PERSONAL DATA PROCESSING POLICY

1. GENERAL PROVISIONS

1.1. This Policy on the processing of personal data (hereinafter the Policy) has been prepared in accordance with the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-VZRK “About Personal Data and Their Protection” and applies to all personal data that the limited liability company “ECSA .ME Electronic service center of the applicant” (hereinafter the Operator) can receive from the subjects of personal data.

1.2. The Policy applies to personal data obtained both before and after the approval of this Policy.


2. PURPOSE AND PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. Personal data is understood as any information that relates directly or indirectly to a specific or designated physical person.

2.2. The purpose of collecting, processing, storing and other actions with personal data of employees, contractors, performers, customers or third parties (hereinafter referred to as personal data subjects) is the fulfillment of obligations by the Operator under an agreement with them.

2.3. When processing the personal data of the subjects, the following principles are implemented:

• observance of the legality of receiving, processing, storing, as well as other actions with personal data;

• personal data processing solely for the purpose of fulfilling obligations under a Contract, as well as for the purpose of fulfilling the duties of the Operator as an Electronic Service Center For Applicants;

• collecting only those personal data that are minimally necessary to achieve the stated processing goals;

• implementation of measures to ensure the security of personal data during their processing and storage;

• respect for the rights of the personal data subject to access his personal data.  


3. CONTENT AND METHODS OF PERSONAL DATA PROCESSING

3.1. The main purpose of processing information containing personal data is the implementation by the Operator of its core activity in accordance with the Charter.

3.2. The following list of personal data processing is defined:

3.2.1. The Operator processes the following categories of personal data in connection with its activity as an Electronic Center for Serving Students:

• Full name;

• Education;

• Information on labor and general experience;

• Passport details;

• Information on military registration;

• Tax status (resident/non-resident);

• Specialty;

• Position held;

• Residence address;

• Phone;

• Cases containing materials for professional development and retraining of employees, and their certification;

• E-mail address;

• other information specified by the applicant.

3.2.2. For the purposes of implementing the statutory (commercial) activity, the Operator processes the following categories of personal data of customers, contractors, performers, counterparties, foreign citizens and stateless persons:

• Full name;

• Education;

• Passport details;

• TIN;

• Tax status (resident/non-resident);

• Citizenship;

• Document details on vocational education, vocational retraining, advanced training, probation, document details confirming special knowledge;

• Information about the assignment of graduate degree, academic title, lists of scientific works and inventions;

• Foreign language skills;

• Income information;

• Place of work;

• Specialty;

• Position;

• Information on labor and general experience;

• Residence address;

• Phone;

• E-mail address;

• other information specified by the applicant.


4. PURPOSE OF THE ACQUISITION AND PROCESSING OF PERSONAL DATA

4.1. The Operator processes personal data for the following purposes:


• carrying out activities stipulated by the Charter of the Operator and current legislation of the Republic of Kazakhstan;


• provision of services to citizens, foreign citizens and stateless persons in admission to educational organizations of the Republic of Kazakhstan, the Russian Federation, and the near and far abroad countries;


• conclusion, execution and termination of civil contracts with physical and legal persons, individual entrepreneurs and other persons, in cases stipulated by the current legislation and the Charter of the Operator;


• organization of client accounting for the Operator, ensuring compliance with laws and other regulatory legal acts, concluding and fulfilling obligations under civil law contracts, training, in particular an accounting in system “About Personal Data”, as well as the Charter and local acts of the Operator.


4.2. The Operator can use the personal data of counterparties, citizens, foreign citizens and stateless persons with the consent of the personal data subject for the following purposes:


• to communicate with clients and counterparties where necessary, including sending notifications, information and requests related to the provision of services, as well as processing applications, requests and applications from customers and counterparties;


• exchanging (receiving, transmitting, processing) information to assist citizens, foreign citizens and stateless persons in entering educational organizations of the Republic of Kazakhstan, the Russian Federation, and the near and far abroad countries, including with:


• Ministry of Education and Science of the Republic of Kazakhstan; Educational Organizations, which were chosen by the Candidate when making an application for the provision of services by the Operator;


• Government bodies upon their request, including migration authorities and ministries (consulates) of foreign affairs of the Republic of Kazakhstan, the Russian Federation, and the near and far abroad countries (in order to issue a visa invitation for the applicant to receive a student visa);


• if the Candidate orders the accompanying insurance policy service, the insurance company chosen by the Candidate, which prepares a medical policy for voluntary medical insurance;


• to improve the quality of services provided by the Operator;


• to promote services on the market through direct contacts with clients and counterparties;


• for statistical and other studies based on anonymous personal data.

 

5. PERSONAL DATA TRANSFER

5.1. The Operator does not provide or disclose information containing personal data of employees, contractors, performers, counterparties, foreign citizens and stateless persons to third parties without the written consent of the subject of personal data, except when necessary to prevent threats to life and health, and also in cases established by the laws of the Republic of Kazakhstan.


5.2. Upon a motivated request, solely for the fulfillment of the functions and powers entrusted by the legislation, personal data of the personal data subject can be transferred without his consent:


• to the judiciary in connection with the administration of justice;


• to state security agencies;


• to prosecution authorities;


• to police;


• to the investigating authorities;


• to other bodies and organizations in cases established by regulatory legal acts mandatory for the Operator.


5.3. The Operator's employees who process personal data do not answer questions related to the transfer of personal data over the phone.


6. RIGHTS AND OBLIGATIONS


6.1. Rights and obligations of the Operator


6.1.1. The company, as an Operator of personal data, is entitled to:


• protect its own interests in court;


• provide personal data of subjects to third parties, if required by current legislation (tax, law enforcement, etc.);


• refuse to provide personal data in cases stipulated by the legislation of the Republic of Kazakhstan;


• use the personal data of the subject without his consent, in cases stipulated by the legislation of the Republic of Kazakhstan.


6.1.2. The Operator of personal data is obliged to take necessary and sufficient measures to ensure the fulfillment of the obligations stipulated by the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-VZRK “About Personal Data and Their Protection” and the regulatory legal acts adopted in accordance with it.


6.2. Rights of the Personal Data Subject


6.2.1. The Personal Data Subject has the right to:


• require clarification of his own personal data, its blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated goals of processing, as well as take measures provided by law to protect his rights;


• require a list of his own personal data processed by the Operator and the source of its receipt;


• receive information on the processing time of his own personal data, including the storage period;


• demand notification of all persons to whom incorrect or incomplete personal data about him was previously reported, and of all exceptions, corrections or additions made to it;


• appeal to the authorized body for the protection of the rights of personal data subjects or to a court against wrongful actions or omissions in the processing of his personal data;


• protect his rights and legitimate interests, including compensation for damages and (or) compensation for moral damage in court.



7. MEASURES TO ENSURE THE PROTECTION OF PERSONAL DATA

7.1. The Operator is not entitled to process the personal details of the personal data subject without his written consent, with the exception of the cases specified in Art. 9 of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-VZRK “About Personal Data and Their Protection”.  Written consent may be compiled separately or be embedded in the structure of another document signed by the personal data subject.


7.2. The Operator implements the necessary organizational and technical measures to protect personal data. The measures taken are based on the requirements of Articles 21 and 22 of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-VZRK “About Personal Data and Their Protection”, and other regulatory acts in the field of personal data, including:


1) persons responsible for organizing the processing and ensuring the security of personal data are appointed;

2) the control of compliance with the requirements of this Policy is carried out by the person responsible for organizing the processing and ensuring the security of the personal data of the Operator;

3) the responsibility of Operator’s officials with access to personal data for failure to comply with the requirements of the rules regulating the processing and protection of personal data is determined in accordance with the legislation of the Republic of Kazakhstan and the internal documents of the Operator;

4) persons conducting the personal data processing are instructed in and familiarized with the regulatory legal acts regulating the operating procedures and protection of personal data;

5) the rights of access to the personal data being processed are delimited;

6) separate storage is ensured for personal data (material carriers) that is processed for different purposes;

7) in order to exercise internal control over the compliance of the personal data processing with the established requirements, periodic checks of the personal data processing environment are conducted;

8) in addition to the above measures, technical measures are being taken for:

• prevention of unauthorized access to systems in which personal data is stored;

• backup and recovery of personal data, operability of hardware and software, information security tools in personal data information systems modified or destroyed due to unauthorized access to them;

• other necessary security measures.


8. REVISING THE POLICY PROVISIONS

8.1. This Policy is an internal document of the Operator, publicly available and subject to posting on the Operator's official website www.ecsa.me.


8.2. This Policy is subject to change and addition in the case of the adoption of new legislation and special regulations on the processing and protection of personal data.


8.3. Supervision of the implementation of the requirements of this Policy is carried out by the person responsible for organizing the personal data processing of the Operator.