CHAPTER 1. GENERAL PROVISIONS
1.1. The Personal Data Processing Policy (hereinafter referred to as the “Policy”) of Astana-Expo KS Exhibition Company LLP (hereinafter referred to as the “Company”) defines the basic principles, purposes, conditions, and methods of personal data processing, the categories of data subjects and personal data processed, the Company’s functions in processing personal data, the rights of personal data subjects, and the personal data protection requirements implemented by the Company.
1.2. This Policy has been prepared in accordance with the Constitution of the Republic of Kazakhstan, the Law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 “On Personal Data and Their Protection” (hereinafter referred to as the “Law”), other regulatory legal acts, and applies to all personal data processed by the Company, which may be received from the subject or the representative of the personal data subject who is a party to a civil-law contract with the Company, or from a legal entity having entered into a civil-law contract with the Company, from a personal data subject having labor relations with the Company, from visitors to the Company’s office, as well as from visitors to the Company’s websites and any other personal data subjects.
The Policy complies with the current legislation of the Republic of Kazakhstan and is based on:
Constitution of the Republic of Kazakhstan;
Labor Code of the Republic of Kazakhstan;
Laws of the Republic of Kazakhstan dated May 21, 2013 “On Personal Data and Their Protection” and dated November 24, 2015 “On Informatization”;
Order of the Minister of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan dated October 21, 2020 “On Approval of the Rules for Collection and Processing of Personal Data”;
other regulatory legal acts of the Republic of Kazakhstan.
1.3. This Policy also applies to all information that the Company may obtain about visitors to the Company’s websites, including: astana-expo.com, kmfexpo.kz, kss-expo.kz, btexpo.kz, waterexpo.kz, flora-expo.kz, kadex.kz, digital-aex.com, cds-forum.kz, grow-expo.kz, cmexpo.kz, promweek.kz.
1.4. Key terms and definitions used in this Policy and other local legal acts and documents of the Company regulating personal data processing issues:
Biometric data — personal data characterizing physiological and biological features of a personal data subject, on the basis of which the subject’s identity may be established;
Blocking of personal data — actions for temporary suspension of collection, accumulation, amendment, supplementation, use, dissemination, depersonalization, and destruction of personal data;
Use of personal data — actions with personal data aimed at implementing the purposes of the owner, operator, and third party;
Candidate — an individual applying for a vacant position;
Accumulation of personal data — actions for systematizing personal data by entering them into a database containing personal data;
Depersonalization of personal data — actions resulting in the impossibility of determining that personal data belongs to a specific subject;
Processing of personal data — actions aimed at accumulation, storage, amendment, supplementation, use, dissemination, depersonalization, blocking, and destruction of personal data;
Publicly available personal data — personal data or information not subject to confidentiality requirements under the legislation of the Republic of Kazakhstan and freely accessible with the subject’s consent;
Operator of a database containing personal data (hereinafter — the “Operator”) — a state body, individual and/or legal entity collecting, processing, and protecting personal data;
Personal data — information relating to a specific or identifiable personal data subject, recorded on electronic, paper, and/or other tangible media;
Dissemination of personal data — actions resulting in transfer of personal data, including via mass media, or granting access to personal data by any other means;
Collection of personal data — actions aimed at obtaining personal data;
Personal data subject — an individual to whom the personal data relates;
Cross-border transfer of personal data — transfer of personal data to the territory of foreign states;
Destruction of personal data — actions resulting in impossibility of restoring personal data;
Storage of personal data — actions to ensure integrity, confidentiality, and availability of personal data.
CHAPTER 2. PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
2.1. The Company, as the Operator of personal data, processes personal data of the Company’s employees and other personal data subjects not having labor relations with the Company.
2.2. Personal data processing in the Company is carried out with due regard to the need to protect the rights and freedoms of employees and other personal data subjects, including the right to privacy and personal and family secrecy, based on the following principles:
personal data are processed on a lawful and fair basis;
personal data are processed proportionately to the stated processing purposes and ensure at all stages a fair balance of the interests of all concerned parties;
personal data are processed with the consent of the personal data subject, except where otherwise provided by law;
personal data processing is transparent. The subject may be provided with relevant information regarding processing exclusively of his/her own personal data;
the Operator takes measures to ensure the accuracy of processed personal data and updates them where necessary;
personal data are stored in a form allowing identification of the subject no longer than required by the stated purposes of processing;
personal data are processed on the basis of confidentiality of restricted-access personal data.
2.3. Personal data are processed by the Company for the following purposes:
performance of functions, powers, and duties imposed on the Company by the legislation of the Republic of Kazakhstan, including provision of personal data to tax authorities, the Unified Accumulative Pension Fund of the Republic of Kazakhstan, the State Social Insurance Fund of the Republic of Kazakhstan, the Social Medical Insurance Fund, and other bodies;
regulation of labor relations with the Company’s employees;
preparation, conclusion, execution, and termination of contracts and other relations with counterparties;
exercise of the Company’s rights and legitimate interests within the scope of its activities;
attracting and selecting job candidates;
informing and conducting events, promotions, surveys, and research by the Company;
other lawful purposes, where necessary to ensure compliance with legislation.
CHAPTER 3. LIST OF SUBJECTS WHOSE PERSONAL DATA ARE PROCESSED BY THE COMPANY
3.1. The Company processes personal data of the following categories of subjects:
Company employees;
relatives of Company employees;
job candidates;
individuals having civil-law relations with the Company;
individuals who are counterparties (clients) of the Company;
employees and other representatives of legal entity counterparties;
other subjects whose interaction with the Company requires personal data processing.
CHAPTER 4. LIST OF PERSONAL DATA PROCESSED BY THE COMPANY
4.1. The list of personal data processed by the Company is determined in accordance with the legislation of the Republic of Kazakhstan and the Company’s local legal acts, taking into account the purposes of personal data processing specified in this Policy.
4.2. Personal data of employees’ relatives include:
surname, first name, patronymic;
date of birth;
IIN;
citizenship;
passport details or details of another identity document;
registered address details;
actual residence details;
medical information (where required by law);
information on social benefits and payments;
contact details.
4.3. Personal data of job candidates include:
surname, first name, patronymic (as well as all previous surnames);
date and place of birth;
IIN;
citizenship;
passport details or details of another identity document;
gender;
information on marital status and family composition, including surnames, names, patronymics of family members, dates of birth, places of work and/or study;
registered address details;
actual residence details;
number and series of the state social insurance certificate;
information on education, advanced training, professional retraining, academic degree, academic title;
employment history (including length and experience of work, employment data indicating position, division, employer details, etc.);
specialty, profession, qualification;
military registration data;
medical information (where required by law);
biometric personal data (including photographs, CCTV images, voice recordings);
information on social benefits and payments;
contact details;
awards and incentives;
information provided by the candidate in personal questionnaires; and other data that may be specified in the candidate’s résumé or application form.
4.4. Personal data of employees and other representatives of legal entity counterparties include:
surname, first name, patronymic;
passport details or details of another identity document;
IIN;
registered address details;
contact details;
position;
other data necessary for fulfillment of mutual rights and obligations between the Company and the counterparty.
4.5. Personal data of counterparties who are individuals include:
surname, first name, patronymic;
citizenship;
IIN;
passport details or details of another identity document;
registered address details;
number and series of the state social insurance certificate;
bank account details;
taxpayer identification number;
contact details;
property registration certificate details;
other data necessary for fulfillment of mutual rights and obligations between the Company and the counterparty.
4.6. Personal data of individuals having civil-law relations with the Company include:
surname, first name, patronymic (and all previous surnames);
date of birth;
citizenship;
passport details or details of another identity document;
gender;
place of stay details;
number and series of the state social insurance certificate;
information on education, advanced training, professional retraining, academic degree, academic title;
bank account details;
specialty, profession, qualification;
medical information (where required by law);
biometric personal data (including photographs, CCTV images, voice recordings);
information on social benefits and payments;
contact details;
other data necessary to fulfill mutual rights and obligations.
4.7. The Company does not process special personal data concerning racial or ethnic origin, political views, membership in trade unions, religious or other beliefs, health or intimate life, administrative or criminal liability, as well as genetic personal data.
CHAPTER 5. FUNCTIONS OF THE COMPANY IN PERSONAL DATA PROCESSING
5.1. When processing personal data, the Company:
takes measures necessary and sufficient to ensure compliance with the legislation of the Republic of Kazakhstan and local legal acts in the field of personal data;
takes legal, organizational, and technical measures to protect personal data from unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, and other unlawful actions;
appoints a person responsible for internal control over personal data processing;
issues local legal acts defining the Company’s policy and issues of personal data processing and protection;
familiarizes Company employees directly engaged in personal data processing with the provisions of the legislation of the Republic of Kazakhstan and the Company’s local legal acts in the field of personal data, including personal data protection requirements, and provides training to such employees;
publishes or otherwise ensures unrestricted access to this Policy;
informs personal data subjects or their representatives, in the prescribed manner, about the existence of personal data relating to them, and provides an opportunity to review such data upon request, unless otherwise established by law;
ceases processing and destroys personal data in cases provided for by the legislation of the Republic of Kazakhstan;
performs other actions provided for by the legislation of the Republic of Kazakhstan in the field of personal data.
CHAPTER 6. CONDITIONS OF PERSONAL DATA PROCESSING IN THE COMPANY
6.1. Personal data are processed with the consent of the personal data subject, unless otherwise provided by the legislation of the Republic of Kazakhstan in the field of personal data.
6.2. Without the consent of the personal data subject, the Company does not disclose personal data to third parties and does not disseminate them, unless otherwise provided by the legislation of the Republic of Kazakhstan.
6.3. The subject or his/her legal representative gives (withdraws) consent to the collection and processing of personal data in writing or in the form of an electronic document.
6.4. Access to processed personal data is granted only to Company employees engaged in personal data processing.
CHAPTER 7. LIST OF ACTIONS WITH PERSONAL DATA AND METHODS OF PROCESSING
7.1. The Company processes personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, dissemination, provision, and deletion of personal data.
7.2. Personal data processing is carried out:
using automation tools;
without automation tools, provided that personal data search and/or access to them is ensured according to specific criteria (lists, databases, logs, etc.).
7.3. Cross-border transfer of personal data is prohibited if the foreign state does not ensure an adequate level of protection of the rights of personal data subjects, except in cases of:
consent of the subject or his/her legal representative to cross-border transfer;
international treaties ratified by the Republic of Kazakhstan;
cases provided for by the laws of the Republic of Kazakhstan where necessary to protect the constitutional order, public order, human and civil rights and freedoms, public health and morality;
protection of constitutional rights and freedoms where obtaining the subject’s or representative’s consent is impossible.
CHAPTER 8. RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
8.1. Personal data subjects have the right to:
know about the existence of their personal data with the Operator and third parties, and receive information containing:
confirmation of the fact, purposes, sources, and methods of collection and processing of personal data;
a list of personal data;
periods of personal data processing, including storage periods;
require the Operator to amend and supplement their personal data where grounds confirmed by relevant documents exist;
require the Operator and/or third parties to block their personal data if there is information about violation of the conditions for collection and processing;
require the Operator and/or third parties to destroy personal data collected and processed in violation of the legislation of the Republic of Kazakhstan, as well as in other cases established by the Law and other regulatory legal acts;
withdraw consent to collection and processing of personal data, except where otherwise provided by the laws of the Republic of Kazakhstan;
consent (or refuse consent) to dissemination of their personal data in public personal data sources;
protection of their rights and legitimate interests, including compensation for moral and material damage;
exercise other rights provided by the Law and other laws of the Republic of Kazakhstan.
8.2. The personal data subject is obliged to:
provide the Operator with accurate personal data;
timely notify the Operator of changes and additions to personal data;
fulfill other obligations established by the legislation of the Republic of Kazakhstan.
CHAPTER 9. MEASURES TAKEN BY THE COMPANY TO ENSURE OPERATOR OBLIGATIONS IN PERSONAL DATA PROCESSING
9.1. Measures necessary and sufficient to ensure fulfillment of the Operator’s obligations include:
providing personal data subjects with necessary information before obtaining consent;
explaining to personal data subjects their rights related to personal data processing;
obtaining written consent of personal data subjects, except where otherwise provided by the legislation of the Republic of Kazakhstan;
appointing a person responsible for internal control over personal data processing;
issuing documents defining the Company’s policy on personal data processing;
familiarizing employees directly engaged in personal data processing with personal data legislation;
establishing procedures for access to personal data, including data processed in information resources;
implementing technical protection of personal data;
ensuring unrestricted access, including via the Internet, to documents defining the policy on personal data processing before such processing begins;
terminating personal data processing in the absence of grounds for such processing;
amending, blocking, or deleting inaccurate or unlawfully obtained personal data;
limiting processing of personal data to specific, pre-declared lawful purposes;
storing personal data in a form allowing identification of the subject no longer than required by the declared processing purposes.
9.2. Measures to ensure the security of personal data processed in personal data information systems are established in accordance with the Company’s local legal acts regulating personal data security.
CHAPTER 10. TRANSFER OF PERSONAL DATA TO THIRD PARTIES AND THE LEADSCAN SYSTEM
10.1. This section defines the conditions, purposes, procedure, and legal grounds for transferring personal data to third parties and processing such data using the LeadScan system. Personal data processing is carried out in accordance with the Law of the Republic of Kazakhstan “On Personal Data and Their Protection.”
10.2. In accordance with Article 7 of the Law of the Republic of Kazakhstan “On Personal Data and Their Protection,” processing of personal data, including transfer to third parties, is permitted only with the consent of the personal data subject, except where directly provided by the legislation of the Republic of Kazakhstan.
10.3. The Organizer and/or persons authorized by it use the automated LeadScan system (hereinafter — the “System”) to collect, store, process, and transfer visitors’ personal data. Actions performed with personal data using the System include:
collection of the visitor’s personal data, including surname, first name, contact phone number, email address, company name, and position;
transfer of personal data to exhibitors, if the visitor has consented to such transfer, for the purposes of establishing business contact, further communication, and informing about goods, services, offers, and other events related to the exhibitor’s activities.
10.4. Visitors’ personal data may be transferred to exhibitors solely for the following purposes:
establishing business contacts between the visitor and the exhibitor;
sending the visitor information about the exhibitor’s goods, services, offers, and events;
implementation of other purposes expressly declared by the visitor and agreed with the exhibitor.
Personal data are transferred only to the extent necessary to achieve the stated purposes.
10.5. A visitor’s registration for the event and marking consent to this Policy constitute the freely given, informed, and unambiguous consent of the personal data subject to:
a) collection of personal data by the Organizer;
b) automated processing of personal data using the System;
c) transfer of personal data to exhibitors for the purposes specified in clause 10.4 of this section.
Consent takes effect from the moment of registration and remains valid until withdrawn in accordance with this Policy and the legislation of the Republic of Kazakhstan.
10.6. Exhibitors receiving personal data through the System are independent operators (or other persons responsible for personal data processing) with regard to further processing of such data within their own activities. Processing of personal data by exhibitors is carried out on the basis of the data subject’s consent and in accordance with the legislation of the Republic of Kazakhstan on personal data. The Organizer shall not be liable for exhibitors’ further data processing beyond the purposes specified in this section.
10.7. The personal data subject has the right to:
receive information on the availability of his/her personal data with the Operator and/or third parties;
demand clarification, blocking, or destruction of personal data if such data are incomplete, inaccurate, outdated, unlawfully obtained, or unnecessary for the stated purposes;
withdraw consent to personal data processing by sending a written statement to the Organizer;
exercise other rights provided by the legislation of the Republic of Kazakhstan.
CHAPTER 11. CONTROL OVER COMPLIANCE WITH THE LEGISLATION OF THE REPUBLIC OF KAZAKHSTAN AND LOCAL LEGAL ACTS IN THE FIELD OF PERSONAL DATA, INCLUDING PERSONAL DATA PROTECTION REQUIREMENTS
11.1. Control over compliance with the legislation of the Republic of Kazakhstan and the Company’s local legal acts in the field of personal data, including personal data protection requirements, is carried out to verify that personal data processing complies with the legislation of the Republic of Kazakhstan and local legal acts in the field of personal data, including personal data protection requirements, as well as the measures taken to prevent and detect violations, identify possible leakage channels and unauthorized access to personal data, and eliminate the consequences of such violations.
11.2. Internal control over compliance with the legislation of the Republic of Kazakhstan and local legal acts in the field of personal data, including personal data protection requirements, is exercised by the person responsible for organizing personal data processing in the Company.