Introduction

This is the Privacy Statement (“Privacy Statement”) for Industrial Solutions & Supplies ("ISS", “we”, “us”, or “our”). ISS understands that your privacy is important. We are committed to protecting your privacy and personal information.

This Privacy Statement only applies to the personal information our clients provide via email or as they access and use materials on industrials.kz (“Site”) as well as personal information that they submit to ISS in response to a request for information or other outreach from ISS.

Depending on client’s relationship with ISS, additional or different privacy statements may apply to them. For our privacy practices in connection with the personal information we obtain from the client’s access to and use of our tools and solutions and the research and development thereof, please see our Solutions Privacy Statement below.

Changes to This Privacy Statement

ISS may, in its discretion, amend this Privacy Statement from time to time. To ensure our clients are able to remain informed, changes to our Privacy Statement will be reflected here.

Personal Data According to the Law of the Republic of Kazakhstan

The Kazakhstan Law on Personal Data and Protection Thereof defines “Personal data” as information that relates to an identified or identifiable individual recorded on digital, hard and/or other media.

“Personal data subject” means the individual to whom Personal data relate.

Categories of Personal Data

In terms of accessibility, personal data may be categorised either as generally accessible or as restricted.

“Generally accessible personal data” mean any personal data or information which are not applied the confidentiality requirement provided for by Kazakhstan law and which are easily accessible with consent of such data/information subject (e.g. information in mass media, telephone directories, etc.).

“Restricted personal data” mean any personal data the access to which is restricted by Kazakhstan law, including personal particulars (first name, middle name, surname, date of birth and nationality), residence and domicile details, individual identification number (IIN, identification document and number thereof, and other personal particulars).

Collection and Processing of Personal Data

“Collection of personal data” means any activity aimed at the acquisition of Personal data.

“Processing of personal data” means any activity aimed at the accumulation, storage, modification, complementation, use, distribution, anonymization, blocking or destruction of personal data.

Personal data may be collected and processed subject to a prior consent of such personal data subject or their lawful representative in the manner prescribed by Kazakhstan law.

Personal data may be collected and processed, only if adequately protected, to the extent required for the achievement of particular predetermined legitimate goals and objectives.

Personal data may not be processed for any goals that are inconsistent with the goals of such personal data collection.

Personal data may be collected and processed without a prior consent of such personal data subject or their lawful representative in certain exceptional circumstances, including, but not limited to, the following:

• when requested by government authorities for highly restricted purposes; or
• when required to protect constitutional rights and liberties of a man or a citizen, provided, however, that it is impossible to obtain consent of the personal data subject or their lawful representative; or
• when required for the performance of professional journalistic and/or mass media, scientific, literature or other artistic engagements, provided, however, that the engaged professionals strictly abide by Kazakhstan laws safeguarding the rights and liberties of man and citizen.

Cross-border Transfer of Personal Data (General Principles)

“Cross-border transfer of Personal data” means the transfer of personal data to a third country.

Subject to the Kazakhstan Law on Personal Data and Protection Thereof, Personal data may not be transferred to a third country until such third country ensures adequate protection of the transferred personal data in compliance with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (28 January 1981, Strasbourg), if the third country is a member of the Convention.

Personal data may be transferred to a certain third country which cannot ensure adequate protection of the transferred Personal data when:

• the personal data subject or their lawful representative has granted consent to such cross-border transfer of their Personal data;
• such cross-border transfer of personal data is provided for by international treaties ratified by the Republic of Kazakhstan;
• such cross-border transfer of personal data is provided for by Kazakhstan laws and is absolutely necessary for the protection of the constitutional system and for the enforcement of public order, rights and liberties of man and citizen, as well as public health and moral; or
• such cross-border transfer of personal data is required for the protection of constitutional rights and liberties of man and citizen, if it is impossible to obtain consent of the personal data subject or their lawful representative.

When transferring data to a third country, due regard should be given to other provisions regulating the issues of Personal data storage. For example, the Kazakhstan Law on Personal Data and Protection Thereof states that “Personal data must be stored by the owner and/or operator and/or a third party in a database located in the Republic of Kazakhstan”.

Liability for Breach of Personal Data Protection Laws

A breach of personal data protection laws is punishable by a penalty of up to US$7,000 (in practice, maximum US$1,500) under Articles 79, 451 and 641 of the Kazakhstan Code of Administrative Offences, or by imprisonment for up to 7 years under Articles 147 and 211 of the Kazakhstan Criminal Code.

Personal Information that We Collect, and How We Use It

What information do we collect?

ISS collects personal data that you provide to us directly when you request information about our services; subscribe to our website services, email notifications and/or newsletters; make an enquiry through the different means. This may include:

• Identification and contact data such as name, surname, job title, phone number, email, address and country.
• Financial and industrial data such as financial statements, manufacturing capacities and capabilities, available equipment and certificates, including those which are in process of obtaining, etc.
• Any information that you voluntarily share with us such as feedback, opinions or information provided via any of our helplines.

ISS also collects personal data automatically when you visit our website. This may include:

• Device information such as IP address, referring website, ISS pages the client’s device visited and the time that their device visited our website.
• Internet log information and details, collected through our third parties such as Google Analytics, that does not specifically identify the client.
• Information collected by cookies.

Why we use Personal data?

ISS will use the client’s Personal data for the following different purposes:

• To improve our website with the objective of ensuring that content is presented in the most effective manner for the client and for their device.
• To send email and communicate with the client via email regarding our services and events which may be of interest to the client if this is in accordance with their industrial preferences.
• To analyse the client’s use of our website for trend monitoring and promotional purposes.
• To respond to enquiries and comments and provide the client with support via communication channels, such as customer or contact centre support.
• To keep our website safe and secure and comply with our legal requirements and obligations.
• To set up and manage the client’s user account, if applicable.
• To share it with ISS partners so that they may offer the client their products or services as our subcontractors.
• For any other new purpose for which we notify the client before collecting any personal data.

How we share Personal data?

ISS shares and transfers the client’s personal data as described here and only in accordance with all privacy practices and RoK Law requirements. We may occasionally share non-personal, anonymised and statistical data with third parties for our own business purposes.

The following are the parties with whom we may share personal information and why:

• To other ISS partners with which ISS has contractual relations on receiving services and getting products in the frame of subcontracting relationships where it is necessary to meet the purpose for which the client has submitted their Personal data and in particular if necessary for the provision of services, assistance, and support. We take steps to ensure that ISS partners, follow this Privacy Statement and applicable Rok Law when handling personal data.
• Occasionally to third party contractors and providers which perform certain functions on behalf of ISS, such as picking up and delivering samples, fulfilling inspection orders, sending email, removing repetitive information from client lists, analysing and processing data, direct marketing services, and cloud hosting services. These parties only have access to such information as necessary to perform their functions and may not use it for any purpose other than to provide services to us.

How long we keep Personal data?

ISS will retain the client’s personal data for the period of time that is necessary to fulfil the original purposes for which it has been collected. Please keep in mind that in certain cases a longer retention period may be required or permitted by RoK Law or to allow ISS to pursue its business interests, conduct audits, comply with our legal obligations, enforce our agreements or resolve any dispute.

The criteria used to determine our retention periods include:

• How long is the data needed to provide the client with our products or services or to operate our business?
• Are we subject to a legal, contractual, or similar obligation to retain the client’s data? Examples can include mandatory data retention laws in the applicable jurisdiction, government orders to preserve data relevant to an investigation, or data that must be retained for the purposes of contract or litigation.

How Personal data is protected?

ISS follows strict security procedures in the storage and disclosure of information which the client has given us in order to prevent unauthorised access, loss or destruction of their personal data. These may include:

• Physical safeguards, with locked doors and file cabinets, controlled access to our facilities.
• Technology safeguards, like the use of anti-virus and endpoint protection software, and monitoring of our systems and data centres to ensure that they comply with our security policies.
• Organisational safeguards, like training and awareness programs on security and privacy, to make sure employees understand the importance and means by which they must protect the client’s personal data.

ISS does not seek to collect sensitive personal data (also known as special categories of data). If we do so we will always collect the data in accordance with RoK Law on Personal Data and Protection. If the client chooses to provide us with unsolicited sensitive personal data, they will be asked to consent to our processing of such data on a case-by-case basis by using a specific express consent form.

ISS does not knowingly collect or solicit personal data from anyone under the age of 16. If you are aged under 16, please speak to your parent/guardian to get their permission before you provide any personal information to ISS because without this consent, you are not allowed to provide us with your personal data. If we learn that we have collected data from a person aged under 16, we reserve the right to delete such data with no prior notification or consent.