Privacy policy for working with personal data of users
Bishkek c. as amended on the 12th of September 2022
1. Terms and definitions.
Personal data – any information relating to a certain or determined on the basis of such information to an individual (subject of personal data). Those. such information, in particular, may include any information provided by the user: last name, first name, patronymic, phone number, e-mail, and other information.
Processing of personal data – any action (operation) or a set of actions (operations) performed with or without the use of automation tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data. In this case, the transfer is carried out in accordance with the legal instructions of the authorized bodies or in accordance with the terms of the contract, upon signing of which the User consents to such processing.
Confidentiality of personal data – a mandatory requirement for those admitted to the processing of personal data of users of employees of the Company to properly comply with the rules for their processing, storage, to prevent their distribution without the consent of the subject or other legal grounds, as well as ensuring by the Company the necessary regime for the safety of the user’s personal data.
Use of personal data – actions (operations) with personal data aimed at identifying the User in order to provide access to the Site and obtain confirmation of the accuracy of the information specified by the User.
Destruction of personal data – actions as a result of which it is impossible to restore the content of personal data in the automated registration and accounting system of the Company’s Customers or the destruction of material carriers of personal data. The destruction of data is carried out in relation to Customers with whom there are no valid contracts and the storage period for their data has expired, or at the request of the Customer who withdraws his consent to the processing of personal data.
Information – information (messages, data) regardless of the form of their presentation.
Company – a legal entity that is the owner of the Site – “SnowLeopard” LLC, TIN: 00309200810191, ACEO: 25921333.
Publicly available personal data – personal data, access to which is granted to an unlimited number of persons with the consent of the subject or which, in accordance with laws, is not subject to the requirement of confidentiality.
Operator – a Company that processes personal data of users of the Site in order to provide the latter with authorized access to all services of the Site, as well as determines the purposes of processing personal data, the composition of personal data, actions (operations) performed with personal data, the procedure for storing and destroying personal data of Users.
Consent to the processing of personal data – voluntary performance of conclusive actions by the User when registering on the Company’s website https://snowleo.net/, namely putting a mark in the appropriate box, which is provided for the expression the User consents to the processing of personal data provided by him (hereinafter referred to as PD) and unconditional adoption (acceptance) of the procedure and conditions of the User Agreement and this Privacy Policy for working with User PD.
User – a visitor to the Site. The user is the subject of personal data upon completion of the registration procedure on the Site in the prescribed manner.
2. General regulations.
2.1 This Privacy Policy for working with personal data of users of “SnowLeopard” LLC (hereinafter referred to as the Security Policy) has been developed in accordance with the provisions of the Constitution of the Kyrgyz Republic, the Civil Code of the Kyrgyz Republic, the Law “On Personal Information” and other regulatory legal acts of the Kyrgyz Republic (hereinafter – KR) in the field of information security.
2.2 The purpose of developing the Privacy Policy is to determine the procedure for processing and protecting the personal data of all Users of the Company’s Website, whose data are subject to processing solely for the purpose of providing access to the features and services of the Website and complying with the legislation of the KR in the field of communications, ensuring the protection of the rights and freedoms of a person and a citizen of that country which the User is, when processing his personal data, including protecting the rights to privacy, personal and family secrets, as well as establishing the responsibility of officials who have access to personal data for failure to comply with the requirements of the rules governing the processing and protection of personal data.
2.3 This Privacy Policy comes into force from the moment of its approval by the General Director of the Company, is valid indefinitely, until the new edition of the Privacy Policy comes into force.
2.4 The Company has the right to make changes to the Privacy Policy at any time. When changing the Privacy Policy, the Company notifies the Users of this in the order of posting a new version on the Site at a permanent address. Previous versions of the Privacy Policy are stored in the archive of the Company’s documentation.
2.5 The continued use of the Site by the User after the posting of the Privacy Policy in the new edition is recognized by the Parties as the unconditional acceptance by the User of the terms of the Privacy Policy in full.
3. Composition of data.
3.1 The Company hereby notifies users of the Site that, in order to improve the convenience of working on the Site, cookies are used, a Google.Analytics service that can access users’ personal data in connection with the user’s use of the Site. Such personal data may include: email address, user IP address, user gender. The Company does not get access to the User’s personal data received by the services. By staying on the Site, the User unconditionally agrees to the policy of their use by the Company.
3.2 The personal data of Users processed by the Companies includes:
3.2.1 Personal data provided by the User in connection with registration on the Site or in case of registration for participation in events held by the Company: LF name, phone number, date of birth, country and e-mail address, phone number of a relative.
3.2.2 Personal data provided in connection with the User’s request to the Company with relevant requests (on the processing of PD, on termination of PD processing, etc.):LF name of the applicant, passport data, information about the reasons and purpose of the appeal, the signature of the user or his representative.
3.2.3 Additional personal data of the User provided by the User on a personal initiative without requiring such information from the Company.
3.3 The Company collects and stores the data specified in clause 3.2. of this Privacy Policy in electronic form, containing information about the User obtained as a result of filling in and sending by the User the registration form established by the Company on the Site, as well as the voluntary provision by the User of additional information about himself, including in connection with the Events held by the Company.
3.4 The Company stores only information in electronic form received from the Site, specified by the User himself, containing data about the User.
3.5 The Company does not process special and biometric personal data of Users.
4. Purpose of personal data processing.
4.1 The purpose of processing the User’s personal data is the implementation of a set of actions aimed at the implementation of the following tasks:
– registration of the user in the Events held by the company;
– sending to the User postal (email) messages and SMS notifications containing information about the Events and any other information relating to the User and related to the Event.
4.2 The condition for terminating the processing of personal data is the liquidation of the Company, as well as the corresponding requirement (request) of the User to delete his personal data.
4.3 The processing of personal data is carried out on the basis of the principles:
• legality of the purposes and methods of processing personal data;
• good faith;
• conformity of the purposes of processing personal data with the purposes predetermined and declared during the collection of personal data, as well as the powers of the Company;
• conformity of the volume and nature of the processed personal data, methods of processing personal data to the purposes of processing personal data.
5. Collection and protection of personal data.
5.1 The procedure for obtaining (collecting) personal data:
5.1.1 The User provides all personal data personally, voluntarily in electronic form.
5.1.2 The User’s consent to the processing of his personal data is stored electronically.
5.1.3 The User’s consent to the processing of personal data for the purposes specified in Section 4 of this Privacy Policy is valid until: the goals of their processing are achieved or until the User withdraws consent.
5.1.4 The processing of the User’s personal data without their consent is carried out in the following cases:
– personal data is publicly available;
– at the request of authorized state bodies in cases stipulated by the Legislation of the KR;
– processing of personal data is carried out on the basis of the current legislation of the KR;
– the processing of personal data is carried out for statistical purposes, subject to the mandatory depersonalization of personal data.
5.1.5 The Company does not request or process special categories of the User’s personal data: data on his race, nationality, political views, religious or philosophical beliefs, health status, intimate life.
5.2 The procedure for processing personal data:
5.2.1 The User (subject of personal data) provides the Company with reliable information about himself.
5.2.2 Only employees of the Company authorized to work with the User’s personal data can have access to the processing of Users’ personal data.
5.2.3 Employees authorized to work with personal data of Users perform their duties in accordance with this Privacy Policy.
5.2.4 The processing of personal data of Users can be carried out solely for the purposes established by the Privacy Policy and in compliance with the legislation of the KR.
5.2.5 When determining the scope and content of processed personal data, the Company is guided by the Constitution of the KR, legislation on personal data, and other laws of the KR.
5.3 Protection of personal data.
5.3.1 The protection of the User’s personal data is understood as a set of measures (organizational, administrative, technical) aimed at preventing unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution of Users’ personal data, as well as other illegal actions.
5.3.2 Protection of personal data of Users is carried out at the expense of the Company in the manner prescribed by the legislation of the Kyrgyz Republic.
5.3.3 When protecting Users’ personal data, the Company takes all necessary organizational, administrative and technical measures, including:
– anti-virus protection;
– audit (monitoring) of security/vulnerability;
– registration and accounting;
– ensuring the storage of information containing personal data of Users, excluding access to them by third parties;
– general control over compliance by employees with measures to protect the personal data of Users;
– protection of Users’ personal data stored in the Company’s electronic databases from unauthorized access, distortion, transfer and destruction of information, as well as from other illegal actions;
– data transmission via secure communication channels. Interfaces of information systems are protected via HTTPS protocol using end data encryption certificates during transmission between the storage server and the workstation; an anonymized form is used to transfer information to the equipment, containing only IP addresses and other technical attributes of the services provided.
– familiarization of the person directly processing personal data with the provisions of the legislation of the KR on personal data, including the requirements for the protection of personal data, documents defining the policy regarding processing personal data;
– appointment of a person responsible for organizing the processing of personal data.
5.4 Storage of personal data.
5.4.1 Personal data of Users is electronically stored on the servers of the hosting provider.
5.4.2 Protection of access to personal data of Users is ensured by:
– use of anti-virus programs;
– firewall;
– physical protection of servers;
– and other measures that prevent unauthorized entry and access to personal data of Users.
5.4.3 Answers to written requests from other organizations and institutions about the personal data of Users are given only with the written consent of the User himself, unless otherwise provided by the legislation of the KR. Personal data may be transferred at the official request (instruction) of authorized and competent state bodies without obtaining the consent of the Users.
6. Transfer and storage of personal data.
6.1 Transfer of personal data.
6.1.1 The transfer of the User’s personal data means the transfer of information through communication channels and/or on physical media.
6.1.2 When transferring the User’s personal data, the Company must comply with the following requirements:
– not to disclose to third parties the personal data of the User for commercial purposes;
– not disclose the User’s personal data to a third party without the written consent of the User, except as otherwise established by the legislation of the KR;
– notify persons receiving the User’s personal data that these data can be used only for the purposes for which they are reported, and require these persons to confirm that this rule has been observed;
– allow access to personal data of Users only to specially authorized persons, while these persons should have the right to receive only those personal data of Users that are necessary to perform specific functions;
– transfer personal data of Users within the Company in accordance with this Privacy Policy;
– provide Users with access to their personal data when contacting or upon receipt of a User’s request. The Company is obliged to provide the User with information about the availability of personal data about him, as well as provide the opportunity to familiarize himself with them within ten working days from the date of the request.
6.2 Storage of personal data.
6.2.1 The storage of personal data of Users means the existence of records in electronic databases and on the material media of the Company. Personal data of Users is stored mainly on electronic media and processed using automated systems, except in cases where non-automated processing of personal data is necessary in connection with the fulfillment of legal requirements.
6.2.2 Users’ personal data may be stored no longer than required by the purposes of processing, unless otherwise provided by the legislation of the KR.
6.2.3 During the storage period, personal data cannot be anonymized or destroyed.
6.2.4 Upon expiration of the storage period, personal data may be anonymized and destroyed in the manner prescribed by the current legislation of the KR.
7. Blocking, depersonalization, destruction of personal data of Users.
7.1 The procedure for blocking and unblocking personal data:
7.1.1 Blocking of personal data of Users is carried out with a written application from the User.
7.1.2 Blocking of personal data implies a temporary suspension of the processing of personal data (unless the processing is necessary to clarify personal data).
7.1.3 Blocking of personal data of Users can be temporarily removed if it is required to comply with the legislation of the KR.
7.1.4 Unblocking of personal data of Users is carried out with his written consent (if there is a need to obtain consent) or a statement from the User.
7.1.5 The repeated consent of the User to the processing of his personal data (if necessary, obtaining it) entails the unblocking of his personal data.
7.2 The procedure for the destruction of the User’s personal data.
7.2.1 Destruction of personal data – actions, as a result of which it becomes impossible to restore the content of personal data in the information system of personal data and (or) as a result of which material carriers of personal data are destroyed, as well as the termination of any access to personal data.
7.2.2 When the User’s personal data is destroyed, the Company’s employees cannot gain access to personal data.
7.2.3 Personal data in the Company’s system and on the Website cannot be recovered.
7.2.4 The operation of destruction of personal data is irreversible.
7.2.5 The term for the destruction of personal data corresponds to the term determined by the legislation of the KR.
8. The rights of the Сompany when working with personal data.
8.1 The Company has the right:
– provide personal data of Users to third parties, if this is provided for by applicable law (tax, law enforcement, judicial authorities);
– refuse to provide personal data in cases stipulated by the legislation of the KR;
– use the User’s personal data without his consent in cases provided for by the legislation of the KR.
9. User rights.
9.1 The user has the right:
– demand clarification of their personal data, their blocking or destruction if the personal data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing, and also accept measures provided for by the legislation of the Kyrgyz Republic to protect their rights;
– require a list of processed personal data available in the Company and the source of their receipt;
– receive information about the tIme of personal data processing, including the time of their storage;
– demand notification of all persons who were previously informed of incorrect or incomplete personal data of all exceptions, corrections or additions made to them;
– appeal to the authorized body for the protection of the rights of subjects of personal data or in court against illegal actions or omissions in the processing of his personal data.
9.2 Users have the right to send their requests to the Company, including requests regarding the use of their personal data by sending a written application in any form addressed to the Organizer and sent to the Company at snowleo.trip@gmail.com. The request sent by the User must comply with the requirements established by Company, namely to contain the following information:
• last name, first name, patronymic of the applicant;
• passport data;
• information about the reasons and purpose of the appeal;
• signature of the user or his representative.
If necessary, for the purpose of prompt and complete consideration by the Company of the User’s request, the Company has the right to request additional information from the User.
The Company undertakes to consider and send a response to the User’s request no later than 30 days from the date of receipt of the request.
10. Responsibility for violation of the rules governing the processing and protection of personal data.
10.1 A company guilty of violating the rules governing the receipt, processing and protection of personal data bears disciplinary, administrative, civil or criminal liability in accordance with the current legislation of the KR.
10.2 The Company bears civil and administrative liability for violation of the law in the field of processing and protection of personal data.