REGULATION ON THE COLLECTION, PROCESSING AND PROTECTION OF THE PERSONAL DATA
This “Regulation on the Collection, Processing and Protection of the Personal Data” is the document, which regulates the collection, processing and protection of the personal data of the company Ziylan Kz Limited Liability Partnership (BIN 151040011304, Republic of Kazakhstan, Almaty city, Bayzakov Avenue, No: 280, Office No: 15d) (hereafter “Company”).
“Regulation on the Collection, Processing and Protection of the Personal Data” may be amended by the Company without requiring any special notification; the new version of “Regulation on the Collection, Processing and Protection of the Personal Data” becomes effective 10 (ten) calendar days after its publication on the website https://www.flo.com.kz, unless otherwise specified in the new version of “Regulation on the Collection, Processing and Protection of the Personal Data”.
The fact that you continue using the website https://www.flo.com.kz, after you are informed about this “Regulation on the Collection, Processing and Protection of the Personal Data” or the amendments and/or additions on this “Regulation on the Collection, Processing and Protection of the Personal Data” made by the Company, means that the Buyer has agreed and acknowledged the “Regulation on the Collection, Processing and Protection of the Personal Data” or the amendments and/or additions made.
One of the main conditions of the activities of the Company (hereafter “Company” and/or “Operator”) is to ensure the information security at the required and sufficient level, including the personal data.
1. Terms and Definitions:
– Operator: governmental agencies, real and/or legal entities, which collect, process and protect the personal data;
– Personal Data Information System: Information technologies and technical tools, which are in the personal databases and ensure the processing of the personal data;
– Personal Data: Information related to the personal data owner, which are recorded in electronic, paper and/or other portable environments and are identified or identifiable;
– Processing of Personal Data: Actions regarding the collection, storage, amendment, completion, use, disclosure, anonymization, blocking and disposal of the personal data;
– Disclosure of Personal Data: Actions, which are intended to transfer the personal data to the persons in uncertain number;
– Automatic Processing of Personal Data: Processing of personal data through information processing devices;
– Procurement of Personal Data: Actions, which are intended to disclose the personal data to any specific person or any specific group of persons;
– Collection of Personal Data: Actions regarding the systematization of personal data by means of entering into the database containing the personal data;
– Blocking of Personal Data: Actions regarding the cessation of the collection, accumulation, amendment, completion, use, disclosure, anonymization and disposal of the personal data;
– Disposal of Personal Data: Actions, which make the retrieval of personal data impossible;
– Anonymization of Personal Data: Actions, which make it impossible to determine whether the personal data belong to the relevant person.
2. Regulation on the Collection, Processing and Protection of the Personal Data means any kinds of actions (procedure) or groups of actions (procedures) regarding the collection, recording, systematization, storage, clarification (updating, amendment), removal, use, transfer (distribution, procurement, access), anonymization, blocking, erasure and disposal of the personal data and the information regarding the requirements applied for the protection of personal data.
3. “Regulation on the Collection, Processing and Protection of the Personal Data” complies with the applicable legislation of the Republic of Kazakhstan and is issued based on the following regulatory legal arrangements: Constitution of the Republic of Kazakhstan; Labor Law of the Republic of Kazakhstan; Law “On Informatization” of the Republic of Kazakhstan dated 24th November 2015 and numbered 418-V; Law “Regarding the Personal Data and the Protection Thereof” of the Republic of Kazakhstan dated 21st May 2013 and numbered 94-V; Decree “Regarding the Approval of the Rules on the Collection and Processing of Personal Data” of the Ministry of Digital Development, Innovation and Aviation and Space Industry of the Republic of Kazakhstan dated 21st October 2020 and numbered 395/NK; other regulatory legal arrangements of the Republic of Kazakhstan.
4. Company does not process the biometric personal data. Company is entitled to transfer the processing of the personal data of the personal data owner according to the 7th article of the Law Regarding the Personal Data and the Protection Thereof.
5. Purposes of the processing of the personal data by the company: Compliance of the processing of the personal data with the laws; to fulfill and perform the functions, authorities and obligations imposed by the legislations of the Republic of Kazakhstan on the Operator; to exercise the rights and legitimate interests of the Company under the activities provided in the Articles of Association and other legal arrangements; other legal purposes.
6. All the personal data processed by the company are the information, which are protected with confidentiality and care in accordance with the legislations of the Republic of Kazakhstan.
7. Personal data, which are subject to the process, are as follows, depending on the purposes, durations and requirement of the process: name, surname; gender; date and place of birth; passport details; Identity Number; questionnaire and biographic data; education details; work experience and general experience details; family situation details; area of specialty; duty; criminal record; address of the place of registry; residence address; home (mobile) telephone number; e-mail address; places, where family members and relatives work or take education.
8. Confidentiality and Protection of Personal Data in the Application:
8.1 Company processes the personal data of the clients collected via the website https://www.flo.com.kz/.
8.2 Personal data, which are collected via the website https://www.flo.com.kz/, are as follows: name, surname; date of birth; identity number; residence address; order delivery address; mobile phone number; e-mail address; other information provided in the communication with the company personnel and in other resources.
8.3 Complete erasure of the personal data of the clients is carried out upon the application of the Company.
8.4 Company is not responsible for the performance of the illegal actions in the application on behalf of the client and the disclosure of the required personal data for the use of the application by the client or with the fault of the client.
8.5 Company saves cookies to the device used by the client to meet his/her needs via the website. Cookies are the small data files, which are sent by the web server and are stored in the electronic device of the client. Such cookies are used to collect analysis data in order to facilitate the client experience for the use of the application and to enhance the service quality of the Company. Cookies do not contain confidential information. The person, who downloads the application, or the client allows the collection, analysis and use of the cookies, including by the third parties, in order to create statistics and to optimize the advertising messages.
8.6 Company is entitled to record the telephone conversations with the Client. Also, Company undertakes to prevent the attempt of the unauthorized access to the information obtained during the telephone conversations and/or the transfer of the same to the third parties, who are not directly involved in the performance of the order.
9. Company processes the personal data of the following personal data owners in order to duly perform its duties as Operator and to perform the obligations arising from the agreement:
9.1 Current and potential clients, current and potential representatives – processing of the personal data is carried out upon the express consent of the personal data owners in the period and scope required to ensure interaction with the personal data owners.
9.2 Other real entities, which have contractual obligation with the company - processing of the personal data is carried out upon the express consent of the personal data owners in the period and scope required to ensure interaction with the personal data owners.
9.3 Counter parties of the company and representatives of the counter parties - processing of the personal data is carried out upon the express consent of the personal data owners in the period and scope required to ensure interaction with the personal data owners.
9.4 Persons, who earn income but do not have employment or any other relationship with the company – to perform and execute the functions, authorities and obligations imposed by the legislations of the Republic of Kazakhstan in the period and scope required to achieve the purposes determined by the legislations of the Republic of Kazakhstan.
10. Personal data are processed with automatic and non-automatic methods.
10.1 Processing of the personal data, which is carried out without using the automation tools, is carried out in a way that makes it possible to determine the place of storage of the personal data (material carrier) for each personal data category. List of the persons, who process or access the personal data, is created by the Operator. It is ensured that the personal data (material carrier), which are processed for different purposes, are stored separately. Operator ensures the security of the personal data and takes measures to prevent the unauthorized access to the personal data.
10.2 Processing of the personal data, which is carried out by using the automation tools, is carried out on condition of fulfilling the following conditions: Company takes technical measures to prevent the unauthorized access to the personal data and/or the transfer of the data to the persons, who do not have the right to access to such data; protection devices are configured in order to detect the unauthorized access to the personal data on time; technical devices of the personal data, which are subject to the automatic process, are isolated in order to protect against the effects, which may cause the damage of the functions; Company backs up the data in order to immediately retrieve the personal data, which are changed or disposed as a result of the unauthorized access to the personal data; protection level is regularly checked in order to ensure the security of the personal data continuously.
11. Storage of the personal data:
11.1 Personal data on the paper are stored in the cabinets and/or safe deposit boxes with special equipment or other locked and sealed places. Keys are kept by the responsible personnel, who are authorized with any proper instruction.
11.2 Personal data in the electronic environment are stored in the databases of the personal data information systems and archive (backup) copies of such personal data information systems.
11.3 During the storage of the personal data, organizational and technical measures are taken, including but not limited to those below, in order to ensure the security of the data and to prevent the unauthorized access: to authorize any personnel in charge of the processing of the personal data; to restrict the physical access to the place of the processing of the personal data, including installing the locked devices, restricting the persons having access, etc.; removable electronic environments, where the backup copies of the personal data related to the personal data owner shall be stored (if necessary, they are marked and recorded; external storage devices are recorded in the recording and tracking book in order to store the backup copies); to record all the information systems, electronic and paper environments and archive copies; to use the certified information security devices and cryptographic protection devices.
12. In line with the purposes of the processing of the personal data, Company may transfer the personal data in the following ways: the processes, which shall be made by the person processing the personal data, and the purposes of the processing must be stated to the Company employees and the third parties, who undertake to ensure the confidentiality and security of the personal data on behalf of the Company; such person must be responsible for protecting of the confidentiality of the personal data and ensuring the security of the personal data during the processing and the requirements regarding the protection of the processed personal data must be specified, upon the requests of the investigation and prosecution organizations regarding the investigation or jurisdiction process or upon the requests of the penal system organization for the purposes of executing the punishment and controlling the actions of the conditional prisoner, the prisoner, whose punishment is suspended, and the probationers. In other cases, transfer of the personal data to the third parties is only possible with the express consent of the personal data owner and the fulfillment of the obligations towards the personal data owner.
13. Personal data are amended upon the application of the personal data owner, based on the official documents containing the personal data regarding the personal data owner and in the cases complying with the law.
14. Storage of the personal data must not exceed the period required by the purpose of processing, and the personal data must be disposed of, when the purpose of processing is achieved or the need for achievement is removed. Data carriers containing the information of the personal data owner and the disposal of the media must comply with the following rules: it must be at the maximum level in terms of the reliability and confidentiality and it must contain the preventive measures against the subsequent retrieval; it must be arranged with a proper document; it must be carried out by the personal data disposal commission; the disposal must contain the data, which must be disposed because of the achievement of the purposes of the processing of the personal data or the removal of the need for the achievement of the same, and the accidental or intentional disposal of the updated data carriers must be prevented.
15. The personal data owner has the following rights:
– The personal data owner has the right to know his/her existence before the owner and/or operator of the personal data and to receive information, including the confirmation of the existence of the personal data, purposes of collection and processing, resources, methods of collection and processing of the personal data, inventory of the processed personal data, duration of storage and processing;
– If there are reasons confirmed with the relevant documents, he/she has the right to request the data owner and/or operator to amend and complete the personal data;
– In case there is any information regarding the violation of the requirements related to the collection and processing of the personal data, he/she has the right to request the data owner and/or operator as well as third parties to block the personal data;
– In case of the violation of the laws of the Republic of Kazakhstan or in the cases determined by the legislation of the Republic of Kazakhstan and other legal arrangements, he/she has the right to request the owner and/or operator as well as third parties to dispose of the personal data;
– Data owner is entitled to defend his/her rights and legitimate interests, including the compensation of the pecuniary and non-pecuniary damages;
– Data owner is entitled to withdraw the express consent related to the collection and processing of the personal data, except for the cases provided in the legislation of the Republic of Kazakhstan;
– He/she has the right to give approval (rejection) to the data owner and/or operator for the disclosure of the personal data in the public resources of personal data;
– He/she has the right to exercise other rights provided in the legislation of the Republic of Kazakhstan.
Data Owner may obtain the desired information by making written request to the Company. The reply, which contains the desired information or justified rejection, shall be sent to the address specified in the application within thirty (30) calendar days.
16. Obligations of the personal data owner:
– To provide his/her own personal data in the cases determined by the laws of the Republic of Kazakhstan;
– To provide the updated data, in case of any amendment in the personal data (telephone number, e-mail address, etc.).
17. Company terminates the processing of the personal data in the following cases: If the conditions related to the termination of the processed personal data are realized or the determined periods expire; if the purposes of the processed personal data are achieved or such purposes become unnecessary; if, upon the request of the personal data owner, the personal data processed by the company are incomplete, are not updated, are inaccurate, are obtained illegally or are not necessary for the purpose; if it is determined that the personal data are processed against the law and it is not ensured that the personal data are processed legally; if the approval, which is given by the personal data owner for the processing of the personal data, is withdrawn or such approval expires (if the personal data are processed by the Company only based on the approval of the personal data owner); in case of the liquidation of the Company.
18. Measures, which are taken by the Company in order to ensure the compliance with the obligation under the legislation of the Republic of Kazakhstan regarding the personal data and the protection thereof: The person in charge of the processing of the personal data has been appointed by the Company;
Local regulations with the purposes of processing the personal data and ensuring the security of the same and local regulations regarding the processing and security in accordance with the regulation of the Republic of Kazakhstan and local regulations containing the procedures for the prevention and determination of the violations have been published; Measures have been taken for the elimination of the results of the violations;
Legal, organizational and technical measures are applied to ensure the security of the personal data; Internal control is applied to ensure the compliance of the processing of the personal data with the requirements of the legislation of the Republic of Kazakhstan regarding the protection of the personal data, among others, there are “Regulation on the Collection, Processing and Protection of the Personal Data” and the local regulation of the Company; Company employees, who directly process the personal data, have been informed with respect to the provisions of the legal arrangements on the processing and the protection of the personal data, relevant regulations, “Regulation on the Collection, Processing and Protection of the Personal Data” and local regulations regarding the processing of the personal data.
19. If it is determined that the provisions, article or any part of “Regulation on the Collection, Processing and Protection of the Personal Data” are against the legislation of the Republic of Kazakhstan or are invalid, this case does not affect the remaining provisions of “Regulation on the Collection, Processing and Protection of the Personal Data” in any way, their validity is preserved, and any invalid provision or any provision, which may not be applied by the Parties without making any other action, shall be deemed to be amended and corrected to the extent required to ensure the validity and enforceability.