"ASIAINFO" LLC Personal Data Protection and Processing Policy (Confidentiality Policy)
1. General Provisions
1.1. This Policy is carried out by "ASIAINFO" LLC (hereinafter referred to as the "Company") in relation to the processing and protection of personal information of individuals (personal data subjects) on the basis of Articles 29 and 33 of the Constitution of the Kyrgyz Republic and the Law No. 58 On Personal Data.
1.2. The policy applies to all personal data that can be obtained by the Company during its activities, including the Company clients. The processing of personal data of the Company is carried out in accordance with the following regulatory legal acts:
CODE of the Kyrgyz Republic dd. 4 August 2004 No.106 "Labor Code of the Kyrgyz Republic"
Law of 14 April 2008 No. 58 On Personal Data;
Law of 14 July 2014 No.136 About biometric registration of citizens of the Kyrgyz Republic;
Resolution of the Government of the Kyrgyz Republic dd. 21 November 2017 No. 759 "The procedure for obtaining the consent of the personal data subject to the collection and processing of his personal data, the procedure and form of notifying personal data subjects about the transfer of their personal data to a third party";
other regulatory legal acts of the Kyrgyz Republic and regulatory documents of the state executive bodies.
1.3. The purpose of the Policy is to inform the persons who provide their personal data with the necessary information to assess what personal data and for what purposes are processed by the Company, what methods of ensuring their security are implemented, as well as establishing the basic principles and approaches to processing and ensuring the security of personal data in the Company.
1.4. The policy ensures the protection of the rights and freedoms of individuals when processing their personal data using automation tools or without using such means, and also establishes the responsibility of persons who have access to personal data for failure to comply with the requirements governing the processing and protection of personal data.
1.5. Users, using the Company services posted on the website of the Company at www.cctld.kg, providing the Company with their personal data, including through the mediation of third parties, acknowledge their consent to the processing of personal data in accordance with this Policy. In case of disagreement with this Policy as a whole, as well as in case of disagreement with any clause of this Policy, the User must refrain from using the Services.
The Company receives and starts processing personal data of the Subject from the moment it receives their consent. Consent to the processing of personal data can be given by the Personal data subject in any form that allows confirming the fact of obtaining consent, unless otherwise provided by law: in written, oral or other form provided for by the current legislation, including when the Personal data subject performs actions when using the services on the Company's website at www.cctld.kg, using feedback forms and accepting offers containing provisions on the processing of personal data in accordance with current legislation and posted at www.cctld.kg/privacy-policy. In the absence of the consent of the personal data subject to the processing of their personal data, such processing is not carried out.
1.6. Consent to the processing of personal data can be revoked by the personal data subject. If the personal data subject withdraws consent to the processing of personal data, the operator has the right to continue processing personal data without the consent of the personal data subject if there are grounds specified by the current legislation.
1.7. This Policy may be changed by the Company. The Company has the right at any time, at its sole discretion, to make changes to this Policy without prior notification of the User about it. When making changes in the current edition, the date of the last update is indicated. The new version of the Policy comes into force from the moment it is posted on the web server, unless otherwise provided by the new edition of the Policy.
1.8. This Policy applies only to information about the User obtained while using the Company Services. The Company does not control and is not responsible for the processing of information about the User by third-party websites, to which the User can click on the links available on the official web server of the Company.
1.9. Definitions used in this Policy:
Personal information (personal data) - information recorded on a material medium about a specific person, identified with a specific person or which can be identified with a specific person, allowing this person to be identified directly or indirectly, through reference to one or more factors specific to his biological, economic, cultural, civic or social identity.
Personal data includes biographical and identification data, personal characteristics, information about marital status, financial condition, health status, and more.
List of personal information - a list of categories of data about this subject.
Personal data array is any structured collection of personal information of a certain number of subjects, regardless of the type of information carrier and the means used for their processing (archives, file cabinets, electronic databases, etc.).
Publicly available personal data arrays - arrays of personal data, access to which is not limited by law, and intended for general use (directories, phone books, address books, etc.).
Confidentiality mode for personal information - normatively established rules that determine restrictions on access, transfer, provision and storage conditions for personal data.
The personal data subject (subject) is an individual to whom the relevant personal data relates.
The holder (possessor) of personal data array - state authorities, local governments and legal entities that are entrusted with the authority to determine the purposes, categories of personal information and control the collection, storage, processing and use of personal data in accordance with the Law.
The authorized state body for personal data (hereinafter referred to as the authorized state body) is a state body authorized by the Government of the Kyrgyz Republic to exercise the functions and powers to ensure that the processing of personal data meets the requirements of the Law, protection of the rights of personal data subjects (subjects), registration of holders (owners) of personal data arrays, maintaining the Register of holders of personal data arrays, other tasks, functions and powers provided for by the Law.
Processor is an individual or legal entity, determined by the holder (owner) of personal data, who processes personal information based on an agreement concluded with him.
The recipient of personal information is a public authority or local self-government bodies, legal entities and individuals, as well as a personal data subject (subject), to whom personal data is transferred and provided in accordance with the Law.
Collection of personal information is the procedure for obtaining personal information by the holder (possessor) of personal data array from the subjects of this data or from other sources in accordance with the legislation of the Kyrgyz Republic.
Processing of personal information is any operation or set of operations performed regardless of methods by the holder (owner) of personal information or on his behalf, by automatic means or without such, in order to collect, record, store, update, group, block, erase and destroy personal data.
The consent of the personal data subject is a free, specific, unconditional and conscious expression of the will of the person in the form provided for by this Law, in accordance with which the subject notifies of his consent to the implementation of procedures related to the processing of his personal data.
Transfer of personal information is a provision by the holder (owner) of personal data to third parties in accordance with the Law and international treaties.
Cross-border transfer of personal information is a transfer by the holder (owner) of personal information to holders under the jurisdiction of other states.
Updating personal information - promptly making changes to personal data in accordance with the procedures established by the current legislation of the Kyrgyz Republic.
Blocking personal information - temporary suspension of the transfer, clarification, use and destruction of personal data.
Destruction (erasure or crash) of personal information - actions of the holder (possessor) of personal information to bring this data into a state that does not allow restoring their content.
Depersonalization of personal information is the removal from personal information of the part that allows it to be identified with a specific person.
Information system of personal information - a set of personal data contained in databases, together with the information technologies and technical means that ensure its processing.
2. The concept and content of personal data
2.1. For the purposes of this Policy, personal data means any information relating directly or indirectly to a specific individual (personal data subject).
2.2. Depending on the personal data subject, the Company, in order to carry out its activities and to fulfill its obligations, may process personal data of the following categories of subjects:
Personal data of the Company employee, a candidate for a job is information required by the Company in connection with labor relations and concerning a specific employee;
Client data - information that the Company needs to fulfill its obligations under the contractual relationship with the Client and to comply with the requirements of the legislation of the Kyrgyz Republic. This also includes data provided by potential clients, client representatives authorized to represent clients; heads and chief accountants of legal entities that are Company clients, persons who have concluded civil law contracts with the Company for the provision of services to the Company; employees of Company partners and other legal entities that have contractual relations with the Company, with which Company employees interact in the framework of their activities;
personal data of the Client provided during registration on the website www.cctld.kg and domain.kg, including when the Client makes Orders, as well as when using services, communication forms posted on the website at www.cctld.kg and domain.kg;
personal data of other individuals who have consented to the processing of their personal information by the Company or individuals whose personal information processing is necessary for the Company to achieve the goals provided for by an international treaty of the Kyrgyz Republic or by law, for the implementation and fulfillment of the functions and obligations assigned on the hosting provider and the domain name registrar by the legislation of the Kyrgyz Republic;
personal data of individuals that are made publicly available by them, and their processing does not violate their rights and complies with the requirements established by the Legislation on personal information.
2.3. The personal data subject included in the list of persons specified in clause 2.2, the client of the Company agrees to the processing of the following personal data: surname, name, patronymic; date of birth; mailing addresses (at the place of registration and for contacts); number of the main identity document of the Client, information about the date of issue of the specified document and the issuing authority; phone numbers; fax numbers; e-mail addresses.
3. Grounds and purposes of personal data processing
3.1. The Company processes personal data to carry out its activities, including for the provision of services to Clients. The Company has the right to:
carry out the functions assigned to the Company by the legislation of the Kyrgyz Republic in accordance with the Law No. 58 On Personal Data and other laws and regulatory legal acts of the Kyrgyz Republic, as well as the Company Articles of Association and regulatory acts;
collect and store the Client's personal data necessary for the provision of services, the execution of agreements and contracts, the fulfillment of obligations to the Client.
3.2. The Company processes personal data only if at least one of the following conditions is met:
personal data processing is carried out with the consent of the personal data subject to the processing of their personal data;
personal data processing is necessary to achieve the goals stipulated by the law, for the implementation and fulfillment of the functions, powers and duties imposed by the legislation of the Kyrgyz Republic on the operator;
personal data processing is necessary for the performance of an agreement to which the personal data subject is a party or beneficiary or guarantor, as well as for concluding an agreement initiated by the personal data subject or an agreement under which the personal data subject will be the beneficiary or guarantor;
personal data processing is necessary to exercise the rights and legitimate interests of the Company or third parties or to achieve socially significant goals, provided that this does not violate the rights and freedoms of the personal data subject;
processing is carried out on personal data to which access of an unlimited number of persons is provided by the personal data subject or at his request;
personal data processing that is subject to publication or mandatory disclosure in accordance with the law.
3.3. The Company and other persons who have gained access to personal information are obliged not to disclose to third parties and not to distribute personal information without the consent of the personal data subject, unless otherwise provided by law.
3.4. The Company can process personal information of subjects of personal information for the following purposes:
to identify the personal data subject;
to implement the possibility of registration and maintenance of a domain name;
to communicate with the personal data subject, if necessary, including sending offers, notifications, information and inquiries, both related and not related to the provision of services, as well as processing applications, requests and applications of the Client;
improving the quality of services provided by the Company.
3.5. The Company does not process special categories of Personal Data related to race, nationality, political views, religious or philosophical beliefs, intimate life.
3.6. The legal grounds for processing personal information are the following legal acts:
Law of the Kyrgyz Republic dd. 2 April 1998 No. 31 On electric and postal communications;
Law dd. 19 July 2017 No. 127 On Electronic Government;
Statutory documents of the Company;
Agreements concluded between the Company and the Clients in accordance with the existing licenses of the Company;
other acts adopted by authorized state bodies and organizations regulating the activities of providers, as well as the domain name registrar in the Kyrgyz Republic.
4. Principles of personal data processing
4.1. The processing of personal information by the Company is carried out based on the following principles:
the legality of the purposes and methods of Processing personal information;
the fair practice of the Company, as an operator of personal information, which is achieved by fulfilling the requirements of the legislation of the Kyrgyz Republic in relation to the Processing of personal information;
compliance of the content and volume of processed personal information, as well as methods of processing personal information to the stated purposes of Processing;
the accuracy and sufficiency, and, if necessary, the relevance of personal data in relation to the stated purposes of their Processing;
destruction of Personal Information upon reaching the goals of Processing in a manner that excludes the possibility of their recovery;
inadmissibility of combining databases containing personal information, the processing of which is carried out for purposes incompatible with each other.
4.2. Employees of the Company admitted to the Processing of personal information must:
Know and strictly follow the provisions of:
legislation of the Kyrgyz Republic in the field of personal information, this Policy;
local acts of the Company on the processing and security of personal information;
Process personal information only as part of the performance of their official duties;
Not disclose personal information processed in the Company;
Report the actions of other parties that may lead to a violation of the provisions of this Policy;
Report known facts of violation of the requirements of this Policy to the Person Responsible for organizing the Processing of personal information in the Company.
4.3. The security of personal information in the Company is ensured by the implementation of coordinated measures aimed at preventing (neutralizing) and eliminating threats to the security of personal information and minimizing possible damage.
5. Timeframe of personal data processing
5.1. The timeframe for processing personal data is determined based on the purposes of processing in the information systems of the Company, in accordance with the term of the contract, agreement with the personal data subject.
5.2. A condition for stopping the processing of personal information may be the achievement of the goals of processing personal information in accordance with the terms of the contract concluded between the Company and the personal data subject, expiration of the consent or withdrawal of the consent of the personal data subject to the processing of their personal data, as well as identification of illegal processing of personal data.
6. The persons authorized to process personal data
6.1. To achieve the goals of Article 3 of this Policy, only those employees of the Company who are entrusted with such a duty in accordance with their official (labor) duties are authorized to process personal information. Access of other employees may be granted only in cases provided by law. The Company requires its employees to maintain confidentiality and ensure the security of personal data during their processing.
6.2. The Company has the right to transfer personal data to third parties in the following cases:
The personal data subject has clearly expressed his consent to such actions;
The transfer is provided for by national or other applicable law in the framework of the procedure established by law.
In this case, all obligations to comply with the terms of this Policy in relation to the data received by him are transferred to the acquirer.
6.3. At the reasoned request of the authorized body and in accordance with the current legislation, personal data of the subject without his consent can be transferred:
in connection with the administration of justice to the judicial authorities;
to the internal affairs bodies, the State Committee for National Security, the prosecutor's office;
to other bodies and organizations authorized by the current legislation and applicable legal norms in the cases established in regulatory legal acts that are binding on the operator.
7. The procedure and methods for personal data processing
7.1. In the process of providing services, in the implementation of internal economic activities, the Company uses automated and non-automated processing of personal information.
7.2. The Company has the right to entrust the personal information processing to another person with the consent of the Personal Data Subject, unless otherwise provided by the legislation of the Kyrgyz Republic, on the basis of an agreement concluded with this person, a prerequisite for which is compliance by this person with the principles and rules for Processing Personal Data provided for by the Law on Personal Data.
7.3. Personal data is not disclosed to third parties and is not distributed in any other way without the consent of the Personal Data Subject, unless otherwise provided by the legislation of the Kyrgyz Republic.
7.4. Representatives of public authorities (including those of controlling, supervisory, law enforcement and other bodies) get access to personal information processed in the Company, in the amount and manner established by the legislation of the Kyrgyz Republic.
7.5. As part of the personal data processing for the Personal Data Subject and the Company, the following rights are defined.
7.5.1. The personal data subject has the right to:
receive information related to the processing of their personal data, in the manner, form and terms established by the legislation on personal information;
demand clarification of their personal data, its Blocking or Destruction if the personal information is incomplete, outdated, inaccurate, illegally obtained, is not necessary for the stated purpose of processing or is used for purposes not previously stated when the Subject provided consent to the processing of personal data;
conclude with the Company an Agreement on the private mode of access to personal information of the client;
take measures provided by law to protect their rights;
withdraw their consent to the personal data processing.
7.5.2. The Company has the right to:
process the personal data of the personal data subject in accordance with the stated purpose;
require the personal data subject to provide reliable personal information necessary for the execution of the contract, the provision of services, identification of the personal data subject, as well as in other cases provided for by the Legislation on personal data;
restrict the access of the personal data subjects to their personal data if the Processing of personal information is carried out in accordance with the legislation on combating the legalization (laundering) of proceeds from crime and the financing of terrorism, if the access of personal data subjects to their personal data violates the rights and legitimate interests of third parties, as well as in other cases provided for by the legislation of the Kyrgyz Republic;
process publicly available personal data of individuals;
carry out the processing of personal data subject to publication or mandatory disclosure in accordance with the legislation of the Kyrgyz Republic;
entrust the processing of personal data to another person with the consent of the Personal Data Subject.
7.6. In case of confirmation of the fact of inaccuracy of personal information or the illegality of its processing, personal information must be updated by the operator, and the processing must be stopped.
7.7. Upon achievement of the goals of processing personal information, as well as if the personal data subject withdraws consent to its processing, personal information is subject to destruction if:
it is not otherwise provided for by the contract to which the personal data subject is a party, beneficiary or guarantor;
the Company is not entitled to carry out processing without the consent of the personal data subject on the grounds provided for by the legislation of the Kyrgyz Republic;
it is not otherwise provided for by another agreement between the Company and the personal data subject.
7.8. The Company is obliged to inform the personal data subject or his representative about the processing of personal information of such a subject at the request of the latter.
7.9. The Company also has other rights and bears other obligations established by the law On Personal Data.
8. Implementation of personal data protection
8.1. The Company's activity in processing personal data in information systems is inextricably linked with the protection of the confidentiality of the information received by the Company. All employees of the Company are obliged to ensure the confidentiality of personal data, as well as other information established by the Company, if this does not contradict the current legislation of the Kyrgyz Republic.
8.2. The security of personal information during its processing in the information systems of the Company is ensured by the information security system.
Ensuring the security of processed personal information is carried out by the Company within the framework of a unified integrated system of organizational, technical and legal measures for the protection of information constituting a commercial secret, taking into account the requirements of the legislation on personal information, adopted in accordance with the regulatory legal acts.
8.3. The exchange of personal information during its processing in information systems is carried out through communication channels protected by technical information protection means.
8.4. When processing personal data in the information systems of the Company the following is provided:
carrying out measures aimed at preventing unauthorized access to personal information and (or) transferring it to persons who do not have the right to access such information;
timely detection of facts of unauthorized access to personal information;
prevention of impact on technical means of automated personal data processing, as a result of which their functioning may be damaged;
the possibility of immediate recovery of personal data, modified and destroyed due to unauthorized access to it;
constant monitoring of the level of personal data protection;
appointment of officials responsible for organizing the processing and protection of personal information;
limitation of the number of persons who have access to personal data;
familiarization of subjects with the requirements of legislation and regulations of the Company for the processing and protection of personal data;
the employees of the Company who process personal data are familiarized with the requirements of the legislation of the Kyrgyz Republic on personal data, local acts on the personal data processing.