Personal data protection policy

1. General provisions

This personal data processing policy shall be drawn up in accordance with the requirements of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On Personal Data and Their Protection” (hereinafter referred to as the Law on Personal Data) and determine the procedure for processing personal data and measures to ensure the security of personal data undertaken by Lapp Kazakhstan LLP (hereinafter referred to as the Operator).

In all other matters that is not provided for in the Policy, the Operator shall be guided by the legislation of the Republic of Kazakhstan, including, but not limited to the Law on Personal Data.

1.1. The operator sets as its most important goal and condition for carrying out its activities the observance of the rights and freedoms of a person and citizen when processing his/her personal data, including the protection of the rights to privacy, personal and family secrets.

1.2. This Operator’s policy regarding the processing of personal data (hereinafter referred to as the Policy) shall apply to all information that the Operator can obtain about the website visitors https://lappkazakhstan.lappgroup.com/.

2. Basic concepts used in the Policy

2.1. Automated processing of personal data – processing of personal data using computer devices.

2.2. Blocking of personal data – actions to temporarily stop the collection, accumulation, modification, addition, use, distribution, depersonalization and destruction of personal data.

2.3. Website is a series of graphic and information materials, as well as computer programs and databases ensuring their availability on the Internet at the network address https://lappkazakhstan.lappgroup.com/.

2.4. Personal data information system is a set of personal data contained in databases and information technologies and technical means that ensure their processing.

2.5. Depersonalization of personal data – actions as a result of which it is impossible to determine the ownership of personal data by the personal data subject.

2.6. Processing of personal data – actions aimed at accumulating, storing, changing, supplementing, using, depersonalizing, blocking and destroying personal data.

2.7. Personal data – information relating to a specific subject of personal data or determined on their basis (User of the website flexicore.kz/), recorded on electronic, paper and (or) other material media.

2.8. Personal data authorized by the personal data subject for distribution – personal data, access to an unlimited number of persons to which it is provided by the subject of personal data by giving consent to the processing of personal data authorized by the personal data subject for distribution in the manner prescribed by the Law on Personal Data (hereinafter – personal data, authorized for distribution).

2.9. User – any visitor to the website lappkazakhstan.lappgroup.com.

2.10. Providing personal data – actions aimed at disclosing personal data to a certain person or a certain number of persons.

2.11. Distribution of personal data – actions that result in the transfer of personal data, including through the media or providing access to personal data in any other way.

2.12. Cross-border transfer of personal data is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual or a foreign legal entity.

2.13. Destruction of personal data – actions as a result of which it is impossible to restore personal data.

3. Basic rights and obligations of the Operator

3.1. The Operator shall have the right:

— to receive from the personal data subject reliable information and/or documents containing personal data;

— in the event that the personal data subject withdraws consent to the processing of personal data, as well as sends a request to stop processing personal data, the Operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified in the Law on Personal Data;

— to independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the obligations provided for by the Law on Personal Data and regulations adopted in accordance with it, unless otherwise provided by the Law on Personal Data or other federal laws.

3.2. The Operator shall be obliged:

• to approve a list of personal data necessary and sufficient to perform the tasks it performs;
• to provide the subject of personal data, at his request, with information regarding the processing of his personal data;
• to organize the processing of personal data in the manner established by the current legislation of the Republic of Kazakhstan;
• to respond to requests and inquiries from of the personal data subjects and their legal representatives in accordance with the requirements of the Law on Personal Data, in case of refusal to provide information to the subject or his/her legal representative, submit a reasoned refusal within the time limits provided for by the legislation of the Republic of Kazakhstan;
• to report to the authorized body for the protection of the rights of personal data subjects, at the request of this body, the necessary information within 10 days from the date of receipt of such a request, unless a different period is provided for by the legislation of the Republic of Kazakhstan;
• to publish or otherwise provide unrestricted access to this Policy regarding the processing of personal data;
• to take legal, organizational and technical measures to protect personal data from unauthorized, unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data;
• to stop transfer (distribution, provision, access) of personal data, to stop processing and destroy personal data in the manner and in cases provided for by the Law on Personal Data;
• to ensure the adoption of measures aimed at timely detection of facts of unauthorized access to personal data, if such unauthorized access could not be prevented;
• to ensure that measures are taken to minimize the adverse consequences of unauthorized access to personal data;
• to ensure the provision of access to the state technical service to information objects that use, store, process and distribute restricted personal data contained in electronic information resources, to carry out a survey of ensuring the security of the processes of storage, processing and distribution of restricted personal data contained in electronic information resources in the manner determined by the authorized body;
• to ensure registration and recording of actions provided for in subparagraphs 3), 4), 5) and 6) of paragraph 4 of Article 8 of the Law on Personal Data;
• to perform other obligations provided for by the Personal Data Law.

4. Basic rights and obligations of personal data subjects

4.1. Personal data subjects shall have the right:

— to know that the Operator has his/her personal data, as well as receive information regarding the processing of his/her personal data (including confirmation of the fact, purpose, sources, methods of collection and processing of personal data, their list, processing and storage periods), except for cases provided for federal laws. The information is provided to the personal data subject by the Operator in an accessible form, and it should not contain personal data relating to other personal data subjects, except in cases where there are legal grounds for the disclosure of such personal data. The list of information and the procedure for obtaining it shall be established by the Law on Personal Data;

— to require the Operator to change and supplement your personal data if there are grounds supported by relevant documents;

— to put forward the condition of prior consent when processing personal data in order to promote goods, works and services on the market;

— to withdraw consent to the processing of personal data, as well as to send a request to stop processing personal data or destroy it;

— to appeal to the authorized body for the protection of the rights of personal data subjects or in court the unlawful actions or inaction of the Operator when processing his/her personal data;

— to exercise other rights provided for by the legislation of the Republic of Kazakhstan.

4.2. Personal data subjects shall be obliged to:

— to provide the Operator with reliable information about yourself;

— to inform the Operator about clarification (updating, changing) of your personal data.

4.3. Persons who provided the Operator with false information about themselves or information about another personal data subject without the latter’s consent shall be liable in accordance with the legislation of the Republic of Kazakhstan.

5. Principles for processing personal data

5.1. The processing of personal data shall be carried out on a legal and fair basis.

5.2. The processing of personal data shall be limited to the achievement of specific, pre-defined and legitimate purposes. Processing of personal data that is incompatible with the purposes of collecting personal data shall not be permitted.

5.3. It is not allowed to combine databases containing personal data, the processing of which is carried out for purposes that are incompatible with each other.

5.4. Only personal data that meets the purposes of their processing shall be subject to processing.

5.5. The content and amount of personal data processed shall correspond to the stated purposes of processing. Redundancy of the processed personal data in relation to the stated purposes of their processing shall not be allowed.

5.6. When processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing personal data shall be ensured. The operator shall take the necessary measures and/or ensure that they are taken to delete or clarify incomplete or inaccurate data.

5.7. The storage of personal data shall be carried out in a form that makes it possible to identify the personal data subject, no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law or an agreement to which the subject of personal data is a party, beneficiary or guarantor. The processed personal data shall be destroyed or anonymized upon achievement of the processing goals or in the event of the loss of the need to achieve these goals, unless otherwise provided by federal law.

5.8. The collection, processing and protection of personal data shall be carried out on the basis of the principles of compliance with the constitutional rights and freedoms of people and citizens, confidentiality of personal data of limited access, equality of rights of subjects, owners and operators, ensuring the safety of individuals, society and the state.

6. Purposes of processing personal data

7. Personal data processing conditions

7.1. The processing of personal data shall be carried out with the consent of the personal data subject to the processing of his/her personal data or on legal basis.

7.2. The processing of personal data shall be necessary to achieve the goals provided for by an international treaty of the Republic of Kazakhstan or the law, to implement the functions, powers and responsibilities assigned by the legislation of the Republic of Kazakhstan to the Operator.

7.3. The processing of personal data is necessary for the administration of justice, the execution of a judicial act, an act of another body or official, subject to execution in accordance with the legislation of the Republic of Kazakhstan on enforcement proceedings.

7.4. The processing of personal data shall be necessary for the execution of an agreement to which the subject of personal data is a party or beneficiary or guarantor, as well as for concluding an agreement on the initiative of the personal data subject or an agreement under which the personal data subject will be a beneficiary or guarantor.

7.5. The processing of personal data shall be necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated.

7.6. The processing of personal data shall be carried out, access to an unlimited number of persons shall be provided by the personal data subject or at his/her request (hereinafter referred to as publicly available personal data).

7.7. The processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the Republic of Kazakhstan shall be carried out.

8. Procedure for collecting, storing, transferring and other types of processing of personal data

The security of personal data processed by the Operator shall be ensured by implementing legal, organizational and technical measures necessary to fully comply with the requirements of current legislation in the field of personal data protection.

8.1. The operator shall ensure the safety of personal data and take all possible measures to prevent access to personal data by unauthorized persons.

8.2. The User’s personal data will never, under any circumstances, be transferred to third parties, except in cases related to the implementation of current legislation or in the event that the personal data subject gives consent to the Operator to transfer data to a third party to fulfill obligations under a civil law contract.

8.3. In case of revealing inaccuracies in the personal data, the User can update them on his/her own by sending a notification to the Operator to email address Natalia.Chilikina@lapp.com with the note “Updating personal data”.

8.4. The period for processing personal data shall be determined by the achievement of the purposes for which the personal data were collected, unless a different period is provided for by the contract or current legislation.

The User may at any time withdraw his/her consent to the processing of personal data by sending a notification to the Operator via email to the Operator’s email address Natalia.Chilikina@lapp.com with the note “Withdrawal of consent to the processing of personal data”.

8.5. All information that is collected by third-party services, including payment systems, means of communication and other service providers, shall be stored and processed by these persons (operators) in accordance with their user agreement and privacy policy. Subject of personal data and/or with specified documents. The operator is not responsible for the actions of third parties, including the service providers specified in this paragraph.

8.6. Prohibitions established by the personal data subject on the transfer (except for providing access), as well as on processing or conditions for processing (except for gaining access) of personal data permitted for distribution, shall not apply in cases of processing personal data in state, public and other public interests determined by law Republic of Kazakhstan.

8.7. When processing personal data, the operator shall ensure the confidentiality of personal data.

8.8. The operator shall store personal data in a form that makes it possible to identify the personal data subject for no longer than required by the purposes of processing personal data, unless the period for storing personal data is established by federal law, an agreement to which the personal data subject is a party, beneficiary or guarantor.

8.9. The condition for terminating the processing of personal data may be the achievement of the purposes of processing personal data, the expiration of the consent of the personal data subject, the withdrawal of consent by the personal data subject or a requirement to cease the processing of personal data, as well as the identification of unlawful processing of personal data.

8.10. When the User uses the Website, cookie data may be stored on the User’s device – small text files that allow further identification of the User or device, remember the work session, analyze the User’s activity, save the User’s settings and preferences (the purposes of processing cookies by the Operator).

The User is informed about the Operator’s use of the following Cookies.

List of cookies

A cookie is a small piece of data (text file) that a website sends to your browser when you visit to be stored on your device, allowing it to remember information about you, such as your language or account login information. These cookies are set by us and are called first-party cookies. We also use third-party cookies, which are set on the domain of a website different than the website you are visiting, to support our advertising and marketing activities. Specifically, we use cookies and other tracking technologies for the following purposes:

 “Strictly Necessary” cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually activated in response to your actions similar to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the website may not function.

The User's acceptance of the terms of the Agreement means that the User agrees to the processing of these cookies in accordance with the terms and purposes provided for in this paragraph of the Policy.

8.11. Google Tag Manager
We use Google Tag Manager (Google Tag Manager) on our website. Google Tag Manager is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (Google). With Google Tag Manager, we can integrate various codes and services into our website in an orderly and simplified way. Google Tag Manager implements tags or "runs" embedded tags. When the tag is triggered, Google may collect information (including personal data) and process it. It is possible that Google will also transfer the information to a server in a third country.

In particular, Google Tag Manager processes the following personal data:

online identifiers (including cookie identifiers)
IP address
The legal basis for using Google Tag Manager is art. 6 (1) (a) GDPR, provided that you have consented to its use using the cookie consent tool or cookie settings. More information about Google Tag Manager can be found on the websites www.google.de/tagmanager/use-policy.html and in the section www.google.com/intl/de/policies/privacy/index.html the section "Data that we receive as a result of your use of our services". In addition, we have entered into an agreement with Google to process orders for the use of Google Tag Manager in accordance with Article 28 of the General Data Protection Regulation. Google processes the data on our behalf in order to activate the saved tags and display the services on our website. Google may share this information with third parties if required by law or if third parties process this data on behalf of Google. By integrating Google Tag Manager, we aim to simplify and understand the integration of various services. In addition, the integration of Google Tag Manager optimizes the loading time of various services.

Information about the transfer to a third country can be found below in section 10. Cross-border transfer of personal data.

9. List of actions performed by the Operator with the received personal data

9.1. The Operator collects, records, systematizes, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (provides, access), depersonalizes, blocks, deletes and destroys personal data.

9.2. The Operator performs automated processing of personal data with or without receiving and/or transmitting the received information via information and telecommunication networks.

10. Cross-border transfer of personal data

10.1. Prior to the start of cross-border transfer of personal data, the Operator is obliged to notify the authorized body for the protection of the rights of personal data subjects of its intention to carry out cross-border transfer of personal data (such notification is sent separately from the notification of the intention to process personal data).

10.2. Before submitting the above notification, the Operator is obliged to receive relevant information from the authorities of a foreign state, foreign individuals, and foreign legal entities to whom the cross-border transfer of personal data is planned.

10.3. Processing of personal data in the form of cross-border transfer of personal data, except for the cases provided for in Article 16 of the Law on Personal Data, dissemination of personal data in publicly available sources, as well as their transfer to third parties, is subject to the consent of the personal data subject.

10.4. Cross-border transfer of personal data to the territory of foreign states is carried out only if these states ensure the protection of personal data.

11. Confidentiality of personal data

The operator and other persons who have gained access to personal data are obliged not to disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by federal law.

12. Final provisions

12.1. The Operator appoints the following person responsible for organizing the processing of personal data:

Natalia Chilikina

Natalia.Chilikina@lapp.com

12.2.The User can receive any clarifications on issues of interest related to the processing of his personal data by contacting To the operator for the help of the Natalia email.Chilikina@lapp.com.

12.3. This document will reflect any changes to the Operator's personal data processing policy. The policy is valid indefinitely until it is replaced by a new version.

12.4. The current version of the Policy is freely available on the Internet at lappkazakhstan.lappgroup.com/politika-po-zashchite-personalnykh-dannykh.html