Personally Identifiable Information Protection Policy

1. General Provisions

1.1. This personal identifiable information protection policy (hereinafter the “Policy”) of WE Partners LLP (hereinafter the “Company”) has been developed in accordance with Law No. 94-V of the Republic of Kazakhstan “Regarding Personally Identifiable Information and Protection Thereof” dated 21 May 2013 (hereinafter the “Law”) to comply with applicable Kazakhstan legislation and shall establish the procedure of collection, processing and protection by the Company of personally identifiable information.

1.2. The Company may process personally identifiable information only in order to comply with Kazakhstan regulations.

1.3. This Policy shall determine the rights and obligations of subjects of personally identifiable information and the Company regarding consenting (consent revocation) to collection and processing of personally identifiable information as well as the procedure of interaction of the subject of personally identifiable information and the Company regarding collection, recording, storage, protection and destruction of personally identifiable information.

1.4 In this Policy below listed main terms shall be defined as follows:

1.4.1. “biometric data” shall mean personally identifiable information reflecting physiological and biological peculiarities of the subject of personally identifiable information permitting identification thereof;

1.4.2. “personally identifiable information” shall mean the data related to defined or definable subject of personally identifiable information recorded on electronic, paper and (or) other physical media;

1.4.3. “blocking personally identifiable information” shall mean temporary termination of collection, accumulation, change, addition, use, distribution, anonymization and destruction of personally identifiable information;

1.4.4. “accumulation of personally identifiable information” shall mean the actions aimed at systematization of personally identifiable information by entrance thereof into the data base containing personal identifiable information;

1.4.5. “collection of personally identifiable information” shall mean activities aimed at obtaining personally identifiable information;

1.4.6. “destruction of personally identifiable information” shall mean activities resulting in impossibility to recover personally identifiable information;

1.4.7. “anonymization of personally identifiable information” shall mean the actions resulting in impossibility to identify the subject of personally identifiable information;

1.4.8. “data base containing personally identifiable information” shall mean personally identifiable information arranged in a certain way;

1.4.9. “owner of the data base containing personally identifiable information” shall mean a state body, an individual and(or) a legal entity having title to the data base containing personally identifiable information in compliance with Kazakhstan legislation;

1.4.10. “operator of the data base containing personally identifiable information” shall mean a state body, an individual and(or) legal entity collecting, processing and protecting personally identifiable information;

1.4.11. “protection of personally identifiable information” shall mean a complex of measures, including legal, organizational and technical, taken in order to achieve the goals set out herein;

1.4.12. “protection of personally identifiable information” shall mean actions targeted at accumulation, storage, change, addition, use, distribution, anonymization, blocking and destruction of personally identifiable information;

1.4.13. “use of personally identifiable information” shall mean any actions with personally identifiable information targeted at the achievement of the Company’s and a third party’s goals;

1.4.14. “storage of personally identifiable information” shall mean actions ensuring integrity, confidentiality and accessibility of personally identifiable information;

1.4.15. “distribution of personally identifiable information” shall mean the actions resulting in transfer of personally identifiable information including using mass media or otherwise giving access thereto;

1.4.16. “subject of personally identifiable information” shall mean an individual owning personally identifiable information being:

  • the Company’s employee, a seeker of a job in the Company, Company’s former employee;
  • user of the Company’s services;
  • a worker or a job seeker in a legal entity (individual entrepreneur) consuming the Company’s services (an employee or a prospective employee of the Company’s counterparty);
  • an employee of a legal entity (an individual entrepreneur) consuming the Company’s services (an employee of the Company’s counterparty) under the relevant request;
  • any individual, whose personally identifiable information became available to the Company as the result of provision of any social benefits, guarantees and compensations by the Company;

1.4.17. “third party” shall mean a person not being a subject, owner and(or) operator of personally identifiable information but related to any such person(s) by any circumstances or legal relations involving collection, processing and protection of personally identifiable information.

2. Composition of Personally Identifiable Information

2.1. The following data shall be deemed personally identifiable information:

2.1.1. data necessary for due identification (surname, name, patronymic), citizenship; details of the identifying document (ID or passport); individual identification number; date and information regarding birth; sex, signature; portrait image, biometric data, etc.);

2.1.2. information necessary to maintain communication (place of registration, actual residence or stay), place of employment and title; telephone number (business, mobile), e-mail);

2.1.3. information regarding education, qualification and special knowledge or training; academic degree; scientific degree; knowledge of foreign languages; information regarding advanced training and retraining, etc.;

2.1.4. information regarding professional experience (including place of employment, titles, employment duties, accomplishments);

2.1.5. data related to marital status: marriage; children and their age; surnames, names, patronymics and dates of birth of family members, dependent persons;

2.1.6. information related to the Company’s services under an agreement with the subject of the personally identifiable information, i.e., texts of the agreements (contracts), supplemental agreements thereto, statements and consents, communications, constitutive documents, etc.;

2.1.7. information regarding the goal and the nature of business relations;

2.1.8. information on income, property status, record of conviction (if any), bringing to criminal and(or) administrative liability, etc., information on membership in organizations and other communities, information regarding awards, patents, publications and any other personal information;

2.1.9. information regarding changes and(or) supplements to the data described above.

2.2. The following documents shall be deemed containing personally identifiable information:

2.2.1. ID, passport or any other identifying document containing individual identification number;

2.2.2. other documents containing information intended to be used for the purposes specified in this Policy under Kazakhstan legislation.

3. Collection, Processing and Storage of Personally Identifiable Information (“PII”)

3.1. Collection of personally identifiable information of a subject shall be effected by way of obtaining the documents containing personally identifiable information and data base generation containing personally identifiable information. The Company shall collect and process personally identifiable information upon consent of the subject of personally identifiable information or legal representative thereof. The Company may collect personally identifiable information as follows:

3.1.1. receipt of comprehensive personally identifiable information of the subject and processing thereof (automated processing inclusive) as well as the information regarding means of communication (telephone numbers, e-mail addresses, etc.);

3.1.2. copying original identity documents;

3.1.3. entrance of information into the paper and electronic profile of the subject of personally identifiable information;

3.1.4. receipt of necessary originals under Kazakhstan legislation containing information to be used by the Company in connection with the Company’s operations under its Charter;

3.1.5. receipt of personally identifiable information to update and amend incorrect, outdated, untrue, incomplete personally identifiable information as well as the data processed in breach of Kazakhstan legislation.

3.2. Processing of personally identifiable information shall include obtaining, storage, combining, transfer or any other use of personally identifiable information in the scope provided for in the consent of the subject thereof.

3.3. When processing personally identifiable information for the purpose of protection thereof and securing human and civil rights and freedoms and when determining the scope and contents of processed personally identifiable information the Company shall comply with Kazakhstan Constitution and regulations.

3.4. The Company shall process personally identifiable information only for the following purposes:

3.4.1. compliance by the Company with Kazakhstan legislation;

3.4.2. confidentiality of personally identifiable information, limited access;

3.4.3. equality of rights of the subject of personally identifiable information and the Company;

3.4.4. ensuring safety of persons, society and state.

3.5. The subject of personally identifiable information and(or) his/her legal representative shall be entitled to review the Company’s documents establishing the procedure of processing personally identifiable information.

3.6. Storage of personally identifiable information:

3.6.1. personally identifiable information shall be stored in paper and(or) electronic form;

3.6.2. access to personally identifiable information shall be restricted to persons specified in Clause 4.1 hereof.

4. Access to Personally Identifiable Information

4.1. Company’s officers and employees using personally identifiable information for work-related purposes and Company’s shareholders and audit firm shall have internal access to personally identifiable information.

4.2. External access of third party organizations and(or) individuals. Any personally identifiable information shall be disclosed to any third party organizations and(or) third parties upon a written consent of the subject of personally identifiable information and a written request signed by the CEO of the third party organization or a third party individual who requested such information provided that the Company’s CEO signed such a request to approved of the data provision.

4.3. The Company shall be entitled to give access to personally identifiable information to the authorized state bodies in accordance with the procedure and in compliance with applicable Kazakhstan legislation.

5. Protection of Personally Identifiable Information

5.1. When transferring personally identifiable information under Section 4 hereof the Company shall notify the users of personally identifiable information regarding liability for breach of Kazakhstan legislation related to protection of personally identifiable information.

5.2. The Company shall protect personally identifiable information as follows:

5.2.1. Personally identifiable information of clients shall be stored in metallic cabinets in compliance with applicable Kazakhstan legislation;

5.2.2. Access of employees and third parties to personally identifiable information shall be restricted;

5.2.3. The Company shall comply with the legislation regarding protection of personally identifiable information.

5.3. The Company shall protect personally identifiable information against unlawful use or loss thereof at the Company’s cost and expense in accordance with the procedure established in Kazakhstan legislation.

5.4. The Company’s responsible function shall organize and ensure signing by the subject of personally identifiable information of a written consent to collection, processing and storage of personally identifiable information in the form of Annex 1 hereto if the subject of personally identifiable information personally addresses the Company or in electronic form of Annex 2 hereto if the subject of personally identifiable information uses the Company’s site (www.wepartners.kz).

6. Liability for Disclosure of Confidential Information Related to Personally Identifiable Information

6.1. If the Company or any other persons having access to personally identifiable information breach the provisions governing obtaining, processing, storage, transfer or protection of personally identifiable information, it(they) shall bear disciplinary, administrative, civil or criminal liability under applicable Kazakhstan legislation.

7. Rights and Obligations of the Subject of Personally Identifiable Information

7.1. Subject of personally identifiable information shall be entitled to:

7.1.1. know that the Company and any third party has his/her personally identifiable information as well as to obtain the data containing

  • a confirmation of the fact, purposes, sources, collection methods and processing of personally identifiable information;
  • list of personally identifiable information;
  • terms of the personally identifiable information processing including storage thereof;

7.1.2. demand that the Company changes and supplements his/her personally identifiable information confirmed by relevant documents;

7.1.3. demand that the Company and a third party blocks his/her personally identifiable information if he/she learns about the breach of the requirements related to collection and processing of personally identifiable information;

7.1.4. demand that the Company and a third party destroys his/her personally identifiable information collected and processed in breach of Kazakhstan legislation as well as in other cases established in Kazakhstan regulations;

7.1.5. consent to (refuse) distribution by the Company of his/her personally identifiable information in public sources of personally identifiable information;

7.1.6. revoke his/her consent to collect, process personally identifiable information except for the cases described in Clause 7.3 hereof;

7.1.7. protect his/her rights and lawful interests including compensation of pecuniary and non-pecuniary damages;

7.1.8. exercise other rights provided in the Law and other Kazakhstan regulations.

7.2. Subject of personally identifiable information shall be obliged to provide its personally identifiable information in cases established in Kazakhstan regulations.

7.3. Subject of personally identifiable information may not revoke its consent to collection and processing of personally identifiable information if it breaches Kazakhstan legislation or in case of an outstanding obligation.

8. Company’s Rights and Obligations

8.1. The Company shall be entitled to collect and process personally identifiable information in the procedure established in Kazakhstan regulations.

8.2. The Company shall be obliged to:

8.2.1. approve of the list of personally identifiable information necessary and sufficient to complete its objectives unless otherwise established in Kazakhstan legislation;

8.2.2. take and comply with necessary measures including legal, organizational and technical to protect personally identifiable information in compliance with Kazakhstan legislation;

8.2.3. comply with Kazakhstan legislation regarding protection of personally identifiable information;

8.2.4. take measures to destroy personally identifiable information upon the achievement of the goal of collection and processing thereof and in other cases established in Kazakhstan regulations;

8.2.5. provide the evidence of the receipt of the consent of the subject of personally identifiable information to collection and processing his/her personally identifiable information in cases specified in Kazakhstan legislation;

8.2.6. disclose information related to the subject to personally identifiable information within three business days following the receipt of request from client unless other deadline is established in Kazakhstan regulations;

8.2.7. provide a grounded refusal within three business days following the receipt of the relevant request unless Kazakhstan regulations set out any other term if the Company refuses to provide the data on the subject of personally identifiable information;

8.2.8. within one business day:

  • change and(or) amend personally identifiable information on the basis of relevant documents confirming accuracy thereof or destroy personally identifiable information if it is impossible to change and(or) supplement thereof;
  • block personally identifiable information related to the subject of personally identifiable information if it learns about the breach of the terms and conditions of collection and processing thereof;
  • destroy personally identifiable information upon confirmation of the fact of collection and processing thereof in breach of Kazakhstan legislation as well as in any other circumstances established in the Law and other Kazakhstan regulations;
  • cancel the block of personally identifiable information upon confirmation of the fact of breach of the terms and conditions of collection and processing of personally identifiable information.

9. Final Provisions

The matters not provided for in this Policy shall be governed by applicable legislation of the Republic of Kazakhstan. The Company’s Director shall approve of any amendments and supplements to this Policy.

If any provisions of this Policy become to conflict with applicable Kazakhstan legislation upon amendments thereto, then such provisions of this Policy shall become nil and void and applicable Kazakhstan legislation shall govern the matters regulated by such invalid provisions until revision thereof.

Company’s officers and other employees of the Company’s divisions shall apply Kazakhstan legislation and other Company’s internal regulations to any matters not provided for herein.

This Policy shall be revised and updated as and when needed

All Annexes hereto shall constitute integral parts of this Policy and shall be mandatory and used in the course of the Company’s operations.