This Regulation on the Protection of Personal Data (hereinafter referred to as the Regulation) of the Joint Stock Company "Freedom Finance Insurance Company" (hereinafter referred to as the Company/Operator) developed in order to comply with the legislation of the Republic of Kazakhstan and establishes the procedure for collecting, processing and protecting personal data of the Company's clients.
The processing of personal data in the Company may be carried out only for the purpose of ensuring compliance with laws or other legal acts of the authorized body (hereinafter – the National Bank of the Republic of Kazakhstan).
The Regulation defines the rights and obligations of clients and the Company regarding the submission (withdrawal) of consent to the collection, processing of personal data, as well as the procedure for interaction between the client and the Company regarding the collection, documentation, storage, protection and destruction of personal data of clients.
The main terms and definitions used in this Regulation are:
biometric data – personal data that characterize the physiological and biological characteristics of the client's personal data, on the basis of which it is possible to establish his identity;
personal data – information related to a specific or determined on their basis client personal data recorded on electronic, paper and (or) other material media;
blocking of personal data – actions to temporarily stop the collection, accumulation, modification, addition, use, dissemination, depersonalization and destruction of personal data;
accumulation of personal data – actions to systematize personal data by entering them into a database containing personal data;
collection of personal data – actions aimed at obtaining personal data;
destruction of personal data – actions as a result of which it is impossible to restore personal data;
depersonalization of personal data – actions, as a result of which it is impossible to determine the identity of personal data to the client;
a database containing personal data is a set of ordered personal data;
the owner of a database containing personal data is a state body, an individual and (or) a legal entity exercising, in accordance with the laws of the Republic of Kazakhstan, the right of ownership of a database containing personal data;
the operator of the database containing personal data is a state body, an individual and (or) a legal entity that collects, processes and protects personal data;
personal data protection is a set of measures, including legal, organizational and technical, carried out for the purposes established by this Regulation;
processing of personal data – actions aimed at accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction of personal data;
use of personal data – actions with personal data aimed at the realization of the objectives of the Company and a third party;
personal data storage – actions to ensure the integrity, confidentiality and availability of personal data;
dissemination of personal data – actions that result in the transfer of personal data, including through the media or the provision of access to personal data in any other way;
the subject of personal data is the Client of the Company to which the personal data relate;
third party – a person who is not a subject, owner and (or) operator, but is connected with them (him) by circumstances or legal relations for the collection, processing and protection of personal data.
2. The composition of the Client's personal data
The Client's personal data consists of:
information about the facts, events and circumstances of the Client's private life, allowing to identify him, with the exception of information subject to dissemination in the mass media in cases established by the laws of the Republic of Kazakhstan;
Documents containing personal data are:
identity card or other identity document, IIN;
other documents that, in accordance with the legislative acts of the Republic of Kazakhstan, contain information intended for use for the purposes provided for by this Regulation.
3. Collection, processing and storage of personal data of Clients
The collection of the Client's personal data is carried out by obtaining documents containing the Client's personal data and forming a database containing the Company's Client's personal data. The collection and processing of the Client's personal data is carried out by the Company with the consent of the subject or his legal representative. The Company is allowed to collect personal data of Clients by:
obtaining complete information about the Client's personal data and processing this data (including automated), as well as information about the means of communication with the client (telephone numbers, email addresses, etc.);
copying of original identity documents;
entering information into the Client's dossier on paper and electronic media;
obtaining the originals of the necessary documents, which are provided for by the legislative acts of the Republic of Kazakhstan, containing information intended for use by the Company in connection with the implementation of activities provided for by the Charter of the Company;
obtaining personal data for updating or correcting incorrect, outdated, unreliable, incomplete personal data, as well as data processed in violation of the legislation of the Republic of Kazakhstan.
The processing of Clients' personal data includes the receipt, storage, combination, transfer or any other use of personal data to the extent and to the extent provided for in the Client's consent.
When processing the Client's personal data in order to protect them and ensure human and civil rights and freedoms, as well as when determining the scope and content of the Client's personal data being processed, the provisions of the Constitution of the Republic of Kazakhstan and legislative acts of the Republic of Kazakhstan must be strictly taken into account.
The processing of personal data of the Company's Client is carried out solely for the purposes of:
compliance by the Company with the legislation of the Republic of Kazakhstan;
confidentiality of personal data, restricted access;
equality of rights of Clients and Society;
ensuring the security of the individual, society and the state.
The client of the Company and (or) his legal representative has the right to get acquainted with the Company's documents establishing the procedure for processing personal data.
Storage of personal data:
the data of each Client of the Company is contained on paper and (or) electronic media;
access to personal data of Clients is limited to the circle of persons defined in paragraph 13 of this Regulation.
4. Access to personal data of Clients
The Company's officials, employees of the Company who directly use them for official purposes, shareholders of the Company, the audit company that performs the audit of the Company have internal access to the personal data of Clients.
External access to third-party organizations and (or) third parties: the communication of information about personal data of Clients to third-party organizations and (or) third parties is permitted if there is a written consent of the Client and a written request signed by the head of the third-party organization or a third person who requested such information, on which there is a visa of the first head of the Company.
The Company has the right to provide access to the authorized state bodies to the personal data of Clients in accordance with the procedure and in accordance with the requirements of the current legislation of the Republic of Kazakhstan.
5. Protection of personal data of Clients
When transferring personal data of Clients in compliance with the conditions provided for in Section 4 of this Regulation, the Company is obliged to warn users of personal data of Clients about responsibility for violation of the legislation of the Republic of Kazakhstan on personal data and their protection.
Protection of personal data of Clients in the Company is provided as follows:
personal data of Clients are stored in metal cabinets, in accordance with the requirements of the current legislation of the Republic of Kazakhstan;
restricted access of employees and third parties to personal data of Customers;
compliance with the requirements of the legislation on personal data and their protection in the Company.
Protection of Clients' personal data from their misuse or loss is provided at the expense of the Company's funds in accordance with the procedure established by the legislation of the Republic of Kazakhstan.
The responsible division of the Company ensures that the Company's Clients sign their written consent to the collection, processing and storage of personal data in the form provided in Annex 1 to this Regulation.
6. Responsibility for disclosure of confidential information related to personal data of Clients
In case of violation by the Company or other persons having access to personal data of Clients of the norms governing the receipt, processing, storage, transfer and protection of personal data of Clients, they bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Republic of Kazakhstan.
7. Final provisions
Issues not regulated by this Regulation are regulated in accordance with the current legislation of the Republic of Kazakhstan, all amendments or additions to this Regulation are approved by the Management Board of the Company.
If, when changing the legislation of the Republic of Kazakhstan, certain provisions of this Regulation come into conflict with the current legislation of the Republic of Kazakhstan, these provisions of the Regulation become invalid and until changes are made to this Regulation, it is necessary to be guided by the current legislation of the Republic of Kazakhstan.
In everything else that is not provided for by the Regulations, officials and other employees of the Company's structural divisions are guided by the norms of the legislation of the Republic of Kazakhstan and other internal documents of the Company.
The processing of personal data in the Company may be carried out only for the purpose of ensuring compliance with laws or other legal acts of the authorized body (hereinafter – the National Bank of the Republic of Kazakhstan).
The Regulation defines the rights and obligations of clients and the Company regarding the submission (withdrawal) of consent to the collection, processing of personal data, as well as the procedure for interaction between the client and the Company regarding the collection, documentation, storage, protection and destruction of personal data of clients.
The main terms and definitions used in this Regulation are:
biometric data – personal data that characterize the physiological and biological characteristics of the client's personal data, on the basis of which it is possible to establish his identity;
personal data – information related to a specific or determined on their basis client personal data recorded on electronic, paper and (or) other material media;
blocking of personal data – actions to temporarily stop the collection, accumulation, modification, addition, use, dissemination, depersonalization and destruction of personal data;
accumulation of personal data – actions to systematize personal data by entering them into a database containing personal data;
collection of personal data – actions aimed at obtaining personal data;
destruction of personal data – actions as a result of which it is impossible to restore personal data;
depersonalization of personal data – actions, as a result of which it is impossible to determine the identity of personal data to the client;
a database containing personal data is a set of ordered personal data;
the owner of a database containing personal data is a state body, an individual and (or) a legal entity exercising, in accordance with the laws of the Republic of Kazakhstan, the right of ownership of a database containing personal data;
the operator of the database containing personal data is a state body, an individual and (or) a legal entity that collects, processes and protects personal data;
personal data protection is a set of measures, including legal, organizational and technical, carried out for the purposes established by this Regulation;
processing of personal data – actions aimed at accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction of personal data;
use of personal data – actions with personal data aimed at the realization of the objectives of the Company and a third party;
personal data storage – actions to ensure the integrity, confidentiality and availability of personal data;
dissemination of personal data – actions that result in the transfer of personal data, including through the media or the provision of access to personal data in any other way;
the subject of personal data is the Client of the Company to which the personal data relate;
third party – a person who is not a subject, owner and (or) operator, but is connected with them (him) by circumstances or legal relations for the collection, processing and protection of personal data.
2. The composition of the Client's personal data
The Client's personal data consists of:
information about the facts, events and circumstances of the Client's private life, allowing to identify him, with the exception of information subject to dissemination in the mass media in cases established by the laws of the Republic of Kazakhstan;
Documents containing personal data are:
identity card or other identity document, IIN;
other documents that, in accordance with the legislative acts of the Republic of Kazakhstan, contain information intended for use for the purposes provided for by this Regulation.
3. Collection, processing and storage of personal data of Clients
The collection of the Client's personal data is carried out by obtaining documents containing the Client's personal data and forming a database containing the Company's Client's personal data. The collection and processing of the Client's personal data is carried out by the Company with the consent of the subject or his legal representative. The Company is allowed to collect personal data of Clients by:
obtaining complete information about the Client's personal data and processing this data (including automated), as well as information about the means of communication with the client (telephone numbers, email addresses, etc.);
copying of original identity documents;
entering information into the Client's dossier on paper and electronic media;
obtaining the originals of the necessary documents, which are provided for by the legislative acts of the Republic of Kazakhstan, containing information intended for use by the Company in connection with the implementation of activities provided for by the Charter of the Company;
obtaining personal data for updating or correcting incorrect, outdated, unreliable, incomplete personal data, as well as data processed in violation of the legislation of the Republic of Kazakhstan.
The processing of Clients' personal data includes the receipt, storage, combination, transfer or any other use of personal data to the extent and to the extent provided for in the Client's consent.
When processing the Client's personal data in order to protect them and ensure human and civil rights and freedoms, as well as when determining the scope and content of the Client's personal data being processed, the provisions of the Constitution of the Republic of Kazakhstan and legislative acts of the Republic of Kazakhstan must be strictly taken into account.
The processing of personal data of the Company's Client is carried out solely for the purposes of:
compliance by the Company with the legislation of the Republic of Kazakhstan;
confidentiality of personal data, restricted access;
equality of rights of Clients and Society;
ensuring the security of the individual, society and the state.
The client of the Company and (or) his legal representative has the right to get acquainted with the Company's documents establishing the procedure for processing personal data.
Storage of personal data:
the data of each Client of the Company is contained on paper and (or) electronic media;
access to personal data of Clients is limited to the circle of persons defined in paragraph 13 of this Regulation.
4. Access to personal data of Clients
The Company's officials, employees of the Company who directly use them for official purposes, shareholders of the Company, the audit company that performs the audit of the Company have internal access to the personal data of Clients.
External access to third-party organizations and (or) third parties: the communication of information about personal data of Clients to third-party organizations and (or) third parties is permitted if there is a written consent of the Client and a written request signed by the head of the third-party organization or a third person who requested such information, on which there is a visa of the first head of the Company.
The Company has the right to provide access to the authorized state bodies to the personal data of Clients in accordance with the procedure and in accordance with the requirements of the current legislation of the Republic of Kazakhstan.
5. Protection of personal data of Clients
When transferring personal data of Clients in compliance with the conditions provided for in Section 4 of this Regulation, the Company is obliged to warn users of personal data of Clients about responsibility for violation of the legislation of the Republic of Kazakhstan on personal data and their protection.
Protection of personal data of Clients in the Company is provided as follows:
personal data of Clients are stored in metal cabinets, in accordance with the requirements of the current legislation of the Republic of Kazakhstan;
restricted access of employees and third parties to personal data of Customers;
compliance with the requirements of the legislation on personal data and their protection in the Company.
Protection of Clients' personal data from their misuse or loss is provided at the expense of the Company's funds in accordance with the procedure established by the legislation of the Republic of Kazakhstan.
The responsible division of the Company ensures that the Company's Clients sign their written consent to the collection, processing and storage of personal data in the form provided in Annex 1 to this Regulation.
6. Responsibility for disclosure of confidential information related to personal data of Clients
In case of violation by the Company or other persons having access to personal data of Clients of the norms governing the receipt, processing, storage, transfer and protection of personal data of Clients, they bear disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the Republic of Kazakhstan.
7. Final provisions
Issues not regulated by this Regulation are regulated in accordance with the current legislation of the Republic of Kazakhstan, all amendments or additions to this Regulation are approved by the Management Board of the Company.
If, when changing the legislation of the Republic of Kazakhstan, certain provisions of this Regulation come into conflict with the current legislation of the Republic of Kazakhstan, these provisions of the Regulation become invalid and until changes are made to this Regulation, it is necessary to be guided by the current legislation of the Republic of Kazakhstan.
In everything else that is not provided for by the Regulations, officials and other employees of the Company's structural divisions are guided by the norms of the legislation of the Republic of Kazakhstan and other internal documents of the Company.
