Personal Data Collection and Processing Policy on the Website

APPROVED
By Order of the Director of LLP “DISK”

1. General Provisions

Limited Liability Partnership “DISK”, BIN 240740023944 (hereinafter – the Company), located at: 010000, Kazakhstan, Astana, Saryarka District, Shaimerden Koshshyguly Street, Building 11, Apt. 8 (RKA1201600058684467), pays special attention to the security of personal data in the course of its activities. All business processes within the Company are designed to ensure the security of personal data.

This Personal Data Processing Policy (hereinafter – the Policy) has been developed in accordance with the requirements of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On Personal Data and Their Protection” (hereinafter – the Law on Personal Data), the Law of the Republic of Kazakhstan dated November 24, 2015 No. 418-V “On Informatization” (hereinafter – the Law on Informatization), and other regulatory legal acts of the Republic of Kazakhstan, and defines the procedures for collecting and processing personal data and the measures to ensure their security.

The terms contained in Article 1 of the Law on Personal Data are used in this Policy with the same meaning.

This Policy is a publicly available document of the Company and is subject to placement on the official website of the Company on the Internet (hereinafter – the Website).

2. Subjects of Personal Data and List of Personal Data

The Company collects and processes general personal data of the following categories of personal data subjects:

2.1. Personal data of website visitors, executives, other employees and representatives of legal entities, as well as individual entrepreneurs who interact with the Company in the context of potential cooperation and the negotiation, conclusion, and execution of civil law contracts.

List of personal data:

  • last name, first name, patronymic;

  • email address;

  • mobile phone number.

2.2. Other information not classified as personal data, processed by the Company about Website visitors:

  • Data on the technical devices of Website visitors: operating system type, device type (personal computer, mobile phone, tablet), browser type, geographical location.

  • Anonymized data about Website visitors (including “cookie” files) is collected and processed using web analytics services (“Yandex.Metrica,” and others).

3. Purposes of Personal Data Processing

3.1. The Company processes personal data of website visitors, executives, other employees and representatives of legal entities, as well as individual entrepreneurs who interact with the Company in the context of potential cooperation and the negotiation, conclusion, and execution of civil law contracts, for the following purposes:

  • fulfillment of the Company’s obligations towards counterparties, feedback communication with counterparties, including sending notifications, requests, informational messages for the purpose of providing services, supplying goods, performing work, and sending emails and other forms of communication via phone or email to the counterparty, as well as for processing requests and applications from counterparties;

  • providing counterparties with technical support for the Company’s products and services;

  • assessing and improving the quality of services, the Company’s operations, developing new services, and promoting services;

  • conducting statistical and marketing research, including those related to the Company’s operations;

  • conducting marketing activities, sending promotional messages and offers to counterparties to participate in special promotions and events.

3.2. The Company processes personal data of website visitors who are individuals and interact with the Company in the context of the negotiation, conclusion, and execution of civil law contracts for the following purpose:

  • conducting negotiations, concluding, and executing contracts.

3.3. The Company processes other information that is not personal data from website visitors for the following purposes:

  • assessing and improving the quality of services, the Company’s operations, developing new services, and promoting services;

  • conducting statistical and marketing research, including those related to the Company’s operations;

  • conducting marketing activities, sending promotional messages and offers for participation in special promotions and events.

4. Personal Data Processing Periods

4.1. The processing of personal data of personal data subjects is carried out until the purposes of personal data processing are achieved or until the period specified in the consent for the collection and processing of personal data expires.

4.2. Personal data must be destroyed once its processing (storage) period has expired, as well as upon termination of legal relations between the subject and the Company, unless otherwise provided by the legislation of the Republic of Kazakhstan. The storage of personal data after the termination of its processing is allowed only if it is anonymized.

5. Principles of Personal Data Collection, Processing, and Storage

5.1. The collection and processing of personal data are carried out with the consent of the personal data subjects.

5.2. Personal data is collected in the following ways:

  • by the subject providing personal data when filling out web forms on the Website;

  • by automatic collection of personal data on the Website using technologies and services such as web protocols, cookies, and web beacons, which are activated only upon entering one’s data;

  • by the provision of personal data in written form, including via communication means.

5.3. The content and volume of the personal data being processed correspond to the purposes stated in advance, as specified in Section 3 “Purposes of Personal Data Processing” of this Policy.

5.4. Personal data is kept confidential, except in cases where such data is publicly available.

5.5. For the purposes of conducting statistical and marketing research, the Company collects and processes anonymized personal data.

5.6. The Company stores personal data in a database located in the territory of the Republic of Kazakhstan.

5.7. Personal data may be transferred to third parties exclusively for the purposes specified in Section 3 “Purposes of Personal Data Processing” of this Policy and with the consent of the personal data subject. The transfer of data to third parties is carried out only on the condition that such third parties undertake confidentiality obligations and comply with other requirements provided for by the Law on Personal Data.

5.8. Personal data may be transferred to authorized government bodies of the Republic of Kazakhstan only on the grounds and in accordance with the procedures established by the legislation of the Republic of Kazakhstan.

6. Rights and Obligations of the Personal Data Subject

6.1. The subject has the right to:

6.1.1. be informed of the Company’s possession of their personal data and receive information including:

  • confirmation of the fact, purposes, sources, and methods of collecting and processing personal data;

  • the list of personal data being processed;

  • the periods of personal data processing, including retention periods.

6.1.2. require the Company to amend and supplement their personal data where there are grounds confirmed by the relevant documents;

6.1.3. require the Company to block their personal data if there is information indicating a violation of the conditions for the collection and processing of personal data;

6.1.4. require the Company to destroy their personal data that were collected and processed in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law on Personal Data and other regulatory legal acts of the Republic of Kazakhstan;

6.1.5. withdraw consent to the collection and processing of personal data, except in cases provided for by paragraph 2 of Article 8 of the Law on Personal Data;

6.1.6. consent (or refuse) to the Company’s dissemination of their personal data in publicly accessible sources of personal data;

6.1.7. the protection of their rights and legitimate interests;

6.1.8. exercise other rights provided for by the Law on Personal Data and other laws of the Republic of Kazakhstan.

6.2. The subject may exercise the rights specified in clause 6.1 by sending a letter containing a written communication with the appropriate request to the Company’s email address: toodiskoffice@gmail.com

7. Rights and Obligations of the Company

7.1. The Company is obliged to:

7.1.1. approve the list of personal data necessary and sufficient to fulfill the tasks carried out by the Company, unless otherwise provided by the laws of the Republic of Kazakhstan;

7.1.2. take and comply with the necessary measures, including legal, organizational, and technical measures, to protect personal data in accordance with the legislation of the Republic of Kazakhstan;

7.1.3. comply with the legislation of the Republic of Kazakhstan on personal data and their protection;

7.1.4. take measures to destroy personal data upon achieving the purpose of its collection and processing, as well as in other cases established by the Law on Personal Data and other regulatory legal acts of the Republic of Kazakhstan;

7.1.5. provide proof of obtaining the subject’s consent to the collection and processing of their personal data in cases provided for by the legislation of the Republic of Kazakhstan;

7.1.6. provide information related to the subject within three business days from the date of receiving a request from the subject or their legal representative, unless other deadlines are provided by the laws of the Republic of Kazakhstan;

7.1.7. in the event of refusal to provide information to the subject or their legal representative, provide a justified response within no more than three business days from the date of receiving the request, unless other deadlines are established by the laws of the Republic of Kazakhstan;

7.1.8. within one business day:

  • amend and/or supplement personal data based on the relevant documents confirming their accuracy, or destroy personal data if it is impossible to amend and/or supplement them;

  • block personal data related to the subject if there is information indicating a violation of the conditions of their collection or processing;

  • destroy personal data if the fact of its collection or processing in violation of the legislation of the Republic of Kazakhstan is confirmed, as well as in other cases established by the Law on Personal Data and other regulatory legal acts of the Republic of Kazakhstan;

  • remove the block on personal data if the fact of violation of the conditions of collection or processing is not confirmed.

7.1.9. provide the subject or their legal representative with the opportunity to access the personal data related to that subject free of charge;

7.1.10. appoint a person responsible for organizing the processing of personal data.

7.2. The employee of the Company responsible for organizing the processing of personal data is obliged to:

  • carry out internal control over the Company’s and its employees’ compliance with the legislation of the Republic of Kazakhstan on personal data and their protection, including requirements for the protection of personal data;

  • inform the Company's employees about the provisions of the legislation of the Republic of Kazakhstan on personal data and their protection, regarding the processing of personal data and the requirements for their protection;

  • monitor the receipt and processing of requests from subjects or their legal representatives.

8. Personal Data Protection

8.1. Legal measures for personal data protection:

  • entering into confidentiality agreements regarding personal data with third parties who have access to such data;

  • adoption of the Company’s documents, including this Policy, which define the policy for collecting and processing personal data, security threats and data protection measures, procedures aimed at preventing and detecting violations of the legislation of the Republic of Kazakhstan on personal data and their protection, eliminating the consequences of such violations, and other provisions aimed at protecting personal data.

8.2. Organizational measures for personal data protection:

  • establishing security control over premises where personal data carriers are located to prevent unauthorized entry or presence of individuals not authorized to access such premises;

  • separating personal data from other information by storing them on separate personal data carriers;

  • categorizing personal data into publicly accessible and restricted-access types;

  • determining storage locations for personal data carriers under conditions that ensure the safety of personal data;

  • defining the list of individuals responsible for collecting and processing personal data or those who have access to such data in the course of their job duties;

  • appointing a person responsible for organizing the collection and processing of personal data, as formalized by the Company’s official document;

  • conducting internal audits of personal data processing activities;

  • familiarizing employees with this Policy and other documents adopted by the Company to protect personal data.

8.3. Technical measures for personal data protection:

  • using specialized technical and software tools that block unauthorized access to personal data;

  • using specialized programs that anonymize personal data.

9. Cross-Border Transfer of Personal Data

9.1. Cross-border transfer of personal data to the territory of foreign states may be carried out only if such states ensure the protection of personal data. The personal data of the subject may be transferred to third parties exclusively for the purposes specified in Section 3 “Purposes of Personal Data Processing” of this Policy, provided that such third parties undertake obligations to ensure the confidentiality and protection of the received personal data and with the consent of the personal data subject.

9.2. Cross-border transfer of personal data to the territory of foreign states that do not ensure the protection of personal data may be carried out only in cases provided for by the Law on Personal Data.

9.3. The Company does not carry out cross-border transfer of personal data.

10. Final Provisions

10.1. This Policy is subject to amendment and supplementation in the following cases, by decision of the Company’s authorities and officials within their competence:

  • in case of changes to the legislation of the Republic of Kazakhstan on personal data and their protection;

  • in case of changes to the purposes of personal data processing;

  • when new technologies for the collection, processing, and protection (including transfer and storage) of personal data are implemented;

  • in other cases.

10.2. The Company reserves the right to amend this Policy (in whole or in part) unilaterally at any time without prior consent of the personal data subject. All amendments take effect from the moment the updated version of the Policy is published on the Website.

10.3. The personal data subject undertakes to independently monitor changes to the Policy by reviewing its current version.

10.4. Control over the implementation of the Policy’s requirements is carried out by the persons responsible for organizing the processing of personal data within the Company.

Consent to the Collection and Processing of Personal Data

I (hereinafter – the “Subject”), acting freely, of my own will and in my own interest, hereby give specific, informed, and conscious consent to Limited Liability Partnership “Business Information Systems Kazakhstan,” BIN 240740023944, registered address: Republic of Kazakhstan, 010000, Kazakhstan, Astana, Saryarka District, Shaimerden Koshshyguly Street, Building 11, Apt. 8 (RKA1201600058684467) (hereinafter – the “Company”), for the collection and processing of my personal data, and I also confirm that I have familiarized myself with the Personal Data Collection and Processing Policy published on the Website.

This Consent applies to the following personal data:

  • last name, first name, patronymic (middle name);

  • email address;

  • mobile phone number.

This Consent is granted for the performance of any actions in relation to my personal data that are necessary to achieve the purposes specified below, including: collection, accumulation, storage, modification, supplementation, use, dissemination, anonymization, blocking, destruction, as well as any other actions with my personal data in compliance with the applicable legislation of the Republic of Kazakhstan. I grant consent to the processing of personal data for the following purposes:

  • fulfillment of the Company’s obligations to me, feedback communication with me, including sending notifications, requests, and informational messages for the provision of services, as well as sending emails and other forms of transmission/receipt of information by phone or to my email address, and for processing my requests and applications;

  • providing me with technical support for products and services;

  • assessing and improving the quality of services and the Company’s operations, developing new services, and promoting services;

  • conducting statistical and marketing research, including research related to the Company’s operations;

  • conducting marketing activities, sending advertising messages and offers to personal data subjects to participate in special promotions and events.

I hereby acknowledge and confirm that, to achieve the above purposes, the Company is entitled to transfer my personal data to a third party (subject to such third parties undertaking obligations to ensure the confidentiality and protection of the received personal data) in compliance with the legislation of the Republic of Kazakhstan on personal data and their protection.

This Consent is issued without limitation of its term, but not longer than provided for by the legislation of the Republic of Kazakhstan or than required for the purposes of the collection and processing of personal data carried out by the Company. I may withdraw my consent to the processing of personal data at any time during its validity by sending a letter containing a written notice with the corresponding request to the following email address: toodiskoffice@gmail.com