Policy on personal data processing
Document Approved: Ray Gmbh LLP
Date of Approval: 24.05.2022, Order No. 201
Effective Date: 25.05.2022
1. General Provisions
1.1 This Policy (hereinafter - the Policy) defines the general principles and procedure for processing personal data and measures to ensure their security at Ray Gmbh Limited Liability Partnership (hereinafter - the Partnership).
1.2 The purpose of the Policy is to ensure the protection of the rights and freedoms of individuals and citizens in the processing of their personal data, including the protection of the rights to privacy, personal and family secrecy, clear and strict compliance with the requirements of the legislation of the Republic of Kazakhstan and international treaties of the Republic of Kazakhstan in the field of personal data.
1.3 The Policy is developed in accordance with the provisions of the Law of the Republic of Kazakhstan dated May 21, 2013 № 94-V On personal data and their protection, other legislative and regulatory legal acts (hereinafter - legislation), which determine the procedure for working with personal data and requirements to ensure their security.
1.4 The following terms are used in the Policy:
- automated processing of personal data - processing of personal data with the help of computer facilities;
- personal data base - an organized array of personal data, independent of the type of material carrier of information and the means used for its processing (archives, file cabinets, electronic databases);
- biometric personal data - information that characterizes physiological and biological features of a person, on the basis of which it is possible to establish his/her identity and which is used by the operator to establish the identity of the personal data subject;
- blocking of personal data - temporary cessation of personal data processing (except for cases when processing is necessary to clarify personal data);
- data center - a specialized organization providing services for server and network equipment placement, leasing of servers (including virtual servers), as well as Internet connection services;
- access to personal data - familiarization of certain persons (including employees) with the personal data of subjects processed by the Company, provided that the confidentiality of this information is maintained;
- counterparty - a party to a contract with the Company who is not an employee of the Company;
- confidentiality of personal data - the obligation of persons who have access to personal data not to disclose them to third parties and not to disseminate personal data without the consent of the subject of personal data, unless otherwise provided for by law;
- processing of personal data - any action (operation) or set of actions (operations) performed with or without the use of automation means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (dissemination, provision, access), depersonalization, blocking, deletion, destruction of personal data;
- publicly available personal data - personal data to which an unlimited number of persons have access on the basis of legislation by the subject of personal data or at his/her request, as well as data that are subject to mandatory disclosure or publication;
- operator - a state authority, municipal authority, legal entity or individual, independently or jointly with other persons, organizing and (or) carrying out processing of personal data, as well as determining the purposes of personal data processing, composition of personal data subject to processing, actions (operations) performed with personal data; in the Policy the operator shall mean the Company, unless otherwise specifically stated;
- personal data - any information relating to a directly or indirectly defined or identifiable natural person (subject of personal data);
- provision of personal data - actions aimed at disclosure of personal data to a certain person or a certain circle of persons;
- dissemination of personal data - actions aimed at disclosure of personal data to an indefinite number of persons;
- special categories of personal data - information relating to racial, national origin, political opinions, religious or philosophical beliefs, state of health;
- subject of personal data - a natural person to whom the personal data relate;
- cross-border transfer of personal data - transfer of personal data to the territory of a foreign country to a foreign government authority, a foreign natural person or a foreign legal entity;
- destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system and (or) as a result of which material carriers of personal data are destroyed;
2. Status of the Partnership and categories of subjects whose personal data are processed by the Partnership
2.1 The Partnership is the operator of personal data of the following categories of individuals:
- the Partnership's employees with whom the Partnership has concluded labor contracts, including former employees with whom labor contracts have been terminated (hereinafter referred to as Employees);
- close relatives, spouses of the Partnership's employees and dependents of the employees (hereinafter referred to as Family Members of Employees);
- Employees of Ray Gmbh LLP and other SVK Group companies (hereinafter referred to as Employees of the Group of Companies);
- applicants for vacant positions of the Partnership (candidates for employment by the Partnership) who have submitted their CVs or questionnaires containing personal data in person or through specialized recruitment organizations (recruitment agencies), including through specialized websites on the Internet (hereinafter referred to as Applicants);
- counterparties - individuals, representatives of counterparties - legal entities and individual entrepreneurs, including employees, owners, including beneficial owners, representatives acting on the basis of a power of attorney and other representatives of counterparties with whom the Partnership has contractual relations, with whom the Partnership intends to enter into contractual relations or who intend to enter into contractual relations with the Partnership (hereinafter - Representatives of Counterparties);
- Representatives of personal data subjects who are not employees of the Partnership and who contact the Partnership on behalf of personal data subjects (hereinafter - Representatives of personal data subjects);
- buyers, including those who are registered users of the Partnership's websites and online store (hereinafter referred to as Buyers);
- visitors to the Company's secured premises who do not have the right to permanently enter such premises (hereinafter referred to as Visitors);
- unregistered visitors of the Partnership's websites on the Internet (hereinafter referred to as Website Users).
2.2 The Partnership is a person who processes personal data on behalf of other operators, which include (without limitation):
- authorities and state extra-budgetary funds to which the Employees' funds are transferred or funds to be credited to the Employees' accounts;
- statistical authorities, subdivisions of municipal governments and other competent authorities, telecommunication operators to whom this information should be provided in accordance with the legislation of the RK.
2.3 To the authorities and state extra-budgetary funds, communication operators and other bodies specified in clause 2.2, personal data shall be provided (transferred) to the extent specified by the legislation, relevant authorities and state extra-budgetary funds within the limits of their authority. Consent of subjects for such transfer of personal data is not required.
3. Principles of personal data processing
The Company processes personal data in accordance with the following principles:
3.1 Legality and fair basis of personal data processing. The Partnership takes all necessary measures to fulfill the requirements of the legislation, does not process personal data in cases when it is not allowed by the legislation and is not required to achieve the goals defined by the Partnership, does not use personal data to the detriment of the subjects of such data.
3.2 Limiting the processing of personal data to the achievement of specific, predetermined and legitimate purposes. The purposes of personal data processing by the Partnership are:
- in respect of Employees - execution of concluded labor contracts, including assistance in training and promotion, ensuring personal safety of Employees, control over quantity and quality of work performed, ensuring safety of property; calculation and payment of wages, other remunerations, calculation and transfer of taxes and insurance contributions; provision of additional services to Employees at the Employer's expense (transfer of income to Employees' payment cards, insurance at the Employer's expense, non-state pension o
- in respect of Family Members of employees - provision to the Employees of benefits and guarantees provided by the legislation for persons who have (adopted) children, persons with family responsibilities; fulfillment of the requirements of the Labor Code of the Republic of Kazakhstan on informing relatives about accidents; insurance of Family Members of employees partially or fully at the expense of the Partnership, provision of educational services, consultation on tax issues; fulfillment of the requirements of regulatory legal acts of state statistical bodies;
- in respect of the Employees of the Group of Companies - keeping personnel records, issuing payment cards for income accrual, insurance of the Employees of the Group of Companies, control over compliance with the legislation and internal procedures of SVK Group of Companies;
- in respect of the Applicants - making a decision on the possibility of filling vacant positions with the applicants who best meet the requirements of the Partnership;
- in relation to the Representatives of counterparties - fulfillment of norms of the Civil Code of the Republic of Kazakhstan regulating contractual work, conclusion and execution of contracts with counterparties;
- in relation to the Representatives of personal data subjects - performance of actions by the Partnership on behalf of the Representatives of personal data subjects;
- in relation to the Buyers - conducting marketing and sociological research and analysis; providing information about products (goods, services) through the brands' websites; compiling statistical reports; enabling Buyers to place orders on the website or through customer service (hot line), and/or through other retail channels; compliance with the requirements of the laws of the Republic of Kazakhstan regulating the sale of products (goods, services);
- in respect of Buyers - conducting marketing and sociological research and analysis; providing information about products (goods, services) through the brands' websites; compiling statistical reports; enabling Buyers to place orders on the website or through customer service (hotline), and/or through other retail channels; complying with the requirements of the laws of the Republic of Kazakhstan regulating retail and distance selling;
- in respect of Visitors - ensuring the possibility of access to the Company's guarded premises for persons who do not have permanent passes, control of their departure from the guarded premises, provision of parking facilities on the Company's territory;
- with regard to Website Users - informing Website Users about the activities of the Partnership and products (goods, services) produced by SVK Group of Companies.
3.3 Processing of only those personal data that meet the declared purposes of their processing; compliance of the content and scope of processed personal data with the declared purposes of processing; prevention of processing of personal data incompatible with the purposes of personal data collection, as well as redundant in relation to the declared purposes of personal data processing. The Partnership does not collect and does not process personal data not required to achieve the purposes specified in paragraph 3.2 of the Policy, does not use the personal data of subjects for any purposes other than those specified.
3.4 Preventing the merger of databases containing personal data processed for purposes that are incompatible with each other.
3.5 Ensuring the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing. The Partnership shall take all reasonable measures to maintain the relevance of processed personal data, including (without limitation) the realization of the right of each subject to receive for review his/her personal data and to demand from the Partnership their clarification, blocking or destruction in case the personal data are incomplete, outdated, inaccurate, illegally obtained or are not necessary for the above stated purposes of processing without explaining the reasons for such request.
3.6 Personal data shall be stored in a form that allows identification of the personal data subject for no longer than required by the purposes of personal data processing, unless a storage period is established by law, by the contract to which the personal data subject is a party, or by the consent of the personal data subject to data processing.
3.7 Destruction of personal data upon achievement of the stated purposes of their processing or in the event of loss of the need to achieve these purposes, in the event of the Partnership's inability to eliminate violations of the procedure for processing personal data established by law, withdrawal of consent to processing by the subject of personal data, expiration of the period of personal data processing established by local acts of the Partnership, consent to the processing of personal data, unless otherwise provided by law or agreements with the subjects of personal data.
4. Conditions of personal data processing
4.1 Processing of personal data by the Company is allowed in the following cases:
- If the subject of personal data consents to the processing of his/her personal data. The procedure for obtaining the consent of the subject of personal data by the Partnership is defined in Section 7 of the Policy.
- The processing of personal data is necessary for the exercise and fulfillment of the functions, powers and duties assigned to the Partnership by law.
- To conclude an agreement at the initiative of the personal data subject and to execute an agreement to which the personal data subject is a party. Such agreements are, without limitation, labor contracts with Employees, civil law contracts, user agreements on the Partnership's websites on the Internet.
Until the conclusion of the said agreements, the Partnership processes personal data at the pre-contractual stage of personnel recruitment, when the subject's consent to processing is confirmed by a handwritten completed questionnaire of the Applicant or an application form (CV) submitted by the Applicant to the Partnership or to a specialized recruitment organization, or posted by the Applicant on specialized websites on the Internet, or sent by the Applicant to the Partnership by e-mail.
- Processing of personal data by the Partnership is necessary to exercise the rights and legitimate interests of the Partnership and/or third parties or to achieve socially important purposes, provided that the rights and freedoms of personal data subjects are not violated.
- Processing of personal data is carried out for statistical or other research purposes on condition of obligatory depersonalization of personal data.
- Processing of personal data to which access by an unlimited number of persons has been granted by the personal data subject or at his/her request.
- Personal data is subject to publication or mandatory disclosure in accordance with the law.
4.2 The Partnership does not disclose to third parties or disseminate personal data without the consent of the subject of personal data, unless otherwise provided by law, the contract with the subject of personal data, it is specified in the consent to the processing of personal data received from him or personal data is not made publicly available by the subject himself.
4.3 The Partnership does not process personal data belonging to special categories and relating to racial and national origin, political views, religious or philosophical beliefs, intimate life, membership of personal data subjects in public associations or their trade union activities, except for information about the state of health, relating to the question of the Employee's ability to perform the labor function and necessary for the purposes defined by the pension legislation, legislation on social insurance.
4.4 The Partnership may process personal data on criminal record only in cases and in the manner prescribed by law.
4.5 The Partnership does not process biometric personal data.
4.6 When collecting personal data, the Partnership provides recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data using databases located on the territory of the Partnership and in data centers in the Russian Federation, the Republic of Kazakhstan, Germany.
4.7 In accordance with the corporate rules of SVK Group of Companies (hereinafter referred to as SVK), the Partnership performs cross-border transfer of personal data of Employees, representatives, members of the Partnership's governing bodies, family members of Employees, Applicants, Representatives of counterparties and Consumers recorded in databases in the territory of the Republic of Kazakhstan to the territory of Germany and the Russian Federation - states that are parties to the Council of Europe Convention ETS-108 “On the Protection of Individuals with regard to Automatic Processing of Personal Data”.
4.8 The Partnership does not make decisions giving rise to legal consequences in respect of personal data subjects or otherwise affecting their rights and legitimate interests, based solely on automated processing of personal data. Data having legal consequences or affecting the rights and legitimate interests of the Employee, such as the amount of accrued income, taxes and other deductions, are subject to verification by an authorized employee of the Partnership before their use.
5. Methods of processing personal data
5.1 The Partnership processes personal data using means of automation, as well as without the use of such means.
5.2 The Policy applies in full to the processing of personal data with the use of means of automation, and when processing personal data without the use of means of automation - to those cases where such processing corresponds to the nature of actions (operations) performed with personal data with the use of means of automation, that is, it allows to carry out in accordance with a given algorithm search of personal data recorded on a tangible medium and contained in card indexes or other systematized data.
6. Confidentiality of personal data
6.1 Employees of the Partnership who have access to personal data must ensure the confidentiality of such data.
6.2 Confidentiality is not required for publicly available personal data and data that have undergone an anonymization procedure.
6.3 The Partnership has the right, with the subject's consent, to entrust the processing of personal data to another person, unless otherwise provided for by the law, on the basis of a contract concluded with this person, providing as an essential condition for the obligation of the person processing personal data on behalf of the Partnership to comply with the principles and rules of personal data processing provided for by the law. The amount of personal data transferred to another person for processing, the actions performed with personal data by this person must be minimally necessary for him to fulfill his obligations to the Partnership.
6.4 The Partnership's assignment must specify the list of actions (operations) with personal data to be performed by the person processing personal data and the purposes of processing, must establish the obligation of such person to maintain the confidentiality of personal data and ensure the security of personal data during their processing, as well as specify the requirements for the protection of processed personal data in accordance with the Law of the Republic of Kazakhstan dated May 21, 2013 № 94-V On personal data and their protection.
6.5 When executing the Partnership's order to process personal data, the person to whom such processing is entrusted has the right to use its information systems for processing personal data that meet the security requirements established by law, which is reflected by the Partnership in the agreement concluded on the order to process personal data.
6.6 If the Partnership entrusts the processing of personal data to another person, the Partnership shall be liable to the subject of personal data for the actions of the said person. The person who processes personal data on behalf of the Partnership shall be liable to the Partnership.
6.6 The Partnership has the right to place its personal data information systems in a data center (cloud computing infrastructure). In this case, the contract with the data center (cloud service provider) shall include as an essential condition the requirement to prohibit access of the data center personnel to the information systems of personal data of the Partnership placed in the data center (cloud infrastructure), and this placement is not considered by the Partnership as an assignment of personal data processing to the data center (cloud service provider) and does not require the consent of personal data subjects to such placement.
7. Consent of the personal data subject to the processing of his/her personal data
7.1 The subject of personal data decides to provide his/her personal data to the Partnership and consents to their processing freely, of his/her own free will and in his/her own interest. Consent to the processing of personal data must be specific, informed and conscious and may be provided by the subject in any form that allows to confirm the fact of its receipt, unless otherwise provided by law.
7.2 In case the Partnership receives personal data from a counterparty on the basis of and for the purpose of conclusion and/or execution of a contract concluded with the counterparty, including - from other SVK Group companies, the responsibility for legality and reliability of personal data, as well as for obtaining the consent of representatives of counterparties and Employees of the group of companies to transfer their personal data to the Partnership shall be borne by the counterparty transferring the personal data, which is set forth in the text of the contract with the counterparty.
7.3 The Partnership, which has received personal data from a contractor, does not assume the obligation to inform the subjects (their representatives), whose personal data have been transferred to it, about the commencement of personal data processing, since the obligation to carry out the corresponding informing when concluding a contract with the subject of personal data and/or when obtaining consent to such transfer is borne by the contractor who transferred the personal data. This obligation of the counterparty is included in the contract concluded with him by the Partnership.
7.4 The Employee's express consent to the processing of his/her personal data is not required, as the processing is necessary for the performance of the employment contract to which the Employee - the subject of personal data is a party, except in cases where it is necessary to obtain the Employee's consent in writing for specific cases of personal data processing. The cases requiring the Employee's consent in writing include (without limitation):
7.4.1 Obtaining Employees' personal data from third parties, including for the purpose of verification of such personal data, as well as in cases when such data cannot be obtained from the Employee.
7.4.2 Transfer of the Employee's personal data to any third party, including transfer of the Employee's personal data during business trips, training and professional development, hotel and ticket booking, etc.
7.4.3 Transfer of the Employee's personal data to third parties for commercial purposes, including banks that open and service payment cards for the calculation of wages and other income of the Employee, insurance companies and/or medical organizations when concluding and executing insurance contracts for Employees at the expense of the Partnership as an employer, printing companies engaged in the production of business cards for Employees at the expense of the Partnership as an employer, organizers of business exhibitions and conferences.
7.4.4 Transfer of the Employee's personal data to organizations providing consulting services and comprehensive support of the Partnership's activities in the field of accounting, tax and personnel accounting, occupational safety, logistics and other support of the Partnership's activities.
7.4.5 Transfer of the Employee's personal data to audit organizations for the purpose of performing audit procedures.
7.4.6 Transfer of the Employee's personal data to notaries for notarized powers of attorney on behalf of the Partnership and other notarial acts.
7.4.7 Transfer of the Employee's personal data to notaries for notarized powers of attorney on behalf of the Partnership and other notarial acts.
7.4.8 Transfer of Employee's personal data to charitable foundations for the purpose of transferring voluntary donations from Employees.
7.4.9 Transfer of the Employee's personal data to contractors providing accommodation for employees.
7.4.10 Transfer of the Employee's personal data to tax counterparties for the purpose of tax advice.
7.4.11 Transfer of the Employee's personal data to counterparties providing educational services.
7.4.12 Transfer of the Employee's personal data to outsourcing companies that provide foreign visas when sending the Partnership's Employees on foreign business trips, visa support, obtaining work permits and migration registration of employees who are not citizens of the Republic of Kazakhstan.
7.4.13 Transfer of personal data to the landlord for the purpose of ensuring the passage of Employees to the secured leased premises.
7.5 Specially expressed consent of the Family Members of the Partnership's employees is not required if the processing of their personal data is carried out on the basis of legislation (for alimony calculation, registration of social payments, provision of benefits and guarantees, etc.), is carried out by the Partnership as an employer in accordance with the requirements of the Labor Code of the Republic of Kazakhstan and state statistical accounting bodies, as well as in cases when the Family Members of employees are beneficiaries, including insured persons under the contracts concluded by the Partnership. In all other cases it is necessary to obtain provable (confirmed) consent of the Family Members of employees to the processing of their personal data by the Partnership.
7.6 Specifically expressed consent of the Applicants to the processing of their personal data is not required, as such processing is necessary for the purposes of concluding labor contracts at the initiative of the Applicants - subjects of personal data, except for cases when it is necessary to obtain the Applicant's consent in writing for specific cases of personal data processing. Personal data of the Applicant contained in his/her application form, CV, e-mails sent to the Partnership by the Applicant or specialized recruitment organizations, and other documents are destroyed within 30 days from the date of the decision to hire or refuse to hire the Applicant.
7.7 The consent of the Buyers is given in the form of conclusory actions by providing their personal data in the documents submitted to the Partnership and filling in the registration forms on the Partnership's websites and accepting the terms and conditions of the relevant events, contests, user agreements.
7.8 Personal data of persons who have signed agreements with the Partnership and contained in the unified state registers of legal entities and individual entrepreneurs are open and publicly available, except for information on the number, date of issue and the issuing authority of the identity document of a physical person. Protection of their confidentiality and consent of personal data subjects to the processing of such data is not required.
In all other cases, it is necessary to obtain the consent of personal data subjects who are Representatives of counterparties, except for persons who have signed contracts with the Partnership, granted powers of attorney to act on behalf of and on behalf of the Partnership's counterparties, and thereby have performed explicit actions confirming their consent to the processing of personal data specified in the text of the contract (power of attorney). The counterparty's Representative's consent to the transfer of his/her personal data to the Partnership and the processing of such data by the Partnership may be obtained by the counterparty in the manner described in clause 7.2 of the Policy. In this case, the Partnership does not need to obtain the subject's consent to the processing of his/her personal data.
7.9 The consent of Representatives of personal data subjects to the processing of their personal data shall be expressed in the form of conclusory actions by providing a power of attorney with the right to act on behalf of and on behalf of personal data subjects and an identity document of the Representative of the personal data subject.
7.10 The Visitor's consent to the processing of his/her personal data is given in the form of a conclusive action, namely providing an identity document and providing the information requested from him/her when visiting the Partnership.
7.11 The consent of the Users of the websites to the processing of their personal data received by the Partnership when the Visitors browse the pages of the Partnership's websites on the Internet is given by accepting the terms of the Cookie Rules and checking the appropriate box (tick) in the banners on the Partnership's websites.
7.12 If it is necessary to obtain the subject's consent to the processing of personal data in writing, such consent may be obtained in the form of an electronic document signed with an electronic signature in accordance with the requirements established by law.
7.13 Consent of subjects to provide their personal data is not required when the Partnership, within the established powers, receives motivated requests from prosecutor's offices, law enforcement agencies, investigation and inquiry agencies, security agencies, from state labor inspectors in their state supervision and control over compliance with labor legislation, and other bodies authorized to request information in accordance with the competence provided for by law.
A motivated request must include an indication of the purpose of the request, a reference to the legal grounds for the request, including evidence of the authority of the body submitting the request, and a list of the information requested.
7.14 In the event of requests from organizations that do not have the relevant authority, the Partnership shall be obliged to obtain the subject's consent to the provision of his/her personal data and warn the persons receiving the personal data that such data may be used only for the purposes for which they are reported, as well as to require these persons to confirm that the said rule will (has) been complied with. The procedure for obtaining Employees' consent to the transfer of their personal data to other persons is described in clause 7.4 of the Policy.
7.15 In all cases, the obligation to provide proof of obtaining the consent of the subject of personal data to the processing of his/her personal data or proof of the existence of the grounds specified in the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On Personal Data and their Protection” is imposed on the Partnership.
8. Rights of personal data subjects
8.1 Personal data subjects have the right to receive information regarding the processing of their personal data, including information containing:
- confirmation of the fact of processing of his/her personal data by the Partnership;
- legal grounds and purposes of personal data processing;
- information on the methods of personal data processing used by the Partnership;
- name and location of the Partnership, information about persons (except for employees of the Partnership) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Partnership or on the basis of legislation;
- processed personal data related to the respective personal data subject, the source of their obtaining;
- terms of personal data processing, including the terms of their storage;
- procedure for exercising by the subject of personal data of the rights provided by the Law of the Republic of Kazakhstan dated May 21, 2013 № 94-V On personal data and their protection;
- information on realized or suspected cross-border data transfers;
- the name or surname, first name, patronymic and address of the person who processes personal data on behalf of the operator, if the processing is or will be entrusted to such a person;
- other information stipulated by the legislation.
Information about the availability of personal data must be provided to the subject of personal data by an authorized employee of the Partnership in an accessible form, and it must not contain personal data relating to other subjects of personal data.
8.2 If the subject of personal data believes that the Partnership processes his/her personal data in violation of legal requirements or otherwise violates his/her rights and freedoms, the subject of personal data has the right to appeal the actions or omissions of the Partnership to the authorized body for the protection of the rights of personal data subjects or in court.
8.3 The subject of personal data has the right to protection of his rights and legitimate interests, including compensation for losses and (or) compensation for moral damage in court.
9. Information on implemented requirements to the protection of personal data
9.1 The security of personal data processed by the Partnership is ensured by the implementation of legal, organizational and technical measures necessary and sufficient to ensure the requirements of the legislation on personal data.
9.2 Legal measures taken by the Partnership include:
- development of local acts of the Partnership implementing the requirements of the legislation, including the Policy and Regulations on the procedure for processing and ensuring security of personal data in the Partnership;
- refusal to use any methods of personal data processing that do not meet the purposes and legal requirements defined in the Policy.
9.3 Organizational measures taken by the Partnership include:
- appointment of a person responsible for the organization of personal data processing;
- appointment of a person responsible for ensuring personal data security in personal data information systems;
- limiting the number of the Partnership's employees who have access to personal data and organizing a permissive system of access to them;
- familiarization of the Partnership's employees, who directly process personal data, with the provisions of the legislation on personal data, including the requirements for personal data protection, with the Policy, other local acts of the Partnership on the issues of personal data processing;
- training of all categories of the Partnership's employees directly involved in the processing of personal data on the rules of working with personal data and ensuring the security of the processed data;
- defining in the job descriptions of the Partnership's employees the obligations to ensure the security of personal data processing and responsibility for violation of the established procedure;
- regulation of personal data processing processes;
- organization of accounting of material carriers of personal data and their storage, ensuring prevention of theft, substitution, unauthorized copying and destruction;
- determining the type of personal data security threats relevant for personal data information systems, taking into account the assessment of possible harm to personal data subjects that may be caused in case of violation of security requirements, determining the level of personal data protection and requirements for personal data protection during their processing in information systems, the fulfillment of which ensures the established levels of personal data protection;
- determination of threats to personal data security during their processing in information systems, formation on their basis of a private model(s) of actual threats;
- placement of technical means of personal data processing within the protected area;
- restriction of access of unauthorized persons to the premises of the Partnership, prevention of their presence in the premises where personal data are handled and technical means of their processing are placed, without control by the employees of the Partnership.
9.4 Technical measures taken by the Company include:
- development, on the basis of the private model of actual threats, of a personal data protection system for the levels of protection of personal data during their processing in information systems established by the Government of the Republic of Kazakhstan;
- use of information protection tools that have undergone the conformity assessment procedure to neutralize current threats;
- assessment of the effectiveness of the measures taken to ensure the security of personal data;
- implementation of a permissive system of employees' access to personal data processed in information systems and to hardware and software means of information protection;
- registration and recording of actions with personal data of users of information systems where personal data are processed;
- limitation of the software environment;
- detection of malicious software (application of anti-virus programs) on all nodes of the Partnership's information network that provide the corresponding technical capability;
- secure inter-network communication (use of firewalling);
- user identification and authentication when logging into the information system by password;
- control of software integrity, including software of information protection means;
- detection of intrusions into the Partnership's information system that violate or create preconditions for violation of the established requirements for personal data security;
- protection of the virtualization environment;
- protection of network devices and communication channels through which personal data are transmitted;
- recovery of personal data modified or destroyed due to unauthorized access to them (creation of a system of backup and recovery of personal data);
- control over the implementation of these requirements (independently or with the involvement on a contractual basis of legal entities and individual entrepreneurs licensed to carry out activities on technical protection of confidential information) at least once every 3 years.
10. Concluding remarks
10.1 Other obligations and rights of the Partnership as a personal data operator and a person organizing their processing on behalf of other operators are determined by the legislation in the field of personal data.
10.2 Officials and Employees of the Partnership guilty of violating the norms governing the processing and protection of personal data shall bear material, disciplinary, administrative, civil and criminal liability in accordance with the law.
10.3 The Policy is revised as necessary. Mandatory revision of the Policy is carried out in case of significant changes in the international or legislation in the field of personal data.
When making changes to the Policy, the following shall be taken into account:
- changes in the information infrastructure and (or) information technologies used by the Partnership;
- the existing practice of law enforcement in the Republic of Kazakhstan in the field of personal data;
- changing the conditions and peculiarities of personal data processing by the Partnership due to the introduction of new information systems, processes and technologies in its activities.