1. Terms and definitions
1.1 Personal data - any information relating to a natural person (the personal data subject) who is identified or identifiable on the basis of such information, including his/her surname, name, patronymic, year, month, date and place of birth, address, e-mail address, telephone number, marital, social and property status, education, profession, income and other information.
1.2 Processing of personal data - actions (operations) with personal data, including collection, systematization, accumulation, storage, clarification (updating, modification), use, dissemination (including transfer), depersonalization and blocking.
1.3 Confidentiality of personal data - a mandatory requirement for the designated responsible person who has access to personal data not to allow their dissemination without the consent of the subject or another legal basis.
1.4 Dissemination of personal data - actions aimed at transferring personal data to a certain group of persons (transfer of personal data) or at making personal data available to an unlimited number of persons, including disclosure of personal data in the mass media, placement in information and telecommunication networks or providing access to personal data in any other way.
1.5 Use of personal data - actions (operations) with personal data performed in order to make decisions or perform other actions that give rise to legal consequences for personal data subjects or otherwise affect their rights and freedoms or the rights and freedoms of others.
1.6 Blocking of personal data - temporary cessation of the collection, systematization, accumulation, use and dissemination of personal data, including their transfer.
1.7 Destruction of personal data - actions as a result of which it becomes impossible to restore the content of personal data in the personal data information system, or as a result of which the material carriers of personal data are destroyed.
1.8 Depersonalization of personal data - actions as a result of which it becomes impossible to determine, without using additional information, whether personal data belong to a particular subject.
1.9 Publicly available personal data - personal data to which an unlimited number of persons have access with the subject's consent or to which, in accordance with the laws, the requirement of confidentiality does not apply.
1.10 Information - information (messages, data) regardless of the form of its presentation.
1.11 Client (subject of personal data) - a natural person who is a consumer of the services of Norvind LLP (hereinafter referred to as the "Operator").
1.12 Operator - a state authority, municipal authority, legal entity or individual that, independently or jointly with other persons, organizes and (or) carries out the processing of personal data and determines the purposes of personal data processing, the composition of the personal data subject to processing and the actions (operations) performed with personal data. For the purposes of these Regulations, Norvind LLP is recognized as the Operator.
2. General Provisions
2.1 These Regulations on Processing of Personal Data (hereinafter - the Regulations) are developed in accordance with the requirements of the Law of the Republic of Kazakhstan dated May 21, 2013 № 94-V "On Personal Data and their Protection" (hereinafter - the Law on Personal Data), the Law of the Republic of Kazakhstan dated November 24, 2015 № 418-V "On Informatization" (hereinafter - the Law on Informatization) and other regulatory legal acts of the Republic of Kazakhstan, and determine the procedure.
2.2 The purpose of the Regulations is to define the procedure for processing and protection of personal data of all Operator's Customers whose data are subject to processing, based on the Operator's authorization; to ensure protection of human and civil rights and freedoms when processing their personal data, including protection of the rights to privacy, personal and family secrecy, as well as to establish the responsibility of officials who have access to personal data for failure to comply with the requirements of the regulations governing the processing and protection of personal data.
2.3 Procedure for enacting and amending the Regulation.
2.3.1 This Regulation shall come into force from the moment of its approval by the General Director of the Operator and shall remain in force indefinitely until it is replaced by a new Regulation.
2.3.2 The Regulations shall be amended on the basis of Orders of the General Director of Norvind LLP.
3. Composition of personal data
3.1 The composition of the Clients' personal data includes, inter alia:
3.1.1. Surname, first name, patronymic.
3.1.2 Year of birth.
3.1.3. Month of birth.
3.1.4. Date of birth.
3.1.5. E-mail address.
3.1.6. Telephone number (home, cell).
3.1.7. Address for order (goods/services) delivery.
3.2 The Operator may create, collect and store the following documents and information, including in electronic form, containing data on Customers:
3.2.1. Questionnaire (profile) of the Customer.
3.2.2. Application for registration - of an individual.
3.2.3. Contract (public offer).
3.2.4. Confirmation of adherence to the Agreement.
3.2.5. Copies of identity documents, as well as other documents provided by the Customer and containing personal data.
3.2.6. Data on payments for orders (goods/services) containing payment and other details of the Customer.
3.2.7. Data on delivery addresses of orders (goods/services).
3.2.8. Records of telephone conversations and electronic correspondence.
4. Purpose of personal data processing
4.1 The purpose of personal data processing is to carry out a set of actions aimed at achieving the purpose, including:
4.1.1 To provide consulting and information services;
4.1.2 For registration/authorization of the Client on the website https://norvind.kz/eng (hereinafter - the Site);
4.1.3 To process the Customer's orders and fulfill the Operator's obligations to the Customer;
4.1.4 To carry out activities to promote goods and services, to analyze the Customer's purchasing characteristics and to provide personal recommendations;
4.1.5 To notify the Customer about the status of the order being fulfilled by means of SMS informing;
4.1.6 For the Customer's participation in loyalty programs;
4.1.7 Other transactions not prohibited by law, as well as a set of actions with personal data necessary for the execution of the above transactions;
4.1.8 To fulfill the requirements of the legislation of the Republic of Kazakhstan.
4.2 Grounds for termination of personal data processing are the liquidation of the Operator and a corresponding request from the Client.
5. Collection, processing and protection of personal data
5.1 Procedure for obtaining (collecting) personal data:
5.1.1 All personal data of the Client shall be obtained from the Client personally, with his/her written consent, except for the cases defined in clauses 5.1.4 and 5.1.6 of these Regulations and other cases stipulated by the laws of the Republic of Kazakhstan.
5.1.2 The Client's consent to the use of his/her personal data shall be kept by the Operator in paper and/or electronic form.
5.1.3 The consent of the subject to the processing of personal data is valid for the entire term of the contract, as well as for 5 years from the date of termination of the contractual relationship between the Client and the Operator. Upon expiry of the said term, the consent shall be deemed extended for each of the following five years, provided that there is no information about its revocation by the Client.
5.1.4 If the Client's personal data can be obtained only from a third party, the Client shall be notified thereof in advance and a written consent shall be obtained from the Client. The third party providing the Customer's personal data must have the subject's consent to transfer the personal data to the Operator. The Operator is obliged to obtain confirmation from the third party providing the Customer's personal data that the personal data is transferred with the Customer's consent. When interacting with third parties, the Operator is obliged to conclude an agreement with them on confidentiality of information related to the Customers' personal data.
5.1.5 The Operator is obliged to inform the Customer about the purposes, expected sources and methods of obtaining personal data, as well as about the nature of the personal data to be obtained and the consequences of the Customer's refusal to give his/her written consent to receive such data.
5.1.6. Processing of Customers' personal data without their consent is carried out in the following cases:
5.1.6.1. Personal data is publicly available.
5.1.6.2. At the request of authorized state bodies in cases stipulated by the law of the Republic of Kazakhstan.
5.1.6.3. Personal data processing is carried out on the basis of the law establishing its purpose, conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as determining the powers of the operator.
5.1.6.4. Processing of personal data is carried out for the purposes of conclusion and execution of an agreement, one of the parties to which is the subject of personal data - the Client.
5.1.6.5 Processing of personal data is carried out for statistical purposes on condition of obligatory depersonalization of personal data.
5.1.6.6. In other cases provided by law.
5.1.7. The Operator has no right to receive and process the Customer's personal data about the Customer's race, nationality, political views, religious or philosophical beliefs, state of health, intimate life.
5.2 Procedure of personal data processing:
5.2.1 The subject of personal data provides the Operator with reliable information about himself/herself.
5.2.2 Only the Operator's employees who are authorized to work with the Customer's personal data and who have signed the Agreement on non-disclosure of the Customer's personal data may have access to the processing of the Customer's personal data.
5.2.3 At the Operator, the right of access to the Client's personal data is held by:
- The General Director of Norvind LLP;
- Employees responsible for operational work (Accounting Department, Financial Department);
- Employees of the Customer Relations Department;
- Employees of the Partners Support Department;
- Employees of the Marketing Department;
- Employees of the Personnel Service;
- Employees of the Legal Service;
- IT employees (Information Technology Department);
- The Client as the subject of personal data.
5.2.3.1 The list of the Operator's employees having access to the Clients' personal data is defined by the Operator's General Director's order.
5.2.4. Processing of the Client's personal data may be carried out solely for the purposes set forth in the Regulations and in compliance with laws and other regulatory legal acts of Kazakhstan.
5.2.5 When determining the scope and content of processed personal data, the Operator is guided by the Constitution of the Republic of Kazakhstan, the law on personal data and their protection, the law on informatization, and other regulatory legal acts.
5.3 Protection of personal data:
5.3.1 Protection of the Client's personal data means a set of measures (organizational and administrative, technical, legal) aimed at preventing unlawful or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data of subjects, as well as from other unlawful actions.
5.3.2 The protection of the Client's personal data is carried out at the expense of the Operator in accordance with the procedure established by the law of the Republic of Kazakhstan.
5.3.3 The Operator shall take all necessary organizational and administrative, legal and technical measures to protect the Clients' personal data, including:
- Encryption (cryptographic) means.
- Antivirus protection.
- Security analysis.
- Intrusion detection and prevention.
- Access control.
- Registration and accounting (logging).
- Integrity assurance.
- The Operator's local regulatory and methodological acts governing the protection of personal data.
5.3.4 The general organization of the Clients' personal data protection is carried out by Norvind LLP.
5.3.5. Access to the Customer's personal data is granted to the Operator's employees who need the personal data in connection with the performance of their labor duties.
5.3.6 All employees related to the receipt, processing and protection of the Clients' personal data are obliged to sign the Agreement on non-disclosure of the Clients' personal data.
5.3.7 The procedure of formalizing access to the Customer's personal data includes:
- Familiarization of the employee against signature with these Regulations. If there are other regulatory acts (orders, instructions, etc.) regulating the processing and protection of the Customer's personal data, such acts shall also be familiarized with them against signature.
- Requesting from the employee (except for the General Director) a written obligation to observe confidentiality of the Clients' personal data and compliance with the rules of their processing in accordance with the Operator's internal local acts regulating the issues of confidential information security.
5.3.8 The Operator's employee who has access to the Customers' personal data in connection with the performance of labor duties:
- Ensures storage of information containing the Customer's personal data, excluding access to them by third parties.
- In the absence of the employee, there shall be no documents containing the Customers' personal data at his/her workplace.
- When an employee goes on vacation, during a business trip and in other cases of prolonged absence from his/her workplace, he/she is obliged to hand over documents and other media containing personal data of Customers to a person who will be assigned to perform his/her labor duties by a local act of the Company (order, instruction).
- If no such person is appointed, the documents and other media containing the Customers' personal data shall be transferred to another employee who has access to the Customers' personal data as instructed by the Operator's General Director.
- In case of dismissal of the employee having access to the Customers' personal data, the documents and other media containing the Customers' personal data shall be transferred to another employee having access to the Customers' personal data as instructed by the General Director.
- In order to fulfill the assigned task and on the basis of a memo with a positive resolution of the General Director, access to the Customer's personal data may be granted to another employee. Access to the Customer's personal data by other employees of the Operator who do not have duly authorized access is prohibited.
5.3.9 The Manager of the Personnel Service shall ensure:
- Familiarization of employees against signature with this Regulation.
- Requesting from the employees a written obligation to keep confidentiality of the Clients' personal data (Agreement on non-disclosure of the Clients' personal data) and to comply with the rules of their processing.
- General control over the employees' compliance with the measures for protection of the Client's personal data.
5.3.10. Protection of the Customers' personal data stored in the Operator's electronic databases against unauthorized access, distortion and destruction of information, as well as against other unlawful actions is provided by the System Administrator.
5.4 Storage of Personal Data:
5.4.1 The Customers' Personal Data in hard copy shall be stored in safes.
5.4.2. Customers' personal data in electronic form shall be stored in the Operator's local computer network, in electronic folders and files in personal computers of the General Director and employees authorized to process Customers' personal data.
5.4.3 Documents containing Clients' personal data shall be stored in lockable cabinets (safes) providing protection against unauthorized access. At the end of the working day all documents containing personal data of the Customers shall be placed in cabinets (safes) providing protection against unauthorized access.
5.4.4 Protection of access to electronic databases containing personal data of the Customers is provided by:
- Use of licensed anti-virus and anti-hacking software that does not allow unauthorized entry into the Operator's local network.
- Differentiation of access rights using an account.
- Two-stage password system: at the level of the local computer network and at the level of databases. Passwords are set by the Operator's System Administrator and communicated individually to the employees who have access to the Clients' personal data.
5.4.4.1 Unauthorized access to PCs containing Customers' personal data shall be blocked by a password, which shall be set by the System Administrator and shall not be disclosed.
5.4.4.2 All electronic folders and files containing Customers' personal data shall be protected by a password, which shall be set by the Operator's employee responsible for the PC and communicated to the System Administrator.
5.4.4.3 The System Administrator shall change passwords at least once every 3 months.
5.4.5 Copying and making extracts of the Customer's personal data is allowed only for business purposes with the written permission of the Operator's General Director.
5.4.6 Responses to written inquiries of other organizations and institutions about the Clients' personal data shall be given only with the written consent of the Client, unless otherwise stipulated by the legislation of Kazakhstan. Responses shall be made in writing, on the Operator's letterhead, and to the extent that the excessive amount of the Client's personal data is not disclosed.
6. Blocking, depersonalization, destruction of personal data
6.1 Procedure for blocking and unblocking of personal data:
6.1.1 Blocking of Clients' personal data is carried out with a written application of the Client.
6.1.2 Blocking of personal data implies:
6.1.2.1. Prohibition of editing personal data.
6.1.2.2 Prohibition to disseminate personal data by any means (e-mail, cellular communication, material media).
6.1.2.3 Prohibition to use personal data in mass mailings (sms, e-mail, mail).
6.1.2.4 Withdrawal of paper documents related to the Customer and containing his personal data from the Operator's internal document flow and prohibition of their use.
6.1.3. Blocking of the Client's personal data may be temporarily removed if it is required for compliance with the legislation of the Republic of Kazakhstan.
6.1.4 Unblocking of the Client's personal data is carried out with the Client's written consent (if consent is required) or the Client's application.
6.1.5 The repeated consent of the Client to the processing of his/her personal data (if there is a need to obtain it) entails unblocking of his/her personal data.
6.2 Procedure for depersonalization and destruction of personal data:
6.2.1 The Customer's personal data is depersonalized upon the Customer's written request, provided that all contractual relations have been completed and at least 5 years have passed from the date of termination of the last contract.
6.2.2 In case of depersonalization, personal data in information systems shall be replaced by a set of symbols, by which it is impossible to determine whether the personal data belong to a particular Customer.
6.2.3 Paper carriers of documents shall be destroyed when personal data is depersonalized.
6.2.4 The Operator is obliged to ensure confidentiality of personal data when it is necessary to test information systems on the territory of the developer and to depersonalize personal data in the information systems transferred to the developer.
6.2.5 Destruction of the Customer's personal data implies termination of any access to the Customer's personal data.
6.2.6 Upon destruction of the Client's personal data, the Operator's employees cannot access the subject's personal data in the information systems.
6.2.7 When destroying personal data, paper carriers of documents shall be destroyed, personal data in information systems shall be depersonalized. Personal data shall not be restored.
6.2.8 The operation of personal data destruction is irreversible.
6.2.9. The term after which the operation of destruction of the Customer's personal data is possible is determined by the end of the term specified in clause 7.3 of these Regulations.
7. Transfer and storage of personal data
7.1 Transmission of personal data:
7.1.1 Transmission of the subject's personal data means dissemination of information via communication channels and on material media.
7.1.2 When transferring personal data, the Operator's employees shall comply with the following requirements:
7.1.2.1 Not to communicate the Customer's personal data for commercial purposes.
7.1.2.2. Not to communicate the Client's personal data to a third party without the Client's written consent, except for cases stipulated by the law of the Republic of Kazakhstan.
7.1.2.3 To warn the persons receiving the Client's personal data that such data may be used only for the purposes for which they are communicated, and to require these persons to confirm that this rule is observed.
7.1.2.4 To allow access to the Clients' personal data only to specially authorized persons, who shall have the right to receive only those Clients' personal data that are necessary for the performance of specific functions.
7.1.2.5 To transfer the Customer's personal data within the Operator in accordance with these Regulations, regulatory and technological documentation and job descriptions.
7.1.2.6 To provide the Client with access to his/her personal data upon application or upon receipt of the Client's request. The Operator is obliged to inform the Client about the availability of personal data about him/her and to provide an opportunity to review them within ten working days from the moment of the request.
7.1.2.7 To transfer the Customer's personal data to the Customer's representatives in accordance with the procedure established by legislation and by regulatory and technological documentation, limiting this information to only those personal data of the subject that are necessary for the said representatives to perform their function.
7.1.2.8 To keep a register of the Customers' personal data issued, recording the person to whom the Customers' personal data were transferred, the date of transfer or the date of notification of refusal to provide personal data, and what information was transferred (according to the form in Appendix No. 1).
7.2 Storage and use of personal data:
7.2.1 Storage of personal data means the existence of records in information systems and on tangible media.
7.2.2 The Clients' personal data shall be processed and stored in information systems, as well as on paper at the Operator. The Clients' personal data is also stored electronically: in the Operator's local computer network, in electronic folders and files in the PCs of the General Director and employees authorized to process the Clients' personal data.
7.2.3 Client's personal data may be stored for no longer than required by the purposes of processing, unless otherwise provided for by the laws of the Republic of Kazakhstan.
7.3 The terms of storage of personal data:
7.3.1. Storage terms of civil law contracts containing personal data of the Clients, as well as documents accompanying their conclusion, execution - 5 years from the moment of expiration of the contracts.
7.3.2 During the storage period, personal data may not be anonymized or destroyed.
7.3.3 Upon expiration of the retention period personal data may be anonymized in information systems and destroyed on paper in the manner prescribed in the Regulations and the applicable legislation of the Republic of Kazakhstan.
8. Rights of the personal data operator
The Operator has the right:
8.1 To defend its interests in court.
8.2 To provide the Clients' personal data to third parties where this is provided for by current legislation (to tax authorities, law enforcement agencies, etc.) or by an agreement with the Client.
8.3 To refuse to provide personal data in cases stipulated by the legislation of the Republic of Kazakhstan.
8.4 To use the Client's personal data without his/her consent in cases stipulated by the legislation of the Republic of Kazakhstan.
9. Rights of the Client
The Client has the right:
9.1 To demand clarification of his/her personal data, or their blocking or destruction, where the personal data are incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, as well as to take measures provided by law to protect his/her rights.
9.2 To request a list of the processed personal data held by the Operator and the source from which they were obtained.
9.3 To obtain information on the terms of personal data processing, including the terms of their storage.
9.4 To request that all persons who were previously informed of incorrect or incomplete personal data be notified of all deletions, corrections or additions made to such data.
9.5 To appeal to the authorized body for the protection of the rights of personal data subjects, or to a court, against unlawful acts or omissions in the processing of his/her personal data.
10. Responsibility for violation of norms regulating the processing and protection of personal data
10.1 The Operator's employees guilty of violating the norms regulating the receipt, processing and protection of personal data shall bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Republic of Kazakhstan and the internal local acts of the Operator.