Ed. of 12.01.2024.
Policy on personal data processing
1. Basic concepts
1.1 Operator – Limited Liability Partnership “Intellectual Business Solutions”, BIN 090940004239, located at the address: 060000, Republic of Kazakhstan, 56A Smagulova str., office 2H.
1.2 The Policy is this document drawn up by the Operator in accordance with the requirements of cl. 1-1 part 2 of Article 25, paragraph 1-1 of Article 25 of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On Personal Data and their Protection” (hereinafter – “94-V”) in order to determine the procedure of Personal Data Processing and measures to ensure the security of Personal Data of Personal Data Subjects, including Users.
1.3 Personal Data – any information relating directly or indirectly to a specific or identifiable natural person.
1.4 Processing of Personal Data – any action (operation) or set of actions (operations) performed with or without the use of automation means with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of Personal Data.
1.5. Provision of Personal Data – actions aimed at disclosure of Personal Data to a certain person or a certain circle of persons.
1.6 Dissemination of Personal Data – actions aimed at disclosure of Personal Data to an indefinite number of persons.
1.7. Personal Data Subject – a natural person who possesses, directly or indirectly, Personal Data identifying him/her.
1.8. User – a Subject of Personal Data who is a visitor of the Website.
1.9 Website – a set of graphic and informational materials, as well as computer programs and databases, ensuring their availability in the information and telecommunication network “Internet” at the address https://www.riseqr.kz/, intended for the Operator’s business activities.
1.10. Blocking of Personal Data – temporary termination of Processing of Personal Data (except for cases when Processing is necessary for clarification of Personal Data).
1.11. Personal Data de-identification – actions, as a result of which it is impossible to determine without using additional information whether Personal Data belong to a particular User or other Personal Data Subject.
1.12. Destruction of Personal Data – any actions, as a result of which Personal Data is irretrievably destroyed with the impossibility of further recovery of the Personal Data content.
1.13. Cross-border transfer of Personal Data – transfer of Personal Data to the territory of a foreign country to a foreign government authority, a foreign natural person or a foreign legal entity.
2. General provisions
2.1 The purpose of the Policy is to define the procedure of Personal Data Processing and measures to ensure the security of Personal Data of Personal Data Subjects, including Users.
2.2 The Operator sets as its most important goal and condition of its activity the observance of human and civil rights and freedoms in the course of Personal Data processing, including the protection of the rights to privacy, personal and family secrecy.
2.3 When organizing the Processing of Personal Data, the Operator shall be guided by the following principles:
2.3.1 Personal Data shall be processed on a lawful and fair basis.
2.3.2 The processing of Personal Data is limited to the achievement of specific, predetermined and legitimate purposes.
2.3.3 Only Personal Data that is relevant for the purposes of Processing shall be processed.
2.3.4 The content and scope of the Personal Data processed corresponds to the stated purposes of the Processing.
2.3.5 When Processing Personal Data, the accuracy, sufficiency and relevance of Personal Data in relation to the purposes of Personal Data Processing is ensured.
2.3.6 The Personal Data shall be stored in a form that allows identification of the Personal Data Subject for no longer than required for the purposes of Personal Data Processing, unless the period of storage of Personal Data is set by 94-V, an agreement to which the Personal Data Subject is a party, beneficiary or guarantor, or the consent of the Personal Data Subject.
2.3.7. Processed Personal Data shall be subject to Destruction or De-identification when the purposes of Processing have been achieved or when it is no longer necessary to achieve these purposes.
2.4 The Operator shall ensure that the content and scope of the Personal Data processed corresponds to the stated purposes of Processing and, if necessary, shall take measures to eliminate their redundancy in relation to the stated purposes of Processing.
2.5 The Operator does not process special categories of Personal Data concerning racial or national origin, political views, religious or philosophical beliefs, or intimate life.
3. Categories of Personal Data Subjects. Purposes of Personal Data Processing. Personal data processed by the Operator
3.1 The Operator shall process Personal Data of the following categories of Personal Data Subjects:
3.1.1 Candidates for vacant positions;
3.1.2. Employees of the Operator;
3.1.3 Operator’s counterparties;
3.1.4. Users of the Operator’s website https://www.riseqr.kz/ (hereinafter – “User”, “Site”), if the data provided by them are sufficient for direct or indirect identification of the Personal Data Subject.
3.2 For each category of Personal Data Subjects, the purposes of Processing of their Personal Data are defined:
3.2.1 The processing of Personal Data of candidates for vacant positions is performed for the purpose of selecting suitable candidates, conducting interviews, making a decision on the possibility of employment.
3.2.2 The Personal Data of candidates for vacant positions to be processed includes:
– Last Name;
– Name;
– Father’s name;
– Data on work experience (information on previous jobs, positions held, duties performed, period of employment);
– The data provided in the applicant’s resume;
– Date of Birth;
– Job Title;
– Phone Number;
– Email;
– Salary Expectations.
3.2.3 The Personal Data of the Operator’s employees shall be processed for the following purposes:
– Ensuring compliance with the requirements of labor, pension, insurance legislation and other requirements of the current legislation of the Republic of Kazakhstan in connection with the emergence, change and termination of labor relations, including control over the quality and quantity of work performed, accounting of working hours, ensuring the safety of property, compliance with the permit regime in the premises of the Operator;
– Maintaining unified personnel records of the Operator’s employees, including payroll calculation and payroll;
– Maintaining the Operator’s accounting records, including execution of necessary primary documents (organization of business trips, internal events of the Operator);
– Ensuring compliance with the Operator’s internal policies and procedures;
– Participation in corporate events;
– Providing customer and technical support to Users.
3.2.3.1 The Personal Data of the Operator’s employees being processed includes:
– Last Name;
– Name;
– Father’s name;
– Address of Record;
– Citizenship;
– Military ID card details;
– Data of the identity document (series, No., by whom and when issued, division code);
– Date of termination of the employment contract (dismissal);
– Date of Birth;
– Taxpayer Identification Number (TIN);
– Information about additional education;
– Information on professional development (date of beginning and end of training, type of professional development, name of educational institution, series, No., date of issue of education document);
– Place of birth;
– Job Title;
– Period of employment;
– Sex;
– Information on education (names of educational institutions graduated, faculty, specialty, year of graduation);
– Information on professional retraining (date of the beginning and end of training, specialty (direction, profession), series, number, date of issue of the document);
– Marital Status;
– Average monthly salary;
– The amount of cash accrued.
3.2.4 Processing of Personal Data of the Operator’s counterparties is performed for the purpose of interaction with them on issues related to the fulfillment of the assumed obligations, direct fulfillment of the assumed obligations, sending letters on the existence of debt and other legally significant messages, making mailings by e-mail, for which the counterparty’s consent is obtained, exchange of information necessary for the fulfillment of obligations.
3.2.4.1 The Personal Data of counterparties-individuals processed includes:
– Last Name;
– Name;
– Father’s name;
– Date of Birth;
– Data of the identity document (series, No., by whom and when issued);
– Taxpayer Identification Number (TIN);
– Bank Account Number;
– Phone Number;
– Amount of accrued funds;
– Email;
– Messengers used, means of communication.
3.2.5 Processing of Users’ Personal Data is performed for the following purposes:
– Improvement of the Site, registration on the Site.
– Conclusion and execution of a license agreement in respect of computer programs owned by the Operator, including acceptance of the offer posted on the Website.
– Participation in improvement of computer programs owned by the Operator and services provided by the Operator.
– Establishing feedback with the Operator and receiving effective customer technical support, information about computer programs, the procedure and terms of their use, the Operator’s services using the feedback form on the Website, as well as by e-mail, telephone and messengers.
– Making payments in favor of the Operator and persons using computer programs owned by the Operator in their business activities (restaurants, cafes, other catering establishments, etc.).
– Informing about promotions, news and special offers of the Operator, participation in surveys and promotions of the Operator, providing targeted advertising.
– Use of the Site and computer programs owned by the Operator.
– Order placement and payment using the Operator’s service https://www.riseqr.kz.
3.2.5.1 The Personal Data of Users processed includes:
– The IP address of the device;
– Device data (type, model, name, ID);
– Operating system data (type, version);
– Browser data (name, version);
– User Location;
– Clicking on elements of the web pages of the site;
– Source of site entry;
– Information about viewed web pages, filling in input fields (except for information directly entered into these fields);
– Information about banner and video views;
– Data characterizing audience segments;
– Session parameters, visit time data;
– User identifiers stored in cookies using Internet statistics services (including Yandex.Metrica, Google Analytics, Facebook Pixel);
– Phone Number;
– Electronic mail (e-mail) address;
– Last name, first name, middle name;
– Delivery address specified when placing an order using the service https://www.riseqr.kz/;
– Basket (order) composition in the service https://www.riseqr.kz/ and comments to the order.
3.6 The Site collects and processes anonymized data about Users (including cookies) using Internet statistics services (including Yandex.Metrica, Google Analytics, Facebook Pixel).
4. Rights and obligations of the Personal Data Subject
4.1 The Personal Data Subject has the right:
– decide whether to provide their Personal Data and consent to their Processing freely, of their own free will and in their own interest;
– withdraw its consent to the Processing of Personal Data;
– obtain information from the Operator regarding the Processing of his/her Personal Data;
– demand from the Operator to clarify his/her Personal Data, block or destroy it if it is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purposes of Processing, as well as to take measures provided for by law to protect his/her rights;
– request to restrict the Processing of his/her Personal Data for the purposes of marketing activities;
– object to a decision made solely on the basis of automated Processing of Personal Data;
– appeal the actions or inaction of the Operator to the authorized body for protection of the rights of Personal Data subjects or in court, if he/she believes that the Operator processes his/her Personal Data in violation of the requirements of 94-V or otherwise violates his/her rights and freedoms.
4.2 The Personal Data Subject shall:
– provide accurate information about himself/herself and submit documents containing Personal Data, the composition of which is established by the legislation of the Republic of Kazakhstan to the extent necessary for the purpose of Processing;
– notify the Operator about clarification (update, change) of his/her Personal Data.
4.3 The Operator shall:
– not disclose to third parties and not distribute Personal Data without the consent of the Personal Data Subject, unless otherwise provided for by the legislation of the Republic of Kazakhstan;
– provide free of charge, in an accessible form, without the content of Personal Data of third parties, unless there are legitimate grounds for disclosure of such Personal Data, to the Personal Data Subject or his/her representative the opportunity to familiarize himself/herself with the Personal Data, subject to the restrictions set forth in 94-V;
– immediately cease Processing of Personal Data at the request of the Personal Data Subject;
– explain to the Personal Data Subject the legal consequences of refusal to provide Personal Data, if the provision of Personal Data is mandatory under the laws of the Republic of Kazakhstan;
– explain to the Personal Data Subject the procedure for making a decision on the basis of solely automated Processing of his/her Personal Data and the possible legal consequences of such a decision, provide an opportunity to object to such a decision;
– if the Personal Data is not received from the Personal Data Subject, except as provided in 94-V, provide the following information to the Personal Data Subject prior to the commencement of Processing of such Personal Data:
– name and address of the Operator;
– the purpose of the Processing of Personal Data and its legal basis;
– intended users of Personal Data;
– the rights of the Personal Data Subject;
– the source of obtaining Personal Data;
– ensure recording, systematization, accumulation, storage, clarification (update, change), retrieval of Personal Data of citizens of the Republic of Kazakhstan using databases located in the territory of the Republic of Kazakhstan, except for cases specified in 94-V;
– take measures to ensure that the duties under 94-V are fulfilled;
– take necessary legal, organizational and technical measures to protect Personal Data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, dissemination of Personal Data, as well as from other unlawful actions in relation to Personal Data;
– provide the authorized body for the protection of the rights of Personal Data subjects, upon request of this body, with the necessary information within thirty days from the date of receipt of such request;
– process requests of Personal Data Subjects in accordance with the procedure set forth in clause 5.4 of the Policy;
– eliminate violations of the law committed during the Processing of Personal Data, clarify, block and destroy Personal Data.
4.4 The Operator shall have the right:
– in case the Personal Data Subject revokes his/her consent to Processing of Personal Data, to continue Processing of Personal Data without the consent of the Personal Data Subject in the presence of legal grounds established by the legislation of the Republic of Kazakhstan;
– to receive Personal Data from a person who is not the Subject of Personal Data, provided that he/she provides confirmation of the existence of legal grounds established by the legislation of the Republic of Kazakhstan.
5. Procedure and conditions of Personal Data Processing
Processing of Personal Data by the Operator is carried out both with and without the use of automation tools. The set of Processing operations includes collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), blocking, deletion, destruction of Personal Data.
5.1 Storage of Personal Data
5.1.1 Personal Data shall be stored on both electronic and paper carriers of Personal Data.
5.1.2 Storage of Personal Data in the Partnership’s structural subdivisions, whose employees have access to the Personal Data of the Personal Data subjects in connection with the performance of labor duties, is carried out in a manner that excludes access to them by third parties.
5.1.3 Third-party cloud solutions may be used to store Personal Data, subject to mandatory compliance with the conditions of confidentiality of Personal Data and security during their Processing set forth in the contract with the contractor.
5.1.4 When storing Personal Data, physical security measures are applied. Paper documents are stored in folders in securely locked safes/locked cabinets in the Partnership premises, electronic media are stored in specially designated rooms, access to which is granted to employees in accordance with their job duties. Access to Personal Data in the Personal Data information systems is protected by a built-in authentication system and role-based access model.
5.1.5 An employee or a person rendering services to the Operator under a civil law contract who has access to Personal Data of Personal Data subjects in connection with performance of labor duties/provision of services under the contract shall ensure storage of Personal Data excluding access to them by third parties.
6. Conditions for transfer of Personal Data
6.1 The Partnership shall have the right to transfer Personal Data without the consent of the Personal Data subjects to the Tax Service of the Ministry of Finance, the Unified Accumulative Pension Fund and the Social Medical Insurance Fund upon a reasoned request of these bodies and in other cases established by the legislation of the Republic of Kazakhstan.
6.2 The Partnership shall have the right to entrust the Processing of Personal Data subject to third parties with the consent of the Personal Data subject (when such consent is necessary in accordance with the requirements of the legislation of the Republic of Kazakhstan and on the basis of the agreement concluded with such persons).
6.3 Personal data of the employees shall be transferred to the following third parties in the Partnership:
– Bank(s) for the purpose of bank card processing, payroll;
– To contractors in order to organize corporate events;
– Insurance company in order to join the corporate voluntary medical insurance program;
– Training centers for the purpose of organizing training and professional development.
6.4 Persons processing Personal Data in accordance with the contract concluded with the Operator undertake to comply with the principles and rules of Personal Data processing and protection stipulated in 94-V.
6.5 In case of trans-border transfer of Personal Data to countries that do not ensure protection of the rights of Personal Data Subjects, except for cases provided for by the legislation of the Republic of Kazakhstan, trans-border transfer is carried out on the basis of a separate consent in writing.
7. Personal Data protection measures taken by the Operator
7.1 The Operator shall take necessary and sufficient organizational and technical measures to protect Personal Data of Personal Data Subjects from unlawful or accidental access to them, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions.
7.2 Measures to ensure security of Personal Data applied by the Operator:
– appointment of a person responsible for organizing the Processing of Personal Data;
– appointment of a person responsible for ensuring the security of Personal Data in the Personal Data information system;
– determining the list of employees who have access to Personal Data;
– development and approval of organizational and administrative documents defining the procedure of Personal Data Processing;
– organizing the procedure for destruction of Personal Data upon expiry of the term of their Processing;
– conducting internal audits of compliance with the requirements for ensuring the security of Personal Data;
– raising the level of employees’ awareness of the requirements to ensure the security of Personal Data;
– providing anti-virus protection of information systems of Personal Data;
– software updates on a regular basis;
– network infrastructure protection (access differentiation, firewalling);
– providing fault tolerance and backup;
– determining the rules of access to Personal Data processed in the information systems of Personal Data.
8. Conditions of Personal Data Processing
8.1 The security of Personal Data processed by the Operator shall be ensured by implementing legal, organizational and technical measures, including those specified in Article 7 of the Policy, necessary to protect Personal Data from unauthorized, accidental or unlawful destruction, loss, alteration, unfair use, disclosure or access, as well as other unlawful forms of Processing in accordance with the requirements of the current legislation of the Republic of Kazakhstan in the field of Personal Data protection.
8.2 The Operator shall ensure safety of Personal Data and take all possible measures to exclude access to Personal Data by unauthorized persons. Access to Personal Data shall be granted only to those employees of the Operator who need it to fulfill their tasks. In order to protect and ensure data confidentiality, all employees must comply with internal rules and procedures regarding the Processing of Personal Data. They must also follow all technical and organizational security measures in place to protect Personal Data.
8.3 The Personal Data of the Personal Data Subject will never, under any circumstances, be transferred to third parties, except in cases related to the execution of the applicable laws of the Republic of Kazakhstan, as well as in the event that the Personal Data Subject has consented to the transfer of Personal Data to third parties.
8.4 If any inaccuracies are detected in the Personal Data, the User may update them independently by sending a notification to the Operator’s e-mail address support@rise.rest with the note “Personal Data Update”.
8.5 Unless otherwise provided by the Policy, the period of Personal Data Processing is unlimited. The User may withdraw his/her consent to the Processing of Personal Data at any time by sending a notice to the Operator’s e-mail address support@rise.rest marked “Withdrawal of consent to the Processing of Personal Data”.
8.6 The Operator shall record, systematize, accumulate, store, clarify (update, change), retrieve, distribute Personal Data using databases located in the territory of the Republic of Kazakhstan.
9. Final provisions
9.1 All relations between the Personal Data Subject and the Operator concerning the Processing of Personal Data not reflected in the Policy shall be regulated in accordance with the laws of the Republic of Kazakhstan.
9.2 The Personal Data Subject may obtain any clarifications on the issues of interest regarding the Processing of his/her Personal Data by contacting the Operator via e-mail support@rise.rest with the note “Clarifications regarding the Processing of Personal Data” or by sending a letter to the address specified in clause 1.1 of the Policy.
9.3 The Operator has the right to unilaterally amend the Policy. The new version of the Policy comes into effect from the moment of its posting on the Website, unless otherwise provided by the new version of the Policy. The current version of the Policy is available on the Website at: https://www.riseqr.kz/docs/privacy-policy.pdf.