Policy for the Collection and Processing of Personal Data
APPROVED by the Director's Order - 20.04.2024
1. General Provisions
This Personal Data Processing Policy (hereinafter referred to as the "Policy") is developed in accordance with the requirements of the Law of the Republic of Kazakhstan No. 94-V dated May 21, 2013, "On Personal Data and Their Protection" (hereinafter referred to as the "Personal Data Law"), the Law of the Republic of Kazakhstan No. 418-V dated November 24, 2015, "On Informatization" (hereinafter referred to as the "Informatization Law"), and other regulatory legal acts of the Republic of Kazakhstan. This Policy outlines the procedure for the collection and processing of personal data and measures for ensuring their security.
The terms used in Article 1 of the Personal Data Law are applied in this Policy with the same meaning.
This Policy is a public document of the Partnership and must be posted on the official website of the Partnership at: celetaris.org (hereinafter referred to as the "Website").
2. Subjects of Personal Data and List of Personal Data
The Partnership collects and processes the personal data of the following categories of subjects:
2.1. Personal data of managers and employees of legal entities and individual entrepreneurs who interact with the Partnership within the framework of potential cooperation, contract negotiations, and the conclusion and execution of civil contracts.
List of personal data:
  • Full name (surname, first name, patronymic);
  • Email address;
  • Mobile phone number.
2.2. List of personal data: any information related to an individual as indicated in the employment contract, employee card, documents confirming employment (including labor books), military ID, and other documents provided at the conclusion and during the term of the employment contract, including:
  • Full name (surname, first name, patronymic);
  • Gender;
  • Date and place of birth;
  • Citizenship;
  • Signature;
  • Data of documents confirming legal residence in the Republic of Kazakhstan;
  • Bank account details (account number, bank name, and BIC code);
  • Any questionnaire data;
  • Data from the personal file and employee card (form T-2);
  • Identity documents (name, number, and issue date);
  • Individual identification number;
  • Permanent residence address and registration data;
  • Actual residence address;
  • Postal addresses and email addresses;
  • Phone numbers;
  • Portrait image (photograph);
  • Education, qualifications, special skills or professional training;
  • Marital status and family composition;
  • Previous positions and work experience (labor book copy);
  • Military service information;
  • Disability status, group, and degree of work limitations;
  • Competency information (medical certificate form No. 086, original valid for 1 year, criminal record certificate, psychiatric and narcological dispensary certificates).
2.3. Personal data of job candidates, including data received (with their consent) from the Unified Labor Agreement Registration System and employment records.
List of personal data:
  • Full name (surname, first name, patronymic);
  • Date and place of birth;
  • Citizenship;
  • Gender;
  • Military service information;
  • Education;
  • Employment history;
  • Other information voluntarily provided in resumes.
2.4. Personal data of individuals interacting with the Partnership in contract negotiations, conclusion, and execution of civil contracts.
List of personal data:
  • Full name (surname, first name, patronymic);
  • Date and place of birth;
  • Identity documents;
  • Individual identification number;
  • Permanent residence address and registration data;
  • Actual residence address;
  • Postal addresses and email addresses;
  • Phone numbers;
  • Bank details (account number, bank name, and BIC code).
2.5. Other information not related to personal data but collected from Website visitors:
  • Data on visitors' technical devices (e.g., operating system type, device type, browser type, geographic location);
  • Anonymous visitor data (including cookies) collected via web analytics tools like Yandex.Metrica, Google Analytics, etc.
3. Purposes of Personal Data Processing
3.1. The Partnership processes personal data of managers and employees of legal entities and individual entrepreneurs for the following purposes:
  • Fulfilling obligations to contractors, providing feedback, sending notifications, requests, and information for the provision of services, and for processing contractor inquiries and applications;
  • Providing technical support for the Partnership's products and services;
  • Evaluating and improving the quality of services, developing new services, and promoting services;
  • Conducting statistical and marketing research regarding the Partnership's operations;
  • Conducting marketing campaigns and sending promotional messages and offers to contractors.
3.2. The Partnership processes personal data of employees for the following purposes:
  • Organizing personnel records and administration;
  • Assisting employees with employment, training, and career development;
  • Calculating and paying salaries, compensations, and other payments, as well as providing benefits in accordance with labor laws;
  • Calculating and withholding individual income tax and submitting tax reports;
  • Providing information to the authorized employment agency;
  • Withholding and paying pension and social insurance contributions;
  • Fulfilling other legal obligations;
  • Organizing business trips;
  • Issuing powers of attorney (including for representing the Partnership's interests);
  • Ensuring employee safety;
  • Monitoring work performance, including conducting certifications;
  • Ensuring the security of the Partnership’s property;
  • Enforcing access control in the Partnership’s premises;
  • Tracking working hours;
  • Entering into agreements benefiting employees.
3.3. The Partnership processes job candidates' personal data to assess the possibility of concluding employment contracts.
3.4. The Partnership processes personal data of individuals involved in contract negotiations and execution to manage negotiations, conclude, and execute contracts.
3.5. The Partnership processes non-personal information of Website visitors for:
  • Evaluating and improving the quality of services;
  • Conducting statistical and marketing research;
  • Conducting marketing campaigns and sending promotional messages and offers for participation in special events.
4. Duration of Personal Data Processing
4.1. Personal data processing continues until the purposes of processing are achieved or the term specified in the consent form expires.
4.2. Personal data, after processing ends or the relationship with the subject terminates, must be destroyed unless otherwise required by law. Storage of personal data after processing is allowed only if anonymized.

5. Principles of Collection, Processing, and Storage of Personal Data
5.1. The collection and processing of personal data are carried out with the consent of the data subjects.
5.2. Personal data is collected in the following ways:
  • Personal data is provided by the subject when filling out web forms on the Website, as well as on websites with the domain celetaris.org.
  • Automatic collection of personal data on the Website using technologies and services such as web protocols, cookies, web beacons, which are activated only when the user enters their data.
  • Provision of personal data in written form, including through communication means.
  • 5.3. The content and scope of processed personal data correspond to the previously declared purposes specified in Section 3 "Purposes of Personal Data Processing" of this Policy.
  • 5.4. The confidentiality of personal data is maintained, except in cases where such data is publicly available.
  • 5.5. For the purposes of conducting marketing research, the Company collects and processes anonymized personal data.
  • 5.6. The storage of personal data by the Company is carried out in a database located in the territory of the Republic of Kazakhstan.
  • 5.7. Personal data may be transferred to third parties solely for the purposes specified in Section 3 "Purposes of Personal Data Processing" of this Policy. The transfer of data to third parties is only carried out under the condition that such third parties undertake obligations to ensure confidentiality and comply with other requirements stipulated by the Personal Data Law.
  • 5.8. Personal data may be transferred to authorized state bodies of the Republic of Kazakhstan only on the grounds and in the manner established by the legislation of the Republic of Kazakhstan.
6. Rights and Responsibilities of the Data Subject
6.1. The data subject has the right to:
6.1.1. Know about the existence of their personal data held by the Company, as well as receive information containing:
  • Confirmation of the fact, purposes, sources, methods of collection, and processing of personal data;
  • A list of processed personal data;
  • The duration of personal data processing, including the duration of their storage.
  • 6.1.2. Demand that the Company amend and supplement their personal data if there are grounds confirmed by relevant documents.
  • 6.1.3. Demand that the Company block their personal data if there is information about violations of the conditions for the collection and processing of personal data.
  • 6.1.4. Demand that the Company destroy their personal data if the collection and processing were carried out in violation of the legislation of the Republic of Kazakhstan, as well as in other cases stipulated by the Personal Data Law and other regulatory legal acts of the Republic of Kazakhstan.
  • 6.1.5. Withdraw consent to the collection and processing of personal data, except in cases provided for in paragraph 2 of Article 8 of the Personal Data Law.
  • 6.1.6. Give consent (or refuse) to the Company to disseminate their personal data in publicly available sources of personal data.
  • 6.1.7. Protect their rights and legitimate interests, including demanding compensation for moral and material harm.
  • 6.1.8. Exercise other rights provided for by the Personal Data Law and other laws of the Republic of Kazakhstan.
  • 6.2. The data subject may exercise the rights specified in paragraph 6.1 by sending a letter containing an electronic message to support@celetaris.org.
7. Rights and Responsibilities of the Company
7.1. The Company is obliged to: 7.1.1. Approve the list of personal data necessary and sufficient for the performance of the tasks carried out by the Company unless otherwise provided by the laws of the Republic of Kazakhstan.
7.1.2. Take and comply with the necessary measures, including legal, organizational, and technical measures, to protect personal data in accordance with the legislation of the Republic of Kazakhstan.
7.1.3. Comply with the legislation of the Republic of Kazakhstan on personal data and their protection.
7.1.4. Take measures to destroy personal data upon achieving the purpose of their collection and processing, as well as in other cases stipulated by the Personal Data Law and other regulatory legal acts of the Republic of Kazakhstan.
7.1.5. Provide evidence of obtaining the consent of the subject for the collection and processing of their personal data in cases provided for by the legislation of the Republic of Kazakhstan.
7.1.6. Provide information relating to the subject within three working days from the date of receipt of the request from the subject or their legal representative unless otherwise stipulated by the laws of the Republic of Kazakhstan.
7.1.7. In case of refusal to provide information to the subject or their legal representative within a period not exceeding three working days from the date of receipt of the request, provide a reasoned response unless otherwise stipulated by the laws of the Republic of Kazakhstan.
7.1.8. Within one working day:
  • Modify and/or supplement personal data based on relevant documents confirming their accuracy or destroy personal data if it is impossible to modify and/or supplement it;
  • Block personal data related to the subject if there is information about violations of the conditions for their collection and processing;
  • Destroy personal data in case of confirmation of the fact of their collection and processing in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by this Law and other regulatory legal acts of the Republic of Kazakhstan;
  • Unblock personal data in case of non-confirmation of the fact of violation of the conditions for the collection and processing of personal data.
  • 7.1.9. Provide the subject or their legal representative with the opportunity to familiarize themselves with the personal data relating to the subject free of charge.
  • 7.1.10. Appoint a person responsible for organizing the processing of personal data.
  • 7.2. The employee of the Company responsible for organizing the processing of personal data is obliged to:
  • Exercise internal control over compliance by the Company and its employees with the legislation of the Republic of Kazakhstan on personal data and their protection, including requirements for the protection of personal data;
  • Inform the employees of the Company about the provisions of the legislation of the Republic of Kazakhstan on personal data and their protection regarding the processing of personal data and the requirements for the protection of personal data;
  • Monitor the receipt and processing of requests from subjects or their legal representatives.
8. Protection of Personal Data
8.1. Legal measures for the protection of personal data:
  • Conclusion of confidentiality agreements regarding personal data with third parties who have access to such personal data;
  • Adoption of the Company’s documents, including this Policy, defining the policy for the collection and processing of personal data, threats to security and protection of personal data, procedures aimed at preventing and detecting violations of the legislation of the Republic of Kazakhstan on personal data and their protection, eliminating the consequences of such violations, and other provisions aimed at protecting personal data.
  • 8.2. Organizational measures for the protection of personal data:
  • Organizing security measures for premises where personal data carriers are located to exclude the possibility of uncontrolled entry or stay of persons without access rights in these premises;
  • Separation of personal data from other information by fixing them on separate carriers of personal data;
  • Division of personal data into publicly available and limited access;
  • Determining the places of storage of personal data carriers while ensuring conditions that ensure the safety of personal data;
  • Determining the list of persons carrying out the collection and processing of personal data or having access to them within the performance of their job responsibilities;
  • Appointing a responsible person for organizing the collection and processing of personal data, formalized by a relevant document from the Company;
  • Conducting internal audits of the activities related to the processing of personal data;
  • Familiarizing employees with this Policy and other documents aimed at protecting personal data adopted by the Company.
  • 8.3. Technical measures for the protection of personal data:
  • Using specialized technical and software tools that block unauthorized access to personal data;
  • Using specialized programs that anonymize personal data.
9. Cross-Border Transfer of Personal Data
9.1. The cross-border transfer of personal data to foreign countries may only be carried out if those countries ensure the protection of personal data. The personal data of the subject may be transferred to third parties solely for the purposes specified in Section 3 "Purposes of Personal Data Processing" of this Policy, provided that such parties undertake obligations to ensure confidentiality and protect the received personal data.
9.2. The cross-border transfer of personal data to foreign countries that do not ensure the protection of personal data may only be carried out in cases provided for by the Personal Data Law.

10. Final Provisions
10.1. This Policy is subject to change and amendment in the following cases at the decision of the Company’s authorities and officials in accordance with their competence:
  • When there are changes in the legislation of the Republic of Kazakhstan on personal data and their protection;
  • When the purposes of processing personal data change;
  • When new technologies for collecting, processing, and protecting personal data (including transfer and storage) are applied;
  • In other cases.
  • 10.2. The Company has the right to unilaterally change the Policy (in whole or in part) at any time without prior agreement with the data subject. All changes take effect from the moment the new version of the Policy is posted on the Website.
  • 10.3. The data subject undertakes to independently monitor changes to the Policy by familiarizing themselves with its current version.
  • 10.4. Control over compliance with the requirements of the Policy is carried out by persons responsible for organizing the processing of personal data by the Company.

All questions can be emailed to support@celetaris.org