The present internal regulations on the procedure for processing and storing personal data (hereinafter referred to as the “Regulations”) of Isatay Operating Company Limited Liability Partnership (hereinafter referred to as the “Partnership”) have been developed in accordance with the Constitution of the Republic of Kazakhstan Labour Code of RK dated November 23, 2015 No. 114-V LRK, the Law of RK dated May 21, 2013 No. 94-V “On personal data and their protection”, the internal labour regulations of the Partnership and in accordance with other internal documents of the Partnership.
The protection of personal data of an employee is regulated by the Law of the Republic of Kazakhstan “On personal data and their protection”, as well as the Labour Code of the Republic of Kazakhstan:
- Subparagraph 24 of paragraph 1 of Article 22 of the Labour Code of the Republic of Kazakhstan: “an employee has the right to demand protection of personal data stored by an employer”
- Subparagraph 24 of paragraph 2 of Article 23 of the Labour Code of the Republic of Kazakhstan: “an employer shall collect, process and protect personal data”.
The purpose of this document:
• Ensure privacy, inviolability of personal and family secrets as guaranteed by Article 18 of the Constitution of the Republic of Kazakhstan
• Ensure safe storage of all personal data of the Partnership’s employees
• Determine the procedure for transferring (distributing) personal data of the Partnership’s employees to third parties.
These Regulations establish the rights and obligations of the Partnership, the Partnership’s employees, as well as the procedure for transfer (distribution), storage and protection of personal data.
The document is intended for use by employees of the Partnership responsible for collecting, processing and storing personal data in the Partnership’s subdivisions.
Senior management |
General Director and Deputy General Director of the Partnership, or persons authorized by them. |
Employees of the Partnership |
Individuals who entered into employer-employee relationship with the Partnership pursuant to the terms and conditions of the labour agreement, including persons seconded to the Partnership based on the secondment agreements concluded between the Partnership and Contracting Organizations. |
Line manager |
Immediate supervisor according to the approved structure of the Partnership. |
Head of structural unit |
Head of a department, a subdivision included in the Partnership’s organizational structure with the established functions, tasks and responsibilities in accordance with internal documents. |
Human Resources Department |
A relevant subdivision responsible for personnel issues, and in its absence, HR Manager. |
Officials of the Partnership |
Members of the Board, General Meeting of Participants and Operating Committee of the Partnership. |
Interested persons |
Individuals and legal entities entering into legal relations with the Partnership. |
LC |
Labour Code. |
LA |
Labour Agreement. |
Personal data |
Information relating to an identified or identifiable subject of personal data, recorded on electronic, paper and (or) other tangible type of media. |
Publicly available personal data |
Personal data with free access upon the subject’s consent, or upon which the confidentiality requirements do not apply in accordance with the legislation of the Republic of Kazakhstan. |
Subject of personal data |
Within the framework of this document, the subject is the employee (the individual to whom the personal data belong). |
Transborder transfer of personal data |
Transfer of personal data to the territory of foreign countries. |
Collection of personal data |
Actions aimed at obtaining personal data. |
Processing of personal data |
Actions aimed at the accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction of personal data. |
Storage of personal data |
Actions to ensure the integrity, confidentiality and availability of personal data. |
Upon beginning work and within the period of work activity, each employee of the Partnership provides the Human Resources Department with a significant amount of documents containing an information about themselves and about their family members, as well as about their financial situation and social status. The Partnership’s officials receiving this information are not entitled to disclose it without the Partnership’s employee’s consent to any third parties, except for the cases stipulated by legislative acts.
The data provided by the Partnership’s employee at the conclusion of labour agreement, or collected by the employer in the course of the employee’s work, including information about terminating the labour agreement, medical records, are considered personal data of the employee and their family members, and their protection against loss and unauthorized transfer to third parties shall be ensured by the Partnership through its authorized officials.
Collection and processing of personal data belonging to employees are performed by the Partnership upon the occurrence, continuation and termination of labour relations.
The personal data based on their availability shall be divided into generally available and limited access. The assignment of information contained in the personal data list either to generally available or limited access is performed by the Partnership in accordance with the Legislation of the Republic of Kazakhstan.
The list of personal data is determined only for the purposes directly related to the implementation of functions, powers, duties and tasks of the Partnership, unless otherwise provided by the Law of the Republic of Kazakhstan “On personal data and their protection”.
In determining the list of personal data that is necessary and sufficient to perform the tasks, the Partnership is guided by the following principles for the collection, processing and protection of personal data:
· Compliance with the constitutional rights and freedoms of man and citizen
· Legality
· Confidentiality of personal data of limited access
· Equal rights of subjects, owners and operators
· Ensuring the safety of the individual, society and the state.
The list of personal data of an employee, determined and approved by the Board of the Partnership, is presented in Appendix 1 “Consent to the collection and processing of personal data” with justification of their necessity or on the basis of relevant documents confirming their accuracy.
Amendments and additions made to the list of personal data are valid from the moment they are put into effect and do not apply to relationships that arose before they have been put into effect.
Personal data included by the Partnership in the list of personal data are used only for the previously stated purposes of their collection.
The collection and processing of personal data are performed by the Partnership upon the consent of the employee or their legal representative, unless otherwise provided by the Law of the Republic of Kazakhstan “On personal data and their protection”.
The employee or their legal representative grants (withdraws) their consent to the collection, processing of personal data in writing. The Human Resources Department of the Partnership collects and stores the consents to the collection and processing of personal data in personal files of employees.
The Partnership’s employee or their legal representative cannot withdraw consent to the collection and processing of personal data in cases contrary to the laws of the Republic of Kazakhstan or in the presence of an unfulfilled obligation.
If an employee provides misleading documents or information when concluding a LA or transferring to another job, and if authentic documents or information could be grounds for refusing to conclude a LA or transfer to another job, the labour agreement may be terminated on the initiative of the employer (subparagraph 17 of paragraph of Article 52 of the Labour Code of the Republic of Kazakhstan).
Personal data are mainly collected by Human Resources Department of the Partnership, and their processing and storage are performed by both – the Human Resources Department and other structural units of the Partnership. Relevant officials of the Partnership are personally liable in accordance with the legislation of the Republic of Kazakhstan for failure to ensure security of the employees’ personal data, as well as for their unauthorized use.
The collection and processing of personal data are performed only on condition of ensuring their protection.
Protection of personal data is performed by applying a set of measures such as legal, organizational and technical measures, with the aim to:
· Exercise the rights to privacy, personal and family secrets
· Ensure their integrity and security
· Ensure their confidentiality
· Exercise the right to access them
· Prevent their unlawful collection and processing.
The Partnership takes the necessary measures to protect personal data by ensuring:
Prevention of unauthorized access to personal data.
Timely detection of an unauthorized access to personal data unless such unauthorized access has been prevented.
Minimization of adverse effects of unauthorized access to personal data.
The Partnership’s obligations to protect personal data arise from the moment of collecting the personal data and are valid until their destruction or depersonalization.
In accordance with the Law of the Republic of Kazakhstan “On personal data and their protection”, the Partnership acting as the owner and (or) operator, has the right to collect and process personal data in the manner prescribed by the Law and other regulatory legal acts of the Republic of Kazakhstan.
According to the labour legislation of the Republic of Kazakhstan, the employer (Partnership) shall:
- Require the documents necessary for the conclusion of a labour agreement, in accordance with Article 32 of the Labour Code of the Republic of Kazakhstan, upon entry into employment.
- Ensure the maintenance of registers or other documents determined by the employer, which indicate the surname, name, patronymic (if it is indicated in the identity document) and date of birth of employees.
- Perform collection, processing and protection of personal data of an employee in accordance with the legislation of the Republic of Kazakhstan “On personal data and their protection”.
Performing its obligation to collect and process personal data of employees in the manner prescribed by the legislation of the Republic of Kazakhstan “On personal data and their protection”, the Partnership also shall:
· Approve the list of personal data, necessary and sufficient to perform the tasks being implemented, unless otherwise provided by the laws of the Republic of Kazakhstan.
· Take and comply with the necessary measures including legal, organizational and technical measures, to protect personal data in accordance with the laws of the Republic of Kazakhstan.
· Comply with the legislation of the Republic of Kazakhstan “On personal data and their protection”.
· Take measures to destroy personal data in case of achieving the goal of their collection and processing, as well as in other cases established by the Law of the Republic of Kazakhstan “On personal data and their protection” and other regulatory legal acts of the Republic of Kazakhstan.
· Provide evidence of the employee’s consent to the collection and processing of their personal data in cases provided for by the legislation of the Republic of Kazakhstan.
· Provide information relating to an employee within three working days from the date of receiving permission of the employee or their legal representative, unless different time limits are stipulated by the laws of the Republic of Kazakhstan.
· In case of refusal to provide information to the employee or their legal representative submit a reasoned response within a period not exceeding three working days from the date of receiving the request, unless other time limits are established.
Within one working day:
· Modify and (or) supplement personal data on the basis of relevant documents confirming their accuracy, or destroy personal data if it is impossible to change and (or) supplement them.
· Block personal data related to an employee in case there is evidence of violating the conditions for their collection, processing.
· Destroy personal data in case there is evidence of their collection and processing in violation of the law of the Republic of Kazakhstan and in other cases established by the Law of the Republic of Kazakhstan “On personal data and their protection” and other regulatory legal acts of the Republic of Kazakhstan.
· Remove the blocking of personal data in case the fact of violating the conditions for their collection and processing has not been confirmed.
Employee’s rights to protect their personal data
According to the labour legislation of the Republic of Kazakhstan, an employee has the right to demand the protection of personal data held by the employer (Partnership), as well as other rights in accordance with the law of the Republic of Kazakhstan “On personal data and their protection”:
Be aware that the employer and a third party hold their personal data, and to receive information which includes: proof of the collection and processing of personal data; list of personal data; time limits for processing personal data; including periods of their storage.
Require the employer to modify and supplement their personal data if there are grounds confirmed by relevant documents.
Require the employer as well as a third party, to block their personal data in the event there is evidence of violating the conditions for collecting and processing personal data.
Require the employer as well as a third party to destroy their personal data in case there is evidence of their collection and processing in violation of the law of the Republic of Kazakhstan and in other cases established by the Law of the Republic of Kazakhstan “On personal data and their protection” and other regulatory legal acts of the Republic of Kazakhstan.
Withdraw consent to the collection and processing of personal data, except as required by the Law of the Republic of Kazakhstan “On personal data and their protection” and these Regulations.
Give their consent (refuse) to the employer to distribute their personal data in publicly available sources of personal data.
Protect their rights and legitimate interests, including compensation for moral and material harm;
Exercise other rights stipulated by the Law of the Republic of Kazakhstan “On personal data and their protection” and other laws of the Republic of Kazakhstan.
Obligations of the Partnership’s employee
To provide their personal data, as well as to give their consent to their collection and processing in cases established by the laws of the Republic of Kazakhstan.
In case of amendments in personal data, report this to the Human Resources Department of the Partnership within 10 calendar days.
Throughout the validity term of the labour agreement, familiarize themselves with all the changes made to these Regulations.
The procedure for storage of an employee’s personal data in the Partnership is established in compliance with the requirements defined by the legislation of the Republic of Kazakhstan.
When concluding a labour agreement, an authorized employee of the Partnership’s Human Resources Department familiarizes an employee, against their acknowledgement, with these Regulations which establishes the procedure for storing an employee’s personal data.
Personal data are stored both on paper and in electronic form in the Isatay Operating One Drive database which is accessible to the staff of the Human Resources Department and the Partnership’s Management.
The period for retaining personal data is determined by the date of achieving the goals of their collection and processing, unless otherwise provided by law.
A request (application) of an employee or their legal representative to grant access to their personal data is submitted to the Partnership’s Human Resources Department in writing or otherwise with the use of protective actions that do not contradict the legislation of the Republic of Kazakhstan.
The Partnership as well as third parties, who gain access to personal data of limited access, ensure their confidentiality by complying with the requirements preventing their distribution without the consent of an employee or their legal representative or the existence of a legal basis.
The persons who become aware of personal data of limited access due to professional or business need as well as labour relations, shall ensure their confidentiality.
The following persons have the right to access to an employee’s personal data:
· Management of the Partnership represented by the General Director and Deputy General Director including directors and structural unit supervisors (access to personal data of employees of their structural units and to the extent necessary to fulfil their official duties only).
· Employees of the Human Resources Department who are directly involved in the processing, storage and transmission of personal data.
· Employees of the Department for Finance and Control.
Access to personal data is limited and, specifically, is provided only to the data and to the extent necessary for the performance of official duties.
Upon an employee’s consent, their personal data may be transferred to third parties including the transborder transfer of personal data.
According to the Law of the Republic of Kazakhstan “On personal data and their protection”, there are cases when the collection and processing of personal data of a subject are performed without their consent. Therefore, in the event of such situations, the Partnership may provide access to an employee’s personal data to the following third parties:
· Law enforcement agencies and courts, enforcement proceedings authorities.
· State bodies for statistical purposes subject to their depersonalization.
· State bodies which regulate, control and supervise the financial market and financial organizations in accordance with the legislation of the Republic of Kazakhstan.
· Other persons and agencies in the cases established by the Law of the Republic of Kazakhstan “On personal data and their protection” and other laws of the Republic of Kazakhstan.
Persons guilty of violating the rules governing the collection, processing, storage and transfer of personal data are subject to disciplinary, administrative and criminal liability in accordance with the current legislation of the Republic of Kazakhstan and other regulatory legal acts.