about the fact that the Operator, as well as a third party, possesses his/her personal data, as well as to receive information containing:
        • confirmation of the fact, purpose, sources, methods of collecting and processing personal data;
        • list of personal data;
        • terms of processing personal data, including the terms of their storage;
      2. to demand of the Operator to change and supplement his/her personal data if there are grounds, confirmed by relevant documents;
      3. to demand of the Operator, as well as a third party, to block his/her personal data if there is information about a violation of the conditions for the collection, processing of personal data;
      4. to demand of the Operator, as well as a third party, to destroy his/her personal data, the collection and processing of which was carried out in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law and other regulatory legal acts of the Republic of Kazakhstan;
      5. to withdraw consent to the collection, processing of personal data, except for the cases provided for in paragraph 2 of Article 8 of the Law;
      6. to give consent (refuse) to the Operator to distribute his/her personal data in publicly available sources of personal data;
      7. to protect his/her rights and legitimate interests, including compensation for moral and material damage;
      8. to exercise other rights provided for by the Law and other laws of the Republic of Kazakhstan.
    8. Control over the fulfillment of the requirements of this Policy is carried out by an authorized person responsible for organizing the processing of personal data by the Operator.
    9. Responsibility for violation of the Law and other regulatory legal acts on the protection of personal data and their processing is determined in accordance with the legislation of the Republic of Kazakhstan.
  2. PURPOSE OF COLLECTION AND PROCESSING OF PERSONAL DATA

    1. The processing of personal data is limited to the achievement of specific, predetermined and legitimate purposes. It is not allowed to process personal data that is incompatible with the purposes of collecting personal data.
    2. Only personal data that meet the purposes of their processing are subject to processing.
    3. The processing of personal data by the Operator is carried out for the following purposes:
      • ensuring compliance with the legislation of the Republic of Kazakhstan on personal data and their protection;
      • implementation of the activities in accordance with the Charter of KazHackStan LLP;
      • organization of access and participation of the personal data subject in the KazHackStan Toitarys 2022 conference organized by KazHackStan LLP;
      • maintaining personnel records;
      • attraction and selection of candidates for work with the Operator;
      • organization of individual (personalized) registration of employees in the compulsory pension insurance system;
      • completion and submission to the authorized state bodies and other authorized organizations of the required reporting forms;
      • implementation of civil law relations;
      • accounting;
      • implementation of access control.
    4. The processing of personal data of employees may be carried out solely for the purpose of ensuring compliance with laws and other regulatory legal acts.
  3. LEGAL BASIS FOR PROCESSING PERSONAL DATA

    1. The legal basis for the processing of personal data is a set of regulatory legal acts, in pursuance of which and in accordance with which the Operator processes personal data, including:
      • Constitution of the Republic of Kazakhstan;
      • Civil Code of the Republic of Kazakhstan;
      • Labor Code of the Republic of Kazakhstan;
      • Law of the Republic of Kazakhstan “On Limited and Additional Liability Partnerships”;
      • Law of the Republic of Kazakhstan “On mass media”;
      • Law of the Republic of Kazakhstan “On the Prosecutor’s Office”;
      • other regulatory legal acts of the Republic of Kazakhstan regulating relations and related to the activities of the Operator within the framework of the Law of the Republic of Kazakhstan on personal data and their protection.
    2. The legal basis for the processing of personal data is also:
      • Charter of KazHackStan LLP;
      • Agreements concluded between the Operator and subjects of personal data;
      • Consent of personal data subjects to the processing of their personal data.
  4. AMOUNT AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS

    1. The collection and processing of personal data by the Operator is allowed in the amount determined by the List of personal data, necessary and sufficient to perform the tasks being performed (hereinafter referred to as the List of personal data).
    2. The list of personal data is determined and approved in accordance with the Rules for determining by the owner and (or) operator of the list of personal data necessary and sufficient to perform the tasks they perform, approved by the Decree of the Government of the Republic of Kazakhstan dated November 12, 2013 No. 1214.
    3. Before the collection and processing of personal data, the Operator analyzes the tasks it carries out for the purpose of using personal data. When carrying out current activities, the Operator annually re-analyzes the tasks it carries out for the purpose of using personal data, on the basis of which changes are made to the List of personal data necessary and sufficient to perform the tasks it carries out.
    4. Based on the analysis carried out, the Operator determines the List of personal data necessary and sufficient to perform the tasks they carry out, indicating the purposes of their collection and processing within the framework of the tasks. The goals are unambiguous, legitimate and correspond to the tasks carried out by the Operator.
    5. Personal data, the content and amount of which are excessive in relation to the tasks performed by the Operator, are not included in the List of personal data necessary and sufficient to perform the tasks they perform.
    6. The list of personal data necessary and sufficient for the performance of their tasks is approved by the Operator.
    7. The processing by the Operator of biometric personal data (information that characterizes the physiological and biological characteristics of a person, on the basis of which it is possible to establish his/her identity) is carried out in accordance with the legislation of the Republic of Kazakhstan.
    8. The Operator does not process special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except as provided by the legislation of the Republic of Kazakhstan.
  5. PROCEDURE AND CONDITIONS FOR COLLECTING AND PROCESSING PERSONAL DATA

    1. To collect personal data, the Operator asks the subject for consent to the collection and processing of personal data related to him/her.
    2. The subject or his/her legal representative gives (withdraws) consent to the collection, processing of personal data in writing, in the form of an electronic document or by registering on the Operator’s website or in any other way that does not contradict the legislation of the Republic of Kazakhstan.
    3. When requesting personal data from the personal data subject, it is necessary to ensure that their names and the purposes of collection and processing match the names and the purposes of collection and processing specified in the List of personal data.
    4. The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Republic of Kazakhstan.
    5. The processing of personal data is carried out with the consent of the personal data subjects to the processing of their personal data, as well as without it in cases provided for by the legislation of the Republic of Kazakhstan.
    6. The Operator carries out both automated and non-automated processing of personal data.
    7. Employees of the Operator whose duties include the processing of personal data are allowed to process personal data.
    8. The processing of personal data is carried out by:
      • obtaining personal data in oral and written form directly from the personal data subjects;
      • obtaining personal data from publicly available sources;
      • entering personal data into logs, registers and information systems of the Operator;
      • use of other methods of personal data processing.
    9. It is not allowed to disclose to third parties and distribute personal data without the consent of the subject of personal data, unless otherwise provided by the Law of the Republic of Kazakhstan.
    10. The transfer of personal data to the bodies of inquiry and investigation, tax authorities, the Unified Accumulative Pension Fund of the Republic of Kazakhstan, or in the information systems of state bodies, through the web portal of “electronic government” subject to the consent of the subject, and other authorized executive bodies and organizations is carried out in accordance with the requirements of the legislation of the Republic of Kazakhstan.
    11. The Operator takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, distribution and other unauthorized actions, including:
      • determines threats to the security of personal data during their processing;
      • adopts local regulatory acts and other documents regulating relations in the field of processing and protection of personal data;
      • appoints persons responsible for ensuring the security of personal data in the structural divisions and information systems of the Operator;
      • creates the necessary conditions for working with personal data;
      • organizes accounting of documents containing personal data;
      • organizes work with information systems in which personal data is processed;
      • stores personal data under conditions that ensure their safety and exclude unauthorized access to them;
      • organizes training for the Operator’s employees who process personal data.
    12. The Operator stores personal data in a form that allows the personal data subject to be determined, no longer than required by the purposes of processing personal data, if the period of storage of personal data is not established by the Law or the Contract.
    13. When collecting personal data, including through the information and telecommunication network Internet, the Operator ensures recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Republic of Kazakhstan using databases located on the territory of the Republic of Kazakhstan, except as otherwise provided by law.
  6. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA, RESPONSES TO REQUESTS OF SUBJECTS FOR ACCESS TO PERSONAL DATA

    1. Confirmation of the fact of processing personal data by the Operator, the legal grounds and purposes of processing personal data, as well as other information, are provided by the Operator to the personal data subject or his/her representative when applying or upon receiving a request from the personal data subject or his/her representative.

      The information provided does not include personal data relating to other subjects of personal data, unless there are legal grounds for disclosing such personal data.

      The request must contain:

      • number of the main identity document of the personal data subject or his/her representative, information on the date of issue of the specified document and the authority that issued it;
      • information confirming the participation of the personal data subject in relations with the Operator (contract number, date of the contract conclusion, conditional verbal designation and (or) other information), or information otherwise confirming the fact of processing personal data by the Operator;
      • signature of the personal data subject or his/her representative.

      The request can be sent in the form of an electronic document and signed with an electronic signature in accordance with the legislation of the Republic of Kazakhstan.

      If the request (application) of the personal data subject does not contain all the information required by the Law, or the subject does not have the right to access the requested information, a reasoned refusal is sent to him/her.

      The right of the personal data subject to access his/her personal data may be limited in accordance with Article 10 of the Law, including if the access of the personal data subject to his/her personal data violates the rights and legitimate interests of third parties.

    2. In the event that inaccurate personal data is detected when the personal data subject or his/her representative applies, or at their request or at the request of the authorized state body, the Operator blocks personal data related to this personal data subject from the moment of such appeal or receipt of the specified request for the verification period, if blocking personal data does not violate the rights and legitimate interests of the personal data subject or third parties.

      If the fact of inaccuracy of personal data is confirmed, the Operator, on the basis of information provided by the personal data subject or his/her representative or an authorized state body, or other necessary documents, clarifies personal data within seven working days from the date of submission of such information and removes the blocking of personal data.

    3. If unlawful processing of personal data is detected when a personal data subject or his/her representative or an authorized body in the field of personal data protection applies (requests), the Operator blocks the unlawfully processed personal data relating to this personal data subject from the moment of such an appeal or receipt of a request.
    4. Upon reaching the goals of processing personal data, as well as in the event that the personal data subject withdraws consent to their processing, personal data shall be destroyed if:
      • not otherwise provided by the Contract to which the personal data subject is a party, beneficiary or guarantor;
      • the Operator is not entitled to process without the consent of the personal data subject on the grounds provided for by the Law;
      • not otherwise provided by another agreement between the Operator and the personal data subject.
    5. The Operator reserves the right to make changes to this Policy unilaterally. Any changes to this Policy are published on the Operator’s website. The subject is responsible for monitoring changes to this Policy on his/her own. In case of disagreement with the changes made and approved by the Operator, the subject has the right to write a written review of his/her personal data.