“Asiainfo” LLC Personal Data Protection and Processing Policy (Confidentiality Policy)
1. General Provisions
1.1. This Policy is carried out by “Asiainfo” LLC (hereinafter referred to as the “Company”) in relation to the processing and protection of personal information of individuals (personal data subjects) on the ground of Articles 29 and 33 of the Constitution of the Kyrgyz Republic and the Law No. 58 On Personal Data.
1.2. The policy applies to all personal data that can be obtained by the Company during its activities, including the Company clients. The processing of personal data of the Company is carried out in accordance with the following regulatory legal acts:
· CODE of the Kyrgyz Republic dd. 4 August 2004 No.106 “Labor Code of the Kyrgyz Republic”
· Law of 14 April 2008 No. 58 On Personal Data;
· Law of 14 July 2014 No.136 About biometric registration of citizens of the Kyrgyz Republic;
· Resolution of the Government of the Kyrgyz Republic dd. 21 November 2017 No. 759 “The procedure for obtaining the consent of the personal data subject to the collection and processing of his personal data, the procedure and form of notifying personal data subjects about the transfer of their personal data to a third party”;
· other regulatory legal acts of the Kyrgyz Republic and regulatory documents of the state executive bodies.
1.3. The purpose of the Policy is to inform the persons who provide their personal data with the necessary information to assess what personal data and for what purposes are processed by the Company, what methods of ensuring their security are implemented, as well as establishing the basic principles and approaches to processing and ensuring the security of personal data in the Company.
1.4. The policy ensures the protection of the rights and freedoms of individuals when processing their personal data using automation tools or without using such means, and also establishes the responsibility of persons who have access to personal data for failure to comply with the requirements governing the processing and protection of personal data.
1.5. Users, using the Company services posted on
the website of the Company at: https://www.cctld.kg/ and http://domain.kg/,
informing the Company their personal data, including through the mediation of
third parties, acknowledge their consent to the processing of personal data in
accordance with this Policy. In case of disagreement with this Policy as a
whole, as well as in case of disagreement with any clause of this Policy, the
User must refrain from using the Services.
1.6. Consent to the processing of personal data can be revoked by the personal data subject. If the personal data subject withdraws consent to the processing of personal data, the operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified by the current legislation.
1.7. This Policy may be changed by the Company. The Company has the right at any time, at its sole discretion, to make changes to this Policy without prior notification of the User about it. When making changes in the current edition, the date of the last update is indicated. The new version of the Policy comes into force from the moment it is posted on the web server, unless otherwise provided by the new edition of the Policy.
1.8. This Policy applies only to information about the User obtained while using the Company Services. The Company does not control and is not responsible for the processing of information about the User by third-party websites, to which the User can click on the links available on the official web server of the Company.
1.9. Definitions used in this Policy:
Personal information (personal data) - information recorded on a material medium about a specific person, identified with a specific person or which can be identified with a specific person, allowing this person to be identified directly or indirectly, through reference to one or more factors specific to his biological, economic, cultural, civic or social identity.
Personal data includes biographical and identification data, personal characteristics, information about marital status, financial condition, health status, and more.
List of personal information - a list of categories of data about this subject.
Personal data array is any structured collection of personal information of a certain number of subjects, regardless of the type of information carrier and the means used for their processing (archives, file cabinets, electronic databases, etc.).
Publicly available personal data arrays - arrays of personal data, access to which is not limited by law, and intended for general use (directories, phone books, address books, etc.).
Confidentiality mode for personal information - normatively established rules that determine restrictions on access, transfer, provision and storage conditions for personal data.
The personal data subject (subject) is an individual to whom the relevant personal data relates.
The holder (possessor) of personal data array - state authorities, local governments and legal entities that are entrusted with the authority to determine the purposes, categories of personal information and control the collection, storage, processing and use of personal data in accordance with the Law.
The authorized state body for personal data (hereinafter referred to as the authorized state body) is a state body authorized by the Government of the Kyrgyz Republic to exercise the functions and powers to ensure that the processing of personal data meets the requirements of the Law, protection of the rights of personal data subjects (subjects), registration of holders (owners) of personal data arrays, maintaining the Register of holders of personal data arrays, other tasks, functions and powers provided for by the Law.
Processor is an individual or legal entity, determined by the holder (owner) of personal data, who processes personal information based on an agreement concluded with him.
The recipient of personal information is a public authority or local self-government bodies, legal entities and individuals, as well as a personal data subject (subject), to whom personal data is transferred and provided in accordance with the Law.
Collection of personal information is the procedure for obtaining personal information by the holder (possessor) of personal data array from the subjects of this data or from other sources in accordance with the legislation of the Kyrgyz Republic.
Processing of personal information is any operation or set of operations performed regardless of methods by the holder (owner) of personal information or on his behalf, by automatic means or without such, in order to collect, record, store, update, group, block, erase and destroy personal data.
The consent of the personal data subject is a free, specific, unconditional and conscious expression of the will of the person in the form provided for by this Law, in accordance with which the subject notifies of his consent to the implementation of procedures related to the processing of his personal data.
Transfer of personal information is a provision by the holder (owner) of personal data to third parties in accordance with the Law and international treaties.
Cross-border transfer of personal information is a transfer by the holder (owner) of personal information to holders under the jurisdiction of other states.
Updating personal information - promptly making changes to personal data in accordance with the procedures established by the current legislation of the Kyrgyz Republic.
Blocking personal information - temporary suspension of the transfer, clarification, use and destruction of personal data.
Destruction (erasure or crash) of personal information - actions of the holder (possessor) of personal information to bring this data into a state that does not allow restoring their content.
Depersonalization of personal information is the removal from personal information of the part that allows to be identified with a specific person.
Information system of personal information - a set of personal data contained in databases and ensuring their processing of information technologies and technical means.
2. The concept and content of personal data
2.1. For the purposes of this Policy, personal data means any information relating directly or indirectly to a specific individual (personal data subject).
2.2. Depending on the personal data subject, the Company, in order to carry out its activities and to fulfill its obligations, may process personal data of the following categories of subjects:
· Personal data of the Company employee, a candidate for a job is information required by the Company in connection with labor relations and concerning a specific employee;
· Client data - information that the Company needs to fulfill its obligations under the contractual relationship with the Client and to comply with the requirements of the legislation of the Kyrgyz Republic. This also includes data provided by potential clients, client representatives authorized to represent clients; heads and chief accountants of legal entities that are Company clients, persons who have concluded civil law contracts with the Company for the provision of services to the Company; employees of Company partners and other legal entities that have contractual relations with the Company, with which Company employees interact in the framework of their activities;
· personal data of the Client provided during registration on the website https://www.cctld.kg/ and http://domain.kg/, including when the Client makes Orders, as well as when using services, communication forms posted on the website at: https://www.cctld.kg/ and http://domain.kg/;
· personal data of other individuals who have consented to the processing of their personal information by the Company or individuals whose personal information processing is necessary for the Company to achieve the goals provided for by an international treaty of the Kyrgyz Republic or by law, for the implementation and fulfillment of the functions and obligations assigned on the hosting provider and the domain name registrar by the legislation of the Kyrgyz Republic;
· personal data of individuals that are made publicly available by them, and their processing does not violate their rights and complies with the requirements established by the Legislation on personal information.
2.3. The personal data subject included in the list of persons specified in clause 2.2, the client of the Company agrees to the processing of the following personal data: surname, name, patronymic; date of birth; mailing addresses (at the place of registration and for contacts); number of the main identity document of the Client, information about the date of issue of the specified document and the issuing authority; phone numbers; fax numbers; e-mail addresses.
3. Grounds and purposes of personal data processing
3.1. The Company processes personal data to carry out its activities, including for the provision of services to Clients. The Company has the right to:
3.2. The Company processes personal data only if at least one of the following conditions is met:
3.3. The Company and other persons who have gained access to personal information are obliged not to disclose to third parties and not to distribute personal information without the consent of the personal data subject, unless otherwise provided by law.
3.4. The Company can process personal information of subjects of personal information for the following purposes:
3.5. The Company does not process special categories of Personal Data related to race, nationality, political views, religious or philosophical beliefs, intimate life.
3.6. The legal grounds for processing personal information are the following legal acts:
4. Principles of personal data processing
4.1. The processing of personal information by the Company is carried out based on the following principles:
4.2. Employees of the Company admitted to the Processing of personal information must:
- legislation of the Kyrgyz Republic in the field of personal information, this Policy;
- local acts of the Company on the processing and security of personal information;
4.3. The security of personal information in the Company is ensured by the implementation of coordinated measures aimed at preventing (neutralizing) and eliminating threats to the security of personal information and minimizing possible damage.
5. Timeframe of personal data processing
5.1. The timeframe for processing personal data are determined based on the purposes of processing in the information systems of the Company, in accordance with the term of the contract, agreement with the personal data subject.
5.2. A condition for stopping the processing of personal information may be the achievement of the goals of processing personal information in accordance with the terms of the contract concluded between the Company and the personal data subject, expiration of the consent or withdrawal of the consent of the personal data subject to the processing of their personal data, as well as identification of illegal processing of personal data.
6. The persons authorized to process personal data
6.1. To achieve the goals of Article 3 of this Policy, only those employees of the Company who are entrusted with such a duty in accordance with their official (labor) duties are authorized to process personal information. Access of other employees may be granted only in cases provided by law. The Company requires its employees to maintain confidentiality and ensure the security of personal data during their processing.
6.2. The Company has the right to transfer personal data to third parties in the following cases:
- The personal data subject has clearly expressed his consent to such actions;
- The transfer is provided for by national or
other applicable law in the framework of the procedure established by law.
6.3. At the reasoned request of the authorized body and in accordance with the current legislation, personal data of the subject without his consent can be transferred:
· in connection with the administration of justice to the judicial authorities;
· to the internal affairs bodies, the State Committee for National Security, the prosecutor's office;
· to other bodies and organizations authorized by the current legislation and applicable legal norms in the cases established in regulatory legal acts that are binding on the operator.
7.1. In the process of providing services, in the implementation of internal economic activities, the Company uses automated and non-automated processing of personal information.
7.2. The Company has the right to entrust the personal information processing to another person with the consent of the Personal Data Subject, unless otherwise provided by the legislation of the Kyrgyz Republic, on the basis of an agreement concluded with this person, a prerequisite for which is compliance by this person with the principles and rules for Processing Personal Data provided for by the Law on Personal Data.
7.3. Personal data is not disclosed to third parties and is not distributed in any other way without the consent of the Personal Data Subject, unless otherwise provided by the legislation of the Kyrgyz Republic.
7.4. Representatives of public authorities (including those of controlling, supervisory, law enforcement and other bodies) get access to personal information processed in the Company, in the amount and manner established by the legislation of the Kyrgyz Republic.
7.5. As part of the personal data processing for the Personal Data Subject and the Company, the following rights are defined.
7.5.1. The personal data subject has the right to:
7.5.2. The Company has the right to:
7.6. In case of confirmation of the fact of inaccuracy of personal information or the illegality of its processing, personal information must be updated by the operator, and the processing must be stopped.
7.7. Upon achievement of the goals of processing personal information, as well as if the personal data subject withdraws consent to its processing, personal information is subject to destruction if:
7.8. The Company is obliged to inform the personal data subject or his representative about the processing of personal information of such a subject at the request of the latter.
7.9. The Company also has other rights and bears other obligations established by the law On Personal Data.
8. Implementation of personal data protection
8.1. The Company's activity in processing personal data in information systems is inextricably linked with the protection of the confidentiality of the information received by the Company. All employees of the Company are obliged to ensure the confidentiality of personal data, as well as other information established by the Company, if this does not contradict the current legislation of the Kyrgyz Republic.
8.2. The security of personal information during its processing in the
information systems of the Company is ensured by the information security
8.3. The exchange of personal information during its processing in information systems is carried out through communication channels protected by technical information protection means.
8.4. When processing personal data in the information systems of the Company the following is provided:
Copyright © Ilya O. Levin & Sergey D. Piryazev & Vitaliy Yurlov, 2000. Updated by Vitaliy Yurlov, 2020. All rights reserved.