Personal Data Protection Policy
This personal data protection policy (hereinafter referred to as the Policy) sets forth the basic principles for the processing of the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and determines the main activities for processing of personal data and data protection measures for undertakings operating under the direction and supervision of the IBA Group a.s., the list of which is given in Annex 1 (hereinafter referred to as the IBA or the organisation).
The purposes of this Policy are to ensure the protection of human rights and freedoms when processing the personal data, including privacy rights, personal and family secrecy, and to unify the organization’s rules for personal data processing with the requirements of the international law and the laws of the countries where the organization operates.
In its everyday business operations, IBA makes use of a variety of data about identifiable individuals, including data about:
- Current, past and prospective employees,
- Users of its websites,
- Other stakeholders.
While collecting and using this data, the organisation is subject to a variety of legislative acts controlling how such activities should be carried out and the safeguards that must be put in place to protect it.
IBA is committed to complying with the applicable laws and regulations related to Personal Data protection in the countries where the organisation operates.
The Policy is reviewed annually and whenever significant changes take place within the organisation or in the relevant legislation.
The Policy is mandatory for all IBA’s employees, both staff and contractors, and all organisational units, including separate subdivisions. The Policy also applies to other persons if they are to participate in the personal data processing in the organisation, as well as in cases of the transfer of personal data to them in the established order under agreements and contracts.
The Policy applies to any personal data, regardless of the type of media on which they are recorded.
The Policy is a public document of the IBA and any persons can get acquainted with it.
The Policy is developed on the basis of and in accordance with the requirements of:
- The Law of the Republic of Belarus “On Information, Informatization and Information Protection” of November 10, 2008, No. 455-3 (with amendments: Law of the Republic of Belarus of 04.01.2014 No.102-3 “On Amendments and Additions to the Law of the Republic of Belarus “On information, informatization and Information Protection””);
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- Federal Law of the Russian Federation No. 152-FZ of July 27, 2006 “On Personal Data”;
- The Law of the Republic of Kazakhstan No. 94-V of May 21, 2013 “On Personal Data and their Protection”;
- STB ISO/IEC 27001 (Annex A, sections: A.8.2, A.15.1.1, A.18.1.1, A.18.1.4).
If, as a result of changes in the legislation of the countries in which the IBA’s undertakings are registered, any requirements of this Policy conflict with the legislation of these countries, such requirements will become invalid and the laws of the countries in which the IBA’s undertakings are registered will be applied until changes and additions are introduced to the Policy.
Terms and Definitions
The following terms are used in this document with the corresponding definitions:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the personal data processing; where the purposes and means of such processing are determined by the law of the data subject location country, the controller or the specific criteria for its nomination may be provided for by the law of the data subject location country;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or data concerning a natural person’s sex life or sexual orientation, genetic data, biometric data for the purpose of uniquely identifying a natural person;
IBA’s undertakings means undertakings operating under the direction and supervision of the IBA Group a.s. – their head office, the list of which is given in Annex 1
Principles Relating to Personal Data Processing
The organisation is committed to observing the following principles with regard to personal data processing:
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘the lawfulness, fairness and transparency principle’);
(b) collected for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘the purpose limitation principle’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘the data minimisation principle’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, depending on the purposes for which they are processed, are erased or corrected without delay (‘the accuracy principle’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject (‘the storage limitation principle’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘the integrity and confidentiality principle’).
IBA is committed to complying with all of these principles, not only in the current processing of personal data, but also when introducing new methods and systems of processing.
In respect of its activities as a controller, the organisation is ready to confirm compliance with the above principles to the supervisory authority upon request (‘the accountability principle’).
Lawfulness of Processing
IBA determines the legal basis before the start of personal data processing as a controller.
If the organisation as a controller processes special categories of personal data, or data related to criminal convictions and offenses, the organisation identifies both a legal basis for general processing and separate conditions for processing these types of data.
IBA keeps reasonable, documented evidence of the legitimacy of the personal data processing, with respect to its activities as a controller, and makes the evidence available when necessary.
The organisation processes the personal data as a processor only on the basis of documented instructions from the controller governed by a contract or other legal act that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. In this case, the controller determines the lawfulness of the processing.
There are six available legal bases for general processing of personal data. There are ten separate conditions for special category data processing. The options are described in the following sections.
The organisation will always obtain explicit consent from a data subject in order to collect and process their data, unless consent is not required in accordance with the law.
In the case of children under the age of 16 (a lower age may be allowed in specific countries), the consent of a parent or a legal guardian must be obtained.
When requesting consent, IBA informs the data subjects about the organisation’s identity, the nature and purpose of the processing, the list of personal data categories for processing, and explains the rights of individuals with regard to their personal data, including the right to withdraw consent. This information is provided in an intelligible and easily accessible form, using clear and plain language.
IBA requests separate consent for different purposes and types of processing, and does not use pre-ticked boxes or any other type of default consent in the consent requests.
6.2 Performance of a Contract
When the collected and processed personal data are required to fulfil a contract with the data subject, explicit consent is not required. This will often be the case when the contract cannot be completed without the personal data in question, e.g. a delivery cannot be made without an address to deliver to.
6.3 Legal Obligation
If the personal data is required to be collected and processed in order to comply with the law, then explicit consent is not required. This may be the case for some data related to employment and taxation for example, and for many areas addressed by the public sector.
6.4 Vital Interests of the Data Subject
When the personal data are required to protect the vital interests of the data subject or another individual, this necessity may be used as the legal basis of the processing. As an example, this case may be applied to aspects of social care, particularly in the public sector.
6.5 Task Carried Out in the Public Interest
When the organisation needs to perform a task that is believed to be in the public interest or that forms part of the organisation’s official duty, the data subject’s consent will not be requested.
6.6 Legitimate Interests
If the result of data processing or specific personal data are a part of the legitimate interests of the organisation and are judged not to affect the rights and freedoms of the data subject in a significant way, then this may be defined as the legal reason for the processing.
IBA performs a legitimate interest assessment (LIA) to ensure compliance with the principle of proportionality.
6.7 Conditions for Special Category Data Processing
In its role as a controller, the organisation processes special categories of personal data only if it has identified one of the following conditions for processing:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the law of the data subject location country does not provide the right of the data subject to cancel the prohibition on processing;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, provided that appropriate safeguards are ensured for the fundamental rights and interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another individual if the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are explicitly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(i) processing is necessary for the reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, provided that suitable and specific safeguards are ensured for the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes of the public interest, scientific or historical research purposes or statistical purposes, provided that suitable and specific safeguards are ensured for the fundamental rights and the interests of the data subject.
IBA processes personal data related to criminal convictions and offenses only under the control of an official authority, or when the law of the data subject location country permits processing, and only if appropriate safeguards are provided for the rights and freedoms of data subjects.
Rights of the Data Subject
The data subject has the following rights:
1. The right to be informed.
Individuals have the right to be informed about the collection and use of their personal data.
2. The right of access.
Individuals have the right to access their personal data.
3. The right of correction.
Individuals have the right to have inaccurate personal data corrected, or completed if they are incomplete.
4. The right of erasure (‘right to be forgotten’).
Individuals have the right to have their personal data erased.
5. The right to restrict processing.
Individuals have the right to request the restriction or suppression of their personal data processing.
6. The right of data portability.
Individuals have the right to obtain and reuse their personal data for their own purposes across different services.
7. The right to object.
Individuals have the right to object to the processing of their personal data.
8. Rights in relation to automated decision making and profiling.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them.
The organisation supports each of these rights with appropriate procedures that allow the necessary steps to be taken within the timeframes specified in table 1.
Table 1 – Timescales for data subject requests.
|Data Subject Request|Timescale|
|---|---|
|The right to be informed|When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)|
|The right of access|One month|
|The right of correction|One month|
|The right of erasure|Without undue delay|
|The right to restrict processing|Without undue delay|
|The right of data portability|One month|
|The right to object|On receipt of objection|
|Rights in relation to automated decision making and profiling|Not specified|
Personal Data Protection in Business Activities of the Organisation
IBA takes, or in some cases may take if necessary, a number of organisational and technical measures in its business activities to protect personal data from unauthorised or unlawful processing, as well as from accidental loss, destruction, damage or other illegal actions in respect of personal data. These measures include:
- adopting and implementing regulatory documents for the processing and protection of personal data;
- taking a ‘data protection by design and default’ approach – putting appropriate data protection measures in place throughout the entire lifecycle of the processing operations;
- putting in place written contracts with processors which process personal data on behalf of the organisation;
- providing appropriate safeguards during the transfer of personal data to third countries;
- documenting its processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in a high risk to individuals’ interests;
- appointing a data protection officer (where necessary);
- adhering to relevant codes of conduct and compliance with certification schemes (where possible).
8.1 Data Protection by Design and Default
The organisation adopts the principle of “data protection by design and default” and carries out appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights.
In essence, “data protection by design” means that IBA has integrated data protection into systems, services, products and business practices, from the design stage right through the lifecycle. The organisation only uses data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design. The organisation takes into account the data protection by design when it purchases products for use in its processing activities.
In fact, “data protection by default” means that IBA, in respect of its activities as a controller:
- specifies the minimum set of personal data required to achieve specific processing purposes before the processing starts;
- appropriately informs the data subjects;
- only processes the data necessary for processing purposes;
- does not process additional personal data until the data subject authorises it to do so;
- ensures that personal data is not automatically available to others until the data subject allows it;
- ensures that personal data is automatically protected in any IT system, service, product and/or business practice, so that individuals do not have to take any specific actions to protect their privacy;
- offers strong privacy defaults, user-friendly options and controls, and respects user preferences.
The organisation takes into account the use of techniques such as pseudonymisation where applicable and appropriate.
8.2 Contracts Involving the Personal Data Processing
IBA ensures that all relationships it enters into that involve the personal data processing are regulated by documented contracts that include the specific information and conditions required by the law.
Contracts of the organisation include the following compulsory information:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the types of personal data and categories of data subjects;
- the obligations and rights of the controller.
Contracts of the organisation include the following compulsory terms:
- the processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- the processor must take appropriate measures to ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor must assist the data controller to ensure that data subjects exercise their rights in accordance with the law of the data subject location country;
- the processor must assist the data controller in meeting its obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller as requested at the end of the contract;
- the processor should contribute to audits and inspections, provide the controller with whatever information is necessary to confirm the processor’s compliance with its obligations, and notify the controller immediately if it is asked to do something infringing data protection legislation.
IBA as a controller only appoints processors who can provide “sufficient guarantees” that the requirements of the law of the data subjects’ location countries will be observed, and the rights of data subjects will be protected.
8.3 International Transfers of Personal Data
IBA transfers personal data to the third country or the international organisation only if the requirements of the law of the data subjects’ location countries are fully observed, for example, if the transfer of personal data to that third country or international organisation is authorised by the regulatory body without additional authorisation by the supervisory authority, since there is an adequate level of protection that meets the requirements of the law, or if the organisation receiving the personal data has provided appropriate safeguards that comply with the requirements of the law.
Before such a transfer, IBA makes sure that, as a result, the level of protection of data subjects ensured by law will not be undermined, including in cases of onward transfers of personal data from the third country or an international organisation to controllers or processors in the same or another third country or international organisation.
Following such transfer, individuals’ rights must be enforceable and effective legal remedies for individuals must be available.
8.4 Documenting Processing Activities
As a controller, IBA maintains records of the following categories to document its processing activities:
- records of processing activities;
- the legal basis for the processing;
- records of consent;
- Legitimate Interests Assessment reports;
- information provided to data subjects;
- controller-processor contracts;
- the location of personal data;
- Data Protection Impact Assessment reports;
- records of personal data breaches.
As a processor, IBA maintains records of the following categories to document its processing activities:
- records of processing activities;
- controller-processor contracts;
- the location of personal data;
- records of personal data breaches.
IBA’s undertakings employing fewer than 250 persons do not keep records of processing activities unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data or personal data relating to criminal convictions and offences.
The records are kept in writing. The records are kept up to date and reflect current processing activities.
The organisation makes the records available to the supervisory authority upon request.
8.5 Implementing Appropriate Security Measures
IBA has identified and regularly updates the security threats to personal data, performs risk analysis related to the personal data processing, documents findings and uses them to assess the appropriate level of security that needs to be put in place.
The security threat to personal data means a factor that creates the danger of unauthorised, including accidental, processing of personal data, as well as the accidental or intentional loss, destruction or damage of personal data.
IBA has allocated responsibility for information security to certain employees and teams and provided them with the appropriate resources and authority. Employees who are authorised by the organisation to process personal data undertake, before starting to work with personal data, to comply with the confidentiality and other requirements of the Policy.
IBA’s undertakings have information security rules and take the necessary steps to implement them. Where required, IBA’s undertakings adopt additional regulatory documents and ensure that controls are in place to enforce them.
IBA regularly reviews its information security regulatory documents and, if necessary, improves them. IBA conducts regular testing and reviews of its information security measures to ensure they remain effective, and acts on the results of those tests where they highlight areas for improvement.
IBA’s undertakings keep records of assets involved in the personal data processing (applications, systems, personnel, and media).
IBA uses encryption and/or pseudonymisation, where it is appropriate to do so.
IBA’s undertakings must use cryptographic security means if personal data is transmitted through open communication channels.
IBA’s undertakings have proper backup processes so that they can restore integrity and access to personal data in the event of any incidents, as soon as reasonably possible.
IBA’s undertakings make sure that any data processor they are using also implements appropriate technical and organizational measures.
IBA’s undertakings provide the necessary physical security measures to protect premises, equipment and information from unauthorized access.
IBA has defined business continuity arrangements that protect and recover any personal data the organization holds.
IBA conducts appropriate initial and refresher training on data protection issues for personnel involved in data processing, covering, inter alia, personal data processing duties, employees’ responsibility for personal data protection, and rules and restrictions for employees’ use of the systems and services (for example, to avoid virus infection or spam).
8.6 Personal Data Breaches
The organisation has prepared a response plan for addressing any personal data breaches that may occur. IBA has allocated responsibility for managing breaches to certain employees and teams. The organisation’s employees know how to escalate a security incident to the proper responsible person or team in IBA to determine whether a breach has occurred.
IBA adopted a process to notify the supervisory authority of a breach within 72 hours after becoming aware of it, even if there are still no details. The organisation adopted a process to inform without undue delay the affected individuals about a breach, when it is likely to result in a high risk to their rights and freedoms. The organisation’s Data Protection Officers supervise the process of notifying the data subjects and supervisory authorities of the personal data breaches.
IBA documents all breaches, even if not all of them need to be reported.
8.7 Data Protection Impact Assessment (DPIA)
As a controller, IBA carries out a DPIA when personal data processing is likely to result in a high risk to individuals.
The organisation considers whether it is expedient to carry out a DPIA in any major project involving personal data processing that it carries out as the controller. If IBA decides not to carry out a DPIA, it will document the reasons.
- describe the nature, scope, context and purposes of the processing;
- assess the need for processing and proportionality to the purposes;
- identify and assess risks to individuals;
- identify any measures to mitigate those risks and to confirm compliance with legislation.
If the organisation identifies a high risk that it cannot mitigate, it should consult the supervisory authority before starting the processing.
8.8 Data Protection Officer (DPO)
IBA is not required to appoint a DPO, since it is not a public authority or body, does not perform large-scale monitoring, and does not process special categories of personal data on a large scale, but it has decided to do so voluntarily. The organisation understands that the same duties and responsibilities apply as with the mandatory appointment of DPO. IBA appoints the DPO at the head office and, if necessary, at some undertakings of the organisation.
IBA has tasked its DPOs with monitoring compliance with data protection laws and the organisation’s data protection regulatory documents, awareness raising, employee training and the related audits. IBA involves its DPOs in a timely manner in all issues relating to personal data protection.
The organisation’s DPOs inform and advise the employees of the organisation who carry out the personal data processing on their obligations under the data protection legislation.
The DPO of the head office reports directly to the top management of the organisation. The DPOs of other IBA’s undertakings cooperate with the DPO of the head office and report to the management of their enterprises and the top management of the organisation. All organisation’s DPOs are given the required independence to perform their tasks.
The organisation’s DPOs are easily accessible as the contact points for our employees, individuals and supervisory authorities. IBA published the contact details of its DPOs and communicated them to the supervisory authority.
8.9 Compliance with codes of conduct and certification systems
Professional associations and representative bodies may prepare codes of conduct covering topics such as fair and transparent processing, the legitimate interests pursued by controllers, pseudonymisation and the exercise of human rights, etc.
In addition, supervisory authorities or accredited certification bodies may issue certificates of compliance with the legislative requirements of data processing activities.
Compliance with the code of conduct and obtaining a certificate are voluntary, but the organisation sees them as an excellent way to monitor and demonstrate compliance with the requirements for the personal data protection.