UNIDO Payments Personally Identifiable Information Processing and Security Policy

1. General provisions
UNIDO Payments LLP (Business Identification Number 181240014292) (the “Operator”) shall, as part of its core business, process personally identifiable information of various categories of personally identifiable information subjects using personally identifiable information systems, including the following websites of the Operator UNIDO Payments LLP, as well as other websites of the Operator that refer to this Policy.

In accordance with the statutory provisions of the Republic of Kazakhstan, UNIDO Payments LLP is a personally identifiable information operator.

  • When organizing and carrying out the personally identifiable information processing, the Operator shall be governed by the Law of the Republic of Kazakhstan No. 94-V of May 21, 2013 “On Personally Identifiable Information and its Protection” and other laws and regulations adopted in accordance therewith. For the purposes of this Policy, personally identifiable information means any information provided through websites to the Operator and/or collected using such websites, relating to a directly or indirectly identified or identifiable individual (subject of personally identifiable information).
2. Collection of personally identifiable information
The Operator collects information via websites in the following ways:
1. Personally identifiable information provided by users:
a. The Operator collects personally identifiable information which is entered into the data fields on the websites of the Operator by users themselves or other persons on their behalf.
2. Collecting user IP addresses and cookies.
3. Passive collection of personally identifiable information about the current connection in terms of statistical information (at the Operator’s discretion):
  • website-assigned user ID;
  • visited pages;
  • number of page views;
  • information about navigating through the website pages;
  • user session duration;
  • entry points (third-party sites from which the user follows a link to the Website);
  • exit points (links on the Website that take the user to third-party sites);
  • user’s country;
  • user’s region;
  • the time zone set on the user’s device;
  • user’s provider;
  • user’s browser;
  • canvas fingerprint;
  • browser fonts available;
  • installed browser plug-ins;
  • browser’s WebGL options;
  • type of media devices available in the browser;
  • ActiveX presence;
  • list of supported languages on the user’s device;
  • user device processor architecture;
  • user’s OS;
  • screen parameters (resolution, color depth, page positioning parameters on the screen);
  • information about the use of automation when accessing the Website.
With respect to registered users of the Website, the Operator may collect information about the use of ports on users’ devices in order to detect suspicious activity and protect users’ personal accounts. The data can be obtained using various methods, such as cookies and web file beacons, etc.

The Operator may use third-party Internet services (third-party technologies) to organize the collection of statistical personally identifiable information, third-party Internet services provide storage of the received data on their own servers.

The Operator is not responsible for localization of servers of third-party Internet services. However, such third-party Internet services (third-party technologies) installed on the Website and used by the Operator can install and read cookies from browsers of end users of the Website to collect information in the process of advertising activities on the Website. The procedure for the collection and use of data collected by such third-party Internet services (third-party technologies) shall be determined independently by these third-party Internet services, and they are directly responsible for compliance with this procedure and the use of the data they collect, including that these third-party Internet services shall be responsible for and shall ensure compliance with the applicable laws, including the personally identifiable information laws of the Republic of Kazakhstan.

The Operator shall not compare any information that is provided by the user independently and that allows to identify the subject of personally identifiable information with statistical personally identifiable information obtained through the use of similar passive methods of information collection.
3. Principles and conditions of personally identifiable information processing
Personally identifiable information shall be processed by the Operator in strict compliance with the statutory requirements of the Republic of Kazakhstan and shall be limited to achieving specific, predetermined and statutory goals, including, in accordance with the Joinder Agreement, the Payment Institution Rules.

Only personally identifiable information may be processed that meets the purposes for which it is being processed. The content and scope of personally identifiable information processed by the Operator shall comply with the stated processing purposes, and no excessive processing of personally identifiable information shall be permitted.

When processing personally identifiable information, the Operator shall ensure the accuracy of such personally identifiable information, its sufficiency and, where necessary, relevance in relation to the purpose of personally identifiable information processing. The Operator shall take necessary measures (ensure that they are taken) to remove or clarify incomplete or inaccurate personally identifiable information.

During the course of its activities, the Operator may provide and/or assign the processing of personally identifiable information to another person with the consent of the subject of such personally identifiable information, unless otherwise required by the personally identifiable information laws of the Republic of Kazakhstan. To this end, a prerequisite for providing and/or assigning the processing of personally identifiable information to another person is the obligation of the parties to ensure the confidentiality and security of personally identifiable information during the processing of such information.

The time frame for the processing of personally identifiable information shall be determined in accordance with the purposes for which the personally identifiable information was collected.
4. Rights of the subject of personally identifiable information
The subject of personally identifiable information has the right to:

  • request clarification of his/her personally identifiable information, blocking or destruction thereof if the personally identifiable information is incomplete, outdated, unreliable, illegally obtained or not required for the stated purpose of processing, as well as to take statutory measures to protect his/her rights;
  • request the list of his/her personally identifiable information processed by the Operator and the source from which it was obtained;
  • receive information about the timing of processing of his/her personally identifiable information, including the period of its storage;
  • demand notification of all persons who have been previously informed of incorrect or incomplete personally identifiable information about all exceptions, corrections or additions made thereto;
  • appeal to the authorized body in charge of protecting the rights of personally identifiable information or in court against unlawful acts or omissions in the processing of his/her personally identifiable information;
  • the protection of his/her rights and legitimate interests, including compensation for losses and/or compensation for moral damage in a court of law.

If you have any questions about the nature of the application, use, modification or deletion of your personally identifiable information that you have provided, or if you wish to opt out of any further processing thereof by the Operator, please contact us by mail, the Operator’s address or by email: info@unido.kz

Please note that the Operator of personally identifiable information is not responsible for inaccurate information provided by the subject of personally identifiable information.
5. Implementation of personally identifiable information protection requirements
In order to maintain business reputation and ensure compliance with the statutory requirements of the Republic of Kazakhstan, the Operator regards ensuring legitimacy of personally identifiable information processing in the Operator’s business processes and maintaining an appropriate security level of personally identifiable information processed by the Operator to be its most important objectives.

The Operator shall require that other persons who have obtained access to personally identifiable information refrain from disclosing and disseminating personally identifiable information to third parties without the consent of the subject of personally identifiable information, unless otherwise permitted by the laws of the Republic of Kazakhstan.

To ensure the security of personally identifiable information during its processing, the Operator shall take necessary and sufficient legal, organizational and technical measures to protect personally identifiable information from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of personally identifiable information, as well as from other unlawful actions in relation thereto.

The Operator shall ensure that all its activities towards the organizational and technical protection of personally identifiable information are carried out lawfully, including in accordance with the statutory requirements of the Republic of Kazakhstan with respect to the processing of personally identifiable information.

In order to ensure that personally identifiable information is adequately protected, the Operator shall assess any harm that may be caused to the subjects of personally identifiable information in case of a security breach of their personally identifiable information, and identify relevant threats to the security of personally identifiable information during its processing in personally identifiable information systems.

In accordance with the relevant threats identified, the Operator shall apply necessary and adequate legal, organizational and technical measures to ensure the security of personally identifiable information, including the use of information security measures, detection of unauthorized access to personally identifiable information and adoption of measures, recovery of personally identifiable information, restriction of access to personally identifiable information, registration and accounting of manipulations with personally identifiable information, and monitoring and evaluation of the effectiveness of security measures applied to personally identifiable information.

The Operator’s management understands the importance and necessity of personally identifiable information security and encourages continuous improvement of the protection system of personally identifiable information processed as part of the core business of the Operator.

The Operator has appointed persons responsible for organizing the processing and security of personally identifiable information.

Each new employee of the Operator directly engaged in processing of personally identifiable information shall be made familiar with the statutory requirements of the Republic of Kazakhstan regarding processing and security of personally identifiable information, this Policy and other local acts of the Operator dealing with processing and security of personally identifiable information, and shall be obliged to comply with the same.
info@unido.kz
In case of questions, drop us a line - we are one email away
Contact
© UNIDO 2022 — All Rights Reserved
Almaty city, Auezovsky district, Aksai-3A microdistrict, 88, 9, 050031