POLICY
for the Collection, Processing and Protection of Personal Data Subjects' Personal Data

General Provisions

Purpose of the Document
This Policy for the Collection, Processing and Protection of Personal Data Subjects' Personal Data is the fundamental internal document of the Limited Liability Partnership "CDEK Central Asia" (hereinafter: the Partnership) that governs the collection, processing and protection of personal data.
This Policy is drawn up in accordance with the Constitution of the Republic of Kazakhstan, the Civil Code of the Republic of Kazakhstan, effective legislation of the Republic of Kazakhstan in the sphere of personal data protection, including Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and their Protection" (hereinafter: the Law) and serves for the familiarization of unlimited audience through publication on the www.cdekfranchise.kz website.
The Policy shall establish the procedure for personal data collection and processing for personal data subjects, including establishing actions for personal data collection, classification, accumulation, storage, revision (updating, modification), and destruction, as well as establishing the procedures aimed at safeguarding personal data.
The Partnership management shall acknowledge the importance and necessity of personal data safeguarding and encourage constant improvement in the personal data protection system.
The approval and revision of the Policy shall be performed every three years, as well as:
- in the case of changes in the regulatory framework that affect the principles and/or processes of personal data processing in the Partnership;
- when new or existing processes for clients' personal data processing are created or changed, accordingly.

Normative References
Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and their Protection".
Republic of Kazakhstan Government Decree No. 909 dated September 3, 2013 "On Approving the Rules for Taking Measures to Protect Personal Data by the Owner and (or) Operator, as well as Third Parties".
Republic of Kazakhstan Government Decree No. 1214 dated November 12, 2013 "On Approving the Rules for Determining the Owner and (or) Operator of the List of Personal Data, Necessary and Sufficient for Their Fulfillment of Tasks".
Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan dated October 21, 2020 No. 395/NK "On Approving the Rules for the Collection, Processing of Personal Data".
1.3. Abbreviations used
PD — personal data;
PDB — database containing PD;
Partnership — "CDEK Central Asia" LLP;
RK — Republic of Kazakhstan;
Website — www.cdekfranchise.kz.

1.4. Scope of Application
1.4.1. The validity of this Policy shall extend to all Partnership processes in which PD of PD subjects are collected and processed using computer equipment, including information-telecommunication networks, as well as without the use of such devices.
This Policy shall be applicable, including but not limited to:
during navigation on the www.cdekfranchise.kz website without making an order for servicing, as well as during the use of services offered on the www.cdekfranchise.kz website, including without registration on the www.cdekfranchise.kz website;
during registration on the www.cdekfranchise.kz website;
when making an order on the www.cdekfranchise.kz website or in an office of the Partnership;
when filling out a request form for contract conclusion on the www.cdekfranchise.kz website;
when using the www.global.cdek.kz service;
during another use of the www.cdekfranchise.kz website in accordance with the User Agreement.
The validity of this Policy shall not extend to PD processing of employees of the Partnership and candidates for vacant positions, other PD subjects not directly designated in this Policy, since these relationships are regulated by other internal acts.
The Regulation does not set out the matters of ensuring the safety of PD classified in accordance with the established procedure as information constituting a state secret of the Republic of Kazakhstan.

1.5. Terms and definitions used
1) Personal data — information related to a PD subject identified or indetifiable on the basis thereof, captutred on electronic, paper and/or other tangible media; 2)
PD blocking — actions to temporarily suspend the collection, accumulation, modification, addition, use, distribution, depersonalization and destruction of PD;
3) PD accumulation —actions to organize PD by entering them into a database containing PD;
4) PD destruction — actions resulting in the impossibility to restore PD;
5) PD depersonalization — actions resulting in the impossibility to determine whether PD belongs to a PD subject;
6) a database containing PD — an array of organized PD;
7) the owner of a database containing PD — a state body, an individual and/or a legal entity exercising the right to own, use and dispose of a database containing PD in accordance with the laws of the Republic of Kazakhstan;
8) the operator of a database containing PD (hereinafter — the operator) is a state body, an individual and/or a legal entity that collects, processes and protects PD.
The operator under this Regulation is the Limited Liability Partnership "CDEK Central Asia";
9) PD protection — a set of measures, including legal, organizational and technical, implemented for the purposes established by this Law;
10) PD security service — a service that ensures communication between owners and/or operators with the subject, including obtaining the subject's consent to collect, process PD or transfer them to third parties, including through the implementation of such communication by owners and/or operators on their own;
11) PD processing — actions aimed at PD accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction;
12) PD use — actions invloving personal data aimed at implementing the goals of the owner, operator and third party;
13) PD storage —actions to ensure the PD integrity, confidentiality and availability;
14) PD dissemination — actions resulting in the PD transfer, including through the mass media, or providing access to personal data by any other method;
15) PD subject — an individual to whom the PD belong;
16) a third party — a person that is not a subject, owner and/or operator, but is connected with them/it through circumstances or legal relations concerning the PD collection, processing and protection;
17) PD collection — actions aimed at obtaining PD.

Basic Normative Provisions

2.1. PD Collection, Processing Principles
The Partnership shall ensure compliance with the principles of PD collection, processing and protection set out in Art. 5 of the Law.
PD collection and processing shall be done on a legal and just basis and shall be limited to achieving specific, pre-defined and legal goals and tasks. Redundancy of processable data is not allowed.
When processing PD, accuracy of PD must be ensured, their sufficiency, and if necessary, also relevance in relation to the goals of PD processing.
The Partnership shall store PD in a form allowing determination of the PD subject not longer than required by the goals and tasks of PD processing, and shall destroy PD when the goals of their processing have been reached or if there is no need to achieve these goals, if not otherwise specified by federal law.
Processable PD shall be destroyed or depersonalized when the processing goals have been achieved or if it is not necessary to reach these goals, if not otherwise specified by the Law of this Policy.

PD Processing Objectives
The Partnership processes the PD subject's personal information with the following objectives:
1) Providing the PD subject with the opportunity to interact with the Website, including the access to personalized Website resources, to the Partnership partners' Websites or services in accordance with the User Agreement;
2) Establishing communication with the PD subject, including to provide them with information about the services, by sending notifications, requests and information concerning the provision of services and/or fulfillment of existing agreements, as well as processing requests and applications from the PD subject;
3) Provision of services, conclusion and fulfillment of agreements and contracts with clients (potential clients);
4) Improvement of the quality of services and convenience of their use, development of new services (sending information about special offers, new services, events, any information messages, including advertising and other information on behalf of the Partnership or on behalf of the Partnership's partners to the PD subject via information communication systems, SMS, e-mail and other means of communication);
5) Compliance with the requirements of the legislation of the Republic of Kazakhstan;
6) Conducting statistical and other studies based on depersonalized data, conducting surveys and studies aimed at revealing client satisfaction/dissatisfaction with the Partnership's services, improving the quality of services.

Categories of Collected, Processed PD
The Partnership processes the following PD categories:
1) PD of an individual — website user transmited on his/her own: name, email, address (city, street, house number, apartment number), phone number, as well as automatically transmitted by the website and services during their use: details of the browser used (or other software thereby the website is accessed), cookie file details, location, IP address, requested web pages, the Website access source and other similar information.
2) PD of an individual — client (potential client) whose PD became known to the Partnership in connection with the conclusion and fulfillment of the contract: full name, identity document details, address (country, city, street, house number, apartment number), email, phone number (home, mobile);
3) PD of an individual whose PD were received by the Partnership from the Customer that uses courier services under a contract for the provision of paid courier services: full name, identity document details, address (country, city, street, house number, apartment number, phone number (home, mobile);
4) PD of other subjects transferred to the Partnership by other parties on the basis of concluded contracts and/or consent to the PD collection, processing.
The Partnership shall not collect and process PD of customers concerning race, nationality, political views, religious or philosophical convictions, state of health and intimate life.
The Partnership shall not verify the reliability of the personal information provided by the subject and shall not be able to evaluate their competence. However, the Partnership shall proceed from the fact that the user provides reliable and sufficient personal information and maintains this information in an up-to-date state.

The Procedure and Conditions for PD Collection, Processing
Methods of obtaining a subject's PD
The collection and processing of a PD subject's PD is carried out by the Partnership upon consent of the subject or his/her legal representative. It is permitted for the Partnership to collect the Clients' PD by:
- personal submission of own data (provision of documents) by a subject when ordering delivery in the office;
- entering own data by the subject in any section of the Website;
- entering data in marketing flyers (coupons) by the PD subject;
- from third parties (clients, counterparties);
- from generally available sources.

The Procedure of Giving the Subject'S Consent to the PD Collection, Processing
The consent to PD processing can be given by the subject (or his/her legal representative) in writing, in the form of an electronic document, via a PD security service or any other method using the protective actions' elements that do not contradict the legislation of the Republic of Kazakhstan.
In a case where a PD subject enters his/her data on the Website, the consent to the PD processing is deemed to be provided by the PD subject by performing the following conclusive actions in aggregate: putting a special mark — a "tick" or "web tag" in a special field on the Website when ordering a callback, when making a contact via the feedback form, when registering in his/her personal account, when filling out a questionnaire to enter into a contract, when making a request to call a courier and pressing the appropriate button.
These actions shall be evaluated clearly as acceptance of the User Agreement terms and conditions and consent to PD processing in the scope, for the purposes and per the procedure specified in the text (text "Consent" - Appendix No. 1 to this Policy) specified in the special sign for reading the text suggested before submission.
In the case where a PD subject fills out marketing leaflets, delivery notes, and other documents by affixing his/her signature, the PD Subject expresses his/her consent to accept the terms of the Public Offer set out in the Contract for the Provision of Paid Courier Services and the Regulation for the Provision of Paid Courier Services published on the website, which means, among others, a consent to the PD processing.
If PD are obtained from third parties (customers, contractors), the obligation to obtain consents to PD processing and transfer shall be placed on these third parties.
If PD are obtained from public information sources, no consent is required from the PD subjects.
Consent shall be considered received from the time of entering the special sign (signature) and shall be valid until the PD subject sends the relevant statement of termination of PD processing at the location of the Operator.
If there is no consent from the Subject to process their PD, such processing shall not be done.

PD Access and Confidentiality
In the course of its activities, the Partnership delegates the PD processing to third parties upon consent of the PD subjects, subject to mandatory compliance of the party that performs the delegated PD processing with the principles and rules of processing, as well as ensuring the PD security.
The list of individuals allowed to collect and process PD shall be determined by the instructions of the Executive body and internal local regulatory acts of the Partnership. Such parties shall be familiarized with the following before the commencement of work:
the provisions of RK legislation on PD, including the requirements for the PD protection procedure;
documents defining the Operator's actions in relation to the PD collection, processing, including this Policy;
local guidelines on the PD collection, processing.
Access to PD of PD subjects shall be given to the Operator's employees in accordance with their official duties. The Operator's employees processing the PD of PD subjects must be informed about such processing, about the features and rules for such processing established by the regulatory legal acts and internal documents of the Operator. The Partnership employee entitled to process PD of PD subjects shall be given a unique login and password to duly access the relevant information system. Information about the identifiers assigned to the Employee (login and password) shall be confidential and cannot be communicated by the Employee to third parties. The Employee shall ensure compliance with the confidentiality requirements and shall bear the risk of the consequences related to violation of such requirements. The authentication procedure shall be conducted by the employer's technical center when the employee accesses the information system by comparing the entered login and password with the relevant login and password assigned to the employee, information about which is contained in the information system. If the authentication procedure is passed successfully, the Employer shall be able to perform operations with the PD of the PD subject in the information system.
The Partnership shall not post the PD of PD subjects in public sources.

PD Accumulation and Storage
The PD accumulation is carried out by collecting the PD necessary and sufficient to carry out the tasks performed by the owner and/or operator, as well as by a third party.
PD of the PD subject, whose processing goals vary, shall be stored separately within the information system, or if stored on storage drives, within the structure of business of the Operator's relevant division.
PD of the PD subjects shall be stored by the Partnership in a form allowing determination of the PD subject.
The duration of PD storage shall be no longer than required by the PD processing objectives; if no PD storage duration is established by law or contract or defined by the terms of the consent to the PD processing (Annex1), or until the User declares their desire to withdraw consent to the PD collection, processing.
The PD shall be blocked on the Website based on a written statement from the PD subject.
The PD subject shall be entitled to demand in writing the destruction of their PD if the PD are incomplete, outdated, unreliable, obtained illegally or are not necessary for the stated purpose of the processing.
If it is not possible to destroy the PD, the Operator shall block such PD.
PD shall be destroyed by erasing information using certified software with guaranteed destruction (in accordance with the assigned characteristics for the established software with guaranteed destruction).

PD Protection
During the PD collection, processing, the Partnership takes all necessary legal, organizational and technical measures to protect personal data from unlawful or accidental access, destruction, modification, blocking, copying, provision, distribution of PD, as well as other unlawful actions. A person responsible for arranging PD processing shall be appointed in the Partnership.
The PD safety of is achieved, in particular, by:
- the appointment of a person responsible for organizing the PD collection and processing;
- the approval by the Partnership of this Policy, local guidelines on the PD collection, processing, as well as local guidelines establishing procedures aimed at preventing and detecting violations of the law, eliminating the consequences of such violations;
- the application of legal, organizational and technical measures to ensure the PD safety in accordance with Art. 22 of the Law;
- the implementation of internal control over the compliance of the PD collection, processing and storage with the Law and regulations adopted in accordance therewith, requirements for the PD protection, this Policy and local guidelines of the Partnership;
- the familiarization of the operator's workers (employees) directly engaged in the PD collection, processing and storage with the provisions of the legislation of the Republic of Kazakhstan on PD, including the requirements for the PD protection, this Policy, local guidelines on the PD collection, processing and storage, and/or worker (employee) training.

Processing of the PD Subjects' Requests
To ensure compliance with the PD subjects' rights established by law, the Partnership has developed and introduced the procedure for dealing with the PD subjects' applications and requests, as well as the procedure for providing PD subjects with information defined by the RK legislation in the sphere of PD.
The request from a PD subject must contain the number of the main document identifying the PD subject or their legal representative, information about the date of issue of the indicated document and its issuing body, information confirming the participation of the PD subject in relationships with the Partnership (contract number, date of entry into the contract, conventional word designation and (or) other information), or information otherwise confirming the fact of PD processing by the Partnership, signature of the PD subject or their representative, and date of contact.
The Partnership workers shall not have the right to answer questions related to transfer or disclosure of PD by telephone or fax because in such a case it is not possible to identify the accessing person.
Requests from subjects must be sent to: 404/67 Seyfullina Prospekt, Almaty, Republic of Kazakhstan, 050004.



Annex 1 to the Policy
for the Collection, Processing and Protection of Personal Data Subjects' Personal Data


To the CEO of "CDEK Central Asia" LLP
BIN120440014325
Address: 404/67 Seyfullina Prospekt,
Almaty, Republic of Kazakhstan, 050004

Form of Consent
for PD collection, processing, for the website users


Acting freely, voluntarily and in my interest I hereby declare that I have been informed and agree that, in accordance with the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V "On Personal Data and their Protection" and other regulatoions of the Republic of Kazakhstan (hereinafter jointly referred to as the Law), the information provided by me, including:
family name, first name, patronymic;
email;
address (city, street, house number, apartment number) for collecting/delivering parcels;
phone number;
details of the used brawser;
location;
IP address;
cookie file details;
requested web pages;
source from where the www.cdekfranchise.kz website is accessed;
passport details (where necessary)
will be entered to the information systems of "CDEK Central Asia" LLP.

I grant the right to collect, process, transfer (including the right to cross-border transfer) these data with the use of methods that do not contradict the law, in order to organize the process of providing the information requested by me about the services of "CDEK Central Asia" LLP, receiving feedback from "CDEK Central Asia" LLP, ordering services, registering a Personal Account, etc, with the exception of cases where it is expressly established otherwise. I am notified that my personal data will be used for the purposes of:
- providing the opportunity to interact with the Website, including the provision of access to personalized Website resources, to the Partnership partners' Websites or services in accordance with the User Agreement;
- establishing communication, including to provide information about the services, by sending notifications, requests and information related to the provision of services and/or the fulfillment of existing agreements, as well as for processing requests and applications;
- provision of services, conclusion and fulfillment of agreements and contracts;
- improvement of the quality of services and the convenience of their use, development of new services (sending information about special offers, new services, events, any information messages, including advertising and other information on behalf of the Partnership or on behalf of the Partnership partners to the PD subject via information communication systems, SMS, e-mail and other means of communication);
- compliance with the requirements of the legislation of the Republic of Kazakhstan;
- conducting statistical and other studies based on depersonalized data, conducting surveys and studies aimed at identifying client satisfaction/dissatisfaction with the Partnership's services, improving the quality of services.

In relation to the aforementioned goals, I understand that my personal data may be reported to third parties, and I consent to this.
If my data are given to third parties, including contact data, I confirm that the third party has been informed about the processing of their personal data by the Operator.
I consent to the use of the submitted PD to send commercial information by the Operator for PD processing to third parties by this telephone number and e-mail address.
I give the right to send me information about services, proposals and advertising events of the Operator and/or its Partners, including via electronic and mobile communication.
This consent shall be valid from the day of its submission to the day of recall in writing.
I hereby was informed that I am entitled to demand revisions in my PD, their blocking or destruction if the PD are incomplete, outdated, inaccurate or are not necessary for the stated processing goal, also at any time I may demand termination of PD processing after sending the relevant statement to the Operator's location. I understand that the result of recalling the consent regarding part of the data and/or regarding certain goals may result in complete termination of processing of my PD to implement the goals of this consent.
I have also been informed that at any time I can refuse to receive commercial information, after sending my statement to the Operator's location.
The text of this consent was read by me (us), I (we) have no additions, comments or objections.