Privacy Policy

1. General provisions
   1. This Privacy and Personal Data Processing Policy (hereinafter referred to as “Policy”) shall apply to all personal data that Happy Job Asia Limited Liability Partnership (Happy Job Asia LLP), BIN 230940032542, location: Republic of Kazakhstan, city of Astana, Saryarka district, Beibitshilik street, house 43 (hereinafter referred to as the “Data Controller”) may obtain, under the terms of this Policy, from a personal data subject who is an employee of the Data Controller, another person working/providing services under relevant agreements concluded with the Data Controller, as well as an employee and/or representative and/or consumer (including a potential consumer) of Data Controller’s Data Processor.
   2. Data Controller shall ensure protection of processed personal data from unauthorized access and disclosure, unlawful use or loss.
   3. Data Controller shall be entitled to amend the Policy. After doing so, the date of the last updated version shall be indicated in the Policy heading above. The Policy new version takes effect upon its posting at https://happy-job.kz/privacy-policy//, unless otherwise provided in a new version of the Policy.
   4. In cases where a license or other agreement concluded between the Data Controller and a Data Processor contains provisions how to use personal information and/or personal data, the provisions of the Policy and such agreement shall apply to the extent that they do not contradict the Policy.
   5. A Data Processor when concluding a license or other agreement with the Data Controller on terms and conditions of a relevant provision of Appendix 1 hereto (Data Processing Agreement) shall instruct the Data Controller to process the personal data of its employees and/or representatives and/or consumers (including potential consumers) sent by the Data Processor to the Data Controller for the purposes that the Data Controller fulfills its obligations under the agreement concluded with the Data Processor.
2. Terms and Abbreviations
   1. For the purposes of this Policy, the following terms are used:
      • Personal Data means any datasets relating directly or indirectly to a specific or identifiable individual (personal data subject).
      • Personal data processing means any action (operation) or set of actions (operations) performed in an automated manner or in a non-automated manner including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, disclosure, access), depersonalization, blocking, deletion, destruction of personal data.
      • Automated personal data processing means processing of personal data using computer technologies.
      • Personal data information system (PDIS) is a set of personal data contained in databases and the information technologies and technical means that ensure their processing.
      • Personal data made public by personal data subject is information an individual explicitly authorizes for dissemination to an unlimited number of people.
      • Blocking of personal data means temporary suspension of personal data processing (except in cases when processing is necessary to clarify personal data).
      • Destruction of personal data refers to actions that permanently remove data from the personal data information system so that it cannot be restored and (or) that result in destruction of tangible media of personal data.
      • Anonymization (depersonalization) of personal data means actions of permanently removing or altering personally identifiable information from a dataset ensuring the data can no longer be linked to a specific individual without additional information.
      • Data Controller means any entity, alone or jointly with other persons, involved into processing of personal data, and also defining the purposes of processing personal data to be processed, actions (operations) performed with personal data. Data Controller is Happy Job Asia Limited Liability Partnership (Happy Job Asia LLP), BIN 230940032542, location: Republic of Kazakhstan, city of Astana, Saryarka district, Beibitshilik street, house 43 3. For these purposes, the Data Controller acts as a processor, and the Data Processor acts as an Data Controller in accordance with Appendix 1 hereto (Data Processing Agreement).
      • Software means software specified in a license or other agreement concluded between the Data Controller and the Data Processor the right to use which is granted by the Data Controller to the Data Processor under terms and conditions of an ordinary (non-exclusive) license or through which the Data Controller provides services to the Data Processor.
      • Data Processor means an incorporated of unincorporated person who has entered into a license or other agreement with the Data Controller under which the Data Controller grants such Data Processor, under terms and conditions of an ordinary (non-exclusive) license, the right to use the Software or under which the Data Controller provides services to the Data Processor using this Software.
      • Web means web resource (domain — https://happy-job.kz/) including all domain levels.
      • Feedback form is an element of the Website interface to be filled in by the User for the purpose of communication with the Data Controller and further obtaining information from it about terms and conditions of provision of Data Controller's Software for use based on a license or other agreement.
      • User is an individual, any Website user who disclosed his/her Personal Data when filling out the fields of the Feedback Form or any other specialized form on the Website for the purposes of: 1) access to information and/or materials provided by the Data Controller; 2) communicating with the Data Controller and subsequently obtaining information from it regarding the terms of provision of Data Controller's software for use based on a license or other agreement. For the purposes of this Policy, a User is also considered to be any individual who has disclosed his/her Personal Data when filling out a specialized form on a third-party Internet resource if such form contained a reference to the Data Controller and an active link to this Policy.
3. Personal data processing
   1. Obtaining Personal Data
      
      1. All Personal Data shall be obtained from the Personal Data Subject. If subject’s personal data can only be obtained from a third party, then the data subject shall be notified of this by such third party or consent must be obtained from such third party. The third party shall confirm that he/she has full authority to disclose Subject’s Personal Data to the Data Controller. For the purposes of this clause of the Policy, the Data Processor shall be considered as a third party.
      2. Data Controller shall inform the personal data subject about the purposes, intended sources and methods of obtaining personal data, the nature of personal data to be obtained, the list of actions performed on personal data, the period during which consent is valid and the procedure for its revocation, as well as the consequences of the subject’s refusal to give written consent to receive them, except in cases where the processing of such personal data is assigned to the Data Controller by a Data Processor under Appendix 1 hereto (Data Processing Agreement).
      3. Documents containing Personal Data are created by:
         
         • copying original documents;
         • entering information into software access authorization forms including by personal data subjects during use of such software;
         • obtaining information and the content of documents or copies of such documents by sending such documents, including in electronic form, to the Data Controller;
         • obtaining originals of essential documents;
         • obtaining Personal data after filling in the fields of specialized forms on Website/third-party resource under terms and conditions of par. 15 cl. 2.1 hereof.
      4. Information obtained by software during its use by employees and/or representatives and/or consumers (including potential consumers) of the Data Processor.
         1. The software provided by the Data Controller to the Data Processor by virtue of a license or other agreement concluded between them shall collect, gain access to and use for the purposes specified herein the Personal Data of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor, Data Controller’s employees or another person working/providing services under relevant agreements concluded with the Data Controller, and technical and other information related to such persons while using the software.
         2. Technical information shall not be considered Personal Data. The software uses cookies allowing identification of an employee and/or representative and/or consumer (including potential consumers) of the Data Processor, Data Controller’s employees or other person working/providing services under relevant agreements concluded with the Data Controller. Cookies are text files used by software to remember preferences of an employee and/or representative and/or consumer (including potential consumers) of the Data Processor, Data Controller’s employees or another person working/providing services under relevant agreements concluded with the Data Controller, including information about which pages of the software such person visited and the time such person spent on the software page. An employee and/or representative and/or consumer (including potential consumers) of the Data Processor, Data Controller’s employees or other person working/providing services under relevant agreements concluded with the Data Controller may disable cookies in the browser settings.
         3. Technical information also means information that is automatically transmitted by the software during its use installed on the device of an employee and/or representative and/or consumer (including potential consumers) of the Data Processor, Data Controller’s employees or another person working/providing services under relevant agreements concluded with the Data Controller, including IP address, browsing history, etc.
   2. Personal Data Processing
      
      1. Personal Data shall be processed:
         
         • with consent of a personal data subject to process his/her personal data;
         • with consent of a third party acting on behalf of a personal data subject to process his/her personal data;
         • in cases where the processing of Personal data is necessary to implement and perform functions, powers and duties imposed by applicable law;
         • in cases where the processing of Personal Data is assigned by the Data Controller to the Data Processor in accordance with the terms of Appendix 1 hereto (Data Processing Agreement);
         • in cases where Personal Data made public by the personal data subject is processed.
      2. Purpose of processing:
         
         Purposes specified in cl. 3.2.4.1.1, 3.2.4.2.1 and 3.2.4.3.1 hereof and email marketing.
      3. Personal Data Processing Operations:
         
         1. For personal data subject category according to cl. 3.2.4.1. and 3.2.4.2 hereof: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, disclosure, access), depersonalization, blocking, deletion, destruction of personal data.
         2. For personal data subject category according to cl. 3.2.4.3. hereof: collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, disclosure, and access), blocking, deletion, destruction of personal data.
      4. Personal Data Subject Categories
         
         1. Employees and/or representatives and/or consumers (including potential consumers) of the Data Processor (individuals):
            
            1. Personal data of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor (individuals) is processed in order to fulfill a license or other agreement concluded between the Data Controller and the Data Processor under which the Data Controller grants such Data Processor, under terms and conditions of an ordinary (non-exclusive) license, the right to use the software or under which the Data Controller provides services to the Data Processor using this software. Data Processor and Data Controller have agreed upon the Personal Data Processing in accordance with Appendix 1 hereto (Data Processing Agreement) upon conclusion of a license or other agreement with the Data Controller.
            2. Legal grounds for Personal Data Processing: personal data subject’s consent, in this case the Data Processor shall be the Data Controller, and the Data Controller shall be the processor as specified in Appendix 1 hereto (Data Processing Agreement).
            3. Processing period: during a license or other agreement concluded between the Data Controller and the Data Processor.
            4. Personal data is processed: 1) in an automated manner; 2) in a non-automated manner.
         2. Data Controller’s employees and other persons working/providing services under relevant agreements concluded with the Data Controller such as:
            
            • Individuals employed by the Data Controller;
            • Individuals who have left the Data Controller's staff;
            • Individuals who apply for a job in a Data Controller’s body;
            • Individuals who are participants of civil law relations with the Data Controller.
            1. Processing employee data is lawful to fulfill obligations under an employment contract. Personal data of other persons who work/provide services under relevant agreements concluded with the Data Controller shall be processed to fulfill such agreements to which personal data subjects are parties.
            2. Legal grounds for Personal Data Processing: an agreement to which the personal data subject is a party.
            3. Processing period:
               
               • Employee data shall be processed in accordance with applicable law. Upon termination of the employment contract with a Data Controller's employee, his/her personal file shall be deposited in archives. Personal files of Data Controller's managers shall be kept on file.
               • Personal data of other persons who work/provide services under relevant agreements concluded with the Data Controller shall be processed to fulfill such agreements and in accordance with applicable law but at least until expiration of three years from the date of expiry of a relevant agreement concluded by such person with the Data Controller.
            4. Personal data is processed: 1) in an automated manner; 2) in a non-automated manner.
         3. Website users
            
            1. Website User’s Personal Data shall be processed for the purposes of:
               
               • providing Website Users with access to information and/or materials granted by the Data Controller (including when posting them on third-party resources);
               • to communicate with Users for his/her follow-up informing about the terms of provision of Data Controller’s software to use based on a license or other agreement.
            2. Legal grounds for Personal data processing: personal data subject’s consent.
            3. Processing period: until the purposes for which the personal data were collected have been achieved, unless otherwise provided by applicable law.
            4. Personal data is processed: 1) in an automated manner; 2) in a non-automated manner.
         4. Personal Data processed by the Data Controller
            
            1. The processed personal data of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor (individuals) shall include as follows:
               
               • Surname, given name, patronymic;
               • Email;
               • Telephone;
               • Employer’s data;
               • Position;
               • Data gathered by analytics services;
               • Other data including information entered by personal data subjects into the software access authorization forms using such software (age, gender, length of service, city of work, department in which the personal data subject works, etc.)
            2. The processed employee’s data and personal data of persons who work/provide services under relevant agreements concluded with the Data Controller shall include as follows:
               
               • data obtained during employment relations;
               • data obtained during selection of job applicants;
               • data obtained in course of civil law relations.
         5. User Personal Data processed is as follows:
            
            • Surname, given name, patronymic;
            • Email;
            • Telephone;
            • Employer’s data;
            • Position;
            • Data gathered by analytics services.
         6. Automated and non-automated processing of Personal Data shall be provided on the basis of the following principles:
            
            • legitimacy of the purposes and methods of processing Personal Data;
            • compliance of processing purposes with the purposes previously determined and declared during the collection of Personal data including the purposes of processing in accordance with Appendix 1 hereto (Data Processing Agreement), if the Data Controller processes Personal data on its basis;
            • compliance of the volume and nature of the processed personal data, the processing methods with the processing purposes;
            • accuracy of Personal Data, its sufficiency for processing purposes, inadmissibility of the processing of Personal Data that is excessive in relation to the purposes stated when collecting the Personal Data;
            • inadmissibility of combining databases of Personal Data information systems created for incompatible purposes;
            • destruction of Personal Data after the purposes of processing have been achieved or if there is no longer a need to achieve them;
            • personal responsibility of Data Controller’s employees for Personal Data safety and privacy as well as storage media;
            • available clear permitting system for access of Data Controller's employees to documents and databases containing Personal data.
      5. Personal Data Storage
         
         1. Personal data of data subjects may be obtained, further processed and saved both on paper and in electronic form.
         2. Personal data on paper shall be stored in locked cabinets or in locked rooms with limited access.
         3. Personal data of data subjects automatically processed for different purposes shall be stored in different folders.
         4. It is not allowed to store and post documents containing Personal Data in open electronic catalogues (file share sites) on PDIS.
         5. Personal data shall be stored in a form that allows the identification of personal data subject only as long as is needed for the purposes of their processing; and the data is to destruct after the purposes of processing have been achieved or if there is no longer a need to achieve them.
      6. Depersonalization of Personal Data
         
         1. During the Personal Data processing of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor (individuals) within the term of a license or other agreement concluded between the Data Controller and the Data Processor, the Data Controller is entitled to anonymize the Personal data of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor (individuals) and to store such anonymized data.
         2. The Data Controller uses the following depersonalization techniques:
            
            • De-identification technique means replacing sensitive data with identifiers upon creation of a table of correspondence between identifiers and the main dataset;
            • Change in composition and semantics means changing the composition or semantics of personal data by replacing it with statistical values, generalization, or deletion of sensitive data;
            • Decomposition technique is division of an array (set) of personal data into several sub-arrays (subsets) with subsequent separate storage of sub-arrays (subsets);
            • Mixing technique is a reshuffle of separate values or groups of values of personal data attributed in an array of personal data set. The Data Controller in his sole direction shall determine the depersonalization technique of Personal data out of the list according to this clause above.
         3. The fact that personal data has been depersonalized (anonymized) shall be formally confirmed and verified by a documented Personal Data Depersonalization Act.
      7. Destruction of Personal Data
         
         1. Documents or media containing Personal Data shall be securely destroyed by burning, crushing (grinding), transformation into a shapeless mass or powder or chemical decomposition to ensure the information is completely unrecoverable. Using a shredder is the allowed method for destroying paper documents.
         2. Personal data on electronic media shall be destroyed by erasing or formatting the media to prevent data recovery.
         3. The fact that personal data has been destroyed shall be formally confirmed and verified by a documented Media Destruction Act.
      8. Transfer of Personal Data
         
         1. The Data Controller shall transfer Personal Data to third parties only when:
            
            • a personal data subject accepted and approved such transfer;
            • the transfer is permitted by applicable law, including cross-border transfer of Personal Data.
4. Data gathered by analytics services and technical information
   
   1. The Site uses the Yandex. Metrica analytic service to maintain statistics. Data processed is listed below:
      
      • cookies;
      • ID;
      • date and time of visit;
      • pages viewed;
      • visitor’s region;
      • type of device that visitor used to access the site and his/her operating system.
   2. Data Controller also processes technical information. Technical information refers to information automatically transmitted to the Data Controller during each Site visit, namely:
      
      • IP Address;
      • Browser;
      • Other non-personal technical information.
5. Personal Data Security
   
   1. The Data Controller establishes a Personal Data Protection System (PDPS) integrating legal, organizational, and technical subsystems to ensure full compliance with regulatory frameworks.
   2. The legal protection subsystem is a set of legal, organizational, administrative and regulatory documents that allows PDPS system to be established, operated, and legally enforced.
   3. The organizational security subsystem safeguards data by structuring management, controlling access rights, and enforcing protocols when interacting with personnel, partners, and third parties.
   4. The technical security subsystem refers to a comprehensive, multi-layered framework of hardware, software, and procedural controls designed to safeguard personal data.
   5. The technical security subsystem refers to a comprehensive, multi-layered framework of hardware, software, and procedural controls designed to safeguard personal data.
      
      1. Appointment by the Data Controller of a designated responsible person to independently manage personal data flows, provide mandatory employee training and instruction, and conduct internal compliance audits.
      2. Identifying and mitigating current ISPD threats and developing a personal data protection program.
      3. Developing this Personal Data Processing Policy.
      4. Establishing rules for access and tracking operations within the Personal Data Information System, and logging and tracking all Personal data operations.
      5. Setting up individual passwords for employees' access to the information system in accordance with their job duties.
      6. Applying duly completed conformity assessment procedures.
      7. Certified antivirus software with regularly updated databases.
      8. Compliance with conditions ensuring personal data safety and preventing unauthorized access.
      9. Detecting and addressing unauthorized access to personal data.
      10. Restoring personal data modified or destroyed by unauthorized access.
      11. Establishing a structured training program for personnel directly involved in data handling, including applicable legislation, requirements for the protection of Personal Data, documents defining the Data Controller's Policy, related local regulations and procedures.
      12. Internal control and audit.
   6. Persons (Data Controller’s employees and other persons working/providing services under the relevant agreements concluded with the Data Controller) who violate personal data processing rules of employees and/or representatives and/or consumers (including potential consumers) of the Data Processor may be subject to disciplinary and material liability, as well as other legal liability.
6. Fundamental rights of the Personal Data Subject and Obligations of the Personal Data Data Controller
   1. Fundamental rights and obligations of the Personal Data Subject.
      The Personal Data Subject has the right to access his/her personal data and the following information:
      
      • requesting confirmation from the Data Controller as to whether he/she is processing personal data;
      • legal grounds for and purposes of processing personal data;
      • purposes and processing techniques of Personal data used by the Data Controller;
      • name and location of the Data Controller, information about persons (except for the Data Controller’s employees) who have access to Personal Data or to whom Personal Data may be disclosed pursuant to an agreement with the Data Controller or on the basis of applicable law;
      • timing of the personal data processing and storage;
      • exercising personal data rights by data subjects under applicable laws;
      • in cases where Personal data is provided for a third party, the data subject who provided the Personal Data, or the Data Processor who assigned the Data Controller to process the Personal Data under the terms of Appendix 1 hereto (Data Processing Agreement) shall notify the subject of Personal data provided;
      • name or surname, given name, patronymic and address of the person authorized to process Personal data on behalf of the Data Controller in case of current or future authorization;
      • contacting the Data Controller and sending him/her requests;
      • appealing the acts or omissions of the Data Controller.
      1. The Personal Data Subject may withdraw his/her consent for personal data processing at any time by sending the Data Controller a corresponding written notice to the Data Controller’s postal address or to sales@happy-job.kz, provided that the Data Controller may continue to use it if permitted by applicable laws.
   2. Obligations of the Personal Data Data Controller.
      Personal Data Data Controller shall:
      1. at the time when personal data is obtained, provide the data subject with all the information thereof;
      2. in cases where the personal data was not obtained from the data subject, notify the data subject except in cases where the processing of such personal data is assigned to the Data Controller by a Data Processor under Appendix 1 hereto (Data Processing Agreement);
      3. in case of refusal to provide personal data, the data subject shall be informed about the consequences of refusing to provide personal data;
      4. publish a Personal Data Processing Policy and make information on implemented security requirements easily accessible;
      5. implement all the necessary legal, organizational and technical measures or ensure their adoption to protect Personal Data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, distribution of personal data, as well as from any other unlawful misuse;
      6. provide responses to requests and appeals from personal data subjects, their representatives and Data Protection Authorities, except in cases where the processing of such personal data is assigned to the Data Controller by a Data Processor under Appendix 1 hereto (Data Processing Agreement).

Appendix No. 1 to the Privacy and Personal Data Processing Policy