1.1.        This Personal Data Processing Policy (the “Policy”) defines the Company's policy regarding the processing of personal data, the procedure for processing personal data of persons (users of the Website) by the Company, including the procedure for collecting, storing, using, transferring and protecting such data.

1.2.        The regulation of personal data treatment is aimed at ensuring the rights and freedoms of data owners whose personal data are being processed, maintaining the privacy and protection of personal data.

1.3.        The Policy has been developed on the basis of and in pursuance of:

a)         Constitution of the Republic of Kazakhstan;

b)        Law of the Republic of Kazakhstan “On Personal Data and Its Protection” No. 94-V dated 21 May 2013;

c)         other regulatory legal acts of the Republic of Kazakhstan, as well as international acts ratified by Kazakhstan.

2.1.        The following basic definitions and terms are used throughout this Policy:

a) Company or Owner means Novo Nordisk Kazakhstan LLP, Business Identification Number 170740001680, located at 42 Abai Avenue, Baykonyr Business Center, Almaty, 050022, Republic of Kazakhstan;

b) Group of Companies means a group of legal entities joined under the brand of Novo Nordisk (Denmark), a global pharmaceutical company;

c) Personal Data means information relating directly or indirectly to an identified or identifiable person;

d) Personal Data Subject or Data Subject means a natural person who is a user of the Website;

e) Personal Data Processing means any action (operation) or a set of actions (operations) performed towards personal data, whether using automation facilities or not, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of the Personal Data;

f) Automated Processing of Personal Data means the Personal Data Processing using computing machinery;

g) Personal Data Processing without automation facilities (manual processing) means actions towards the Personal Data, in particular, use, clarification, distribution or destruction, carried out with direct involvement of a person;

h) Provision of Personal Data means actions aimed at disclosing personal data to a certain person or a certain number of persons;

i) Blocking of Personal Data means temporary termination of the Personal Data Processing (unless such processing is necessary to clarify the Personal Data);

j) Destruction of Personal Data means actions, as a result of which it becomes impossible to restore the content of the Personal Data in the personal data information system and/or as a result of which the physical storage media of the Personal Data are destroyed;

k) Depersonalization of Personal Data means actions, as a result of which it is impossible to determine, without the use of additional information, whether the Personal Data is owned by a specific Personal Data Subject;

l) Cross-Border Transfer of Personal Data means the transfer of the Personal Data to the territory of a foreign state, a foreign state authority, a foreign natural person or a foreign legal entity;

m) Operator means a state body, a natural person and/or a legal entity that collects, processes and protects the Personal Data;

n) RK means the Republic of Kazakhstan.

3.1.        The Company processes the Personal Data of persons of the following categories:

a) users of the Website;

b) other persons, whose interaction with the Company necessitates processing of their Personal Data.

4.1.        The content and volume of the Personal Data of each category of persons shall be determined by the need to achieve specific purposes of such processing, and the need of the Company to exercise its rights and perform its obligations, as well as the rights and obligations of the relevant person.

4.2.        The Personal Data of the Website users may include:

a) name, surname, patronymic;

b) nationality;

c) data on education, advanced training and professional retraining, academic credentials, academic title;

d) contact details (including business and/or mobile phone numbers, e-mail, etc.);

e) information about the place of actual residence;

f) position;

g) name of the employer;

h) information about the employer's business address;

i) information about payments;

j) taxpayer identification number;

k) information of a medical nature (in cases provided for by law);

l) other data necessary for the performance of mutual rights and obligations between the Company and the user of the Website.

4.3.        The Personal Data of other persons includes:

a) name, surname, patronymic;

b) contact details;

c) other data necessary for the performance of mutual rights and obligations between the Company and the person.

5.1.        Processing of the Personal Data of the Data Subjects is based on the following principles:

a) processing of the Personal Data must be carried out on a legal and fair basis;

b) processing of the Personal Data that is incompatible with the purposes of collecting personal data is not allowed;

c) it is not allowed to combine databases containing the Personal Data the processing of which is carried out for purposes incompatible with each other;

d) while processing the Personal Data, it is necessary to ensure the accuracy, adequacy and, if and where necessary, the relevance to the purposes of the Personal Data Processing. The Owner must take, or ensure the taking of, necessary measures to delete or clarify incomplete or inaccurate data;

e) the Personal Data must be stored in a form that makes it possible to identify the Data Subject no longer than it is required for the purposes of the Personal Data Processing, unless provided otherwise by the law or this Policy and other policies of the Owner. The processed personal data are subject to destruction or depersonalization upon achievement of the processing purposes or if such achievement is no longer needed, unless provided otherwise by the law.

6.1.        The Personal Data of the Data Subjects is processed in order to provide access to the Website of the Company, namely, for:

a) providing information about the Company’s products;

b) holding events and ensuring the participation therein of the Data Subjects;

c) providing medical and scientific, reference and informational, as well as other information from the Company;

d) processing applications with claims or product safety information;

e) processing applications about negative developments or side effects;

f) processing other applications from the Data Subjects;

g) monitoring the effectiveness and safety of medicines;

h) performing and fulfilling the functions, powers and obligations assigned to the Company by the legislation of the RK and international treaties of the RK;

i) marketing purposes, to improve the Website and the services of the Website;

j) monitoring the effectiveness and safety of medicines in order to identify possible negative consequences of their use, or individual intolerance;

k) other purposes aimed at safeguarding the interests of the Company and compliance with laws and other regulatory legal acts.

6.2.        The Personal Data is processed solely for the achievement of the above purposes. In order to use the data for other purposes, it is necessary to inform the Data Subject and, if necessary, obtain a new consent for processing.

6.3.        The Personal Data Processing may be carried out for other purposes if this is necessary to comply with the legislation.

7.1. General Rules

7.1.1. The Personal Data is processed by way of mixed (both automated and non-automated) processing, including the use of the internal network and the Internet.

7.1.2. In cases established by the legislation of the RK, the main condition for processing the Personal Data is obtaining a consent from the relevant Data Subject in a form established by the legislation of the RK.

7.1.3. The consent of the Data Subject to the Personal Data Processing shall at least include:

a) name, surname, patronymic;

b) name, surname, patronymic of the legal representative of the Data Subject (it is prohibited to represent a Data Subject under a power of attorney);

c) name and address of the Company that receives the consent of the Data Subject;

d) the aim of the Personal Data Processing;

e) a list of the Personal Data for processing of which the consent of the Data Subject is to be granted;

f) a list of actions towards the Personal Data for which the consent is to be granted, the general description of processing methods used by the Operator;

g) a period, during which the consent is valid, as well as the procedure for withdrawal;

h) particulars of how the Data Subject may request information about processing of his/her Personal Data, make changes, additions to his/her Personal Data, withdraw consent to processing of his/her personal data;

i) the signature of the Data Subject or its equivalent (only if the consent is provided in writing or in the form of an electronic document).

7.1.4. The Data Subject shall provide his/her consent to processing of his/her Personal Data by electronic communications, via Internet or e-mail. 

7.2. Collection 

7.2.1. The source of all Personal Data shall be the Data Subject himself/herself.

7.2.2. Unless provided otherwise by the law, the Company may only obtain the Personal Data of the Data Subject from third parties upon receipt of the Data Subject's prior consent, or if the Data Subject has already given consent to such third party for the transfer of his/her Personal Data.

7.2.3. The consent of the Data Subject for obtaining his/her Personal Data from third parties must contain:

a) a name and location of a person, who transmits the Personal Data of the Data Subject;

b) a name and location of a person, who receives the personal data of the Data Subject;

c) a list of personal data for processing of which the consent of the Data Subject is given;

d) the purpose of processing such Personal Data by the Company and the legal grounds therefor;

e) intended users of the Personal Data;

f) a list of actions towards the Personal Data, for which the consent is given, the general description of processing methods used by the Operator;

g) rights of the Data Subject established by law;

h) particulars of how the Data Subject may request information about processing of his/her Personal Data, make changes, additions to his/her Personal Data, withdraw consent to processing of his/her Personal Data;

i) a period, during which the consent is valid, as well as the procedure for withdrawal.

7.3. Storage

7.3.1. When storing the Personal Data, it shall be required to observe the conditions ensuring the safety of the Personal Data, as provided for by the legislation of the RK.

7.3.2. Documents containing the Personal Data stored on paper are kept in dedicated places with limited access in conditions that ensure their protection against the unauthorized access. A list of document storage locations is determined by the Company within its organization, as a whole. 

7.3.3. The Personal Data kept in an electronic form is protected against the unauthorized access using special technical, software, organizational and legal means of protection. It shall not be allowed to store the Personal Data in an electronic form outside the information systems used by the Company or databases specifically designated by the Company (off-system storage of the Personal Data). 

7.3.4. The Personal Data shall be kept in a form that allows identifying the Data Subject, but no longer than the purposes of processing thereof require, unless another period is established by the legislation of the RK or an agreement with the Data Subject. 

7.3.5. Unless provided otherwise by the legislation of the RK, the processed personal data is subject to destruction upon achievement of the processing purposes, when there is no further need for such achievement, or after the expiration of its storage period.

7.3.6. The destruction of the Personal Data must be carried out in a way that excludes further processing of this Personal Data. At the same time, if appropriate, it is necessary to preserve the ability of processing other data recorded on the corresponding physical storage media (deletion, defacement). 

7.3.7. If it is necessary to destroy or block a part of the Personal Data, the physical storage medium shall be destroyed or blocked, copying first the information that is not subject to destruction or blocking in a way that precludes the concurrent copying of personal data that is subject to destruction or blocking.

7.4. Use

7.4.1. The Personal Data is processed and used for the purpose specified in Clause 6.1 of this Policy.

7.4.2. The access to the Personal Data is provided only to persons, whose responsibilities involve treatment of the relevant Personal Data, and only for a period necessary for such treatment.

7.5. Transfer

7.5.1. The transfer of the Personal Data of the Data Subjects to third parties is allowed to the minimum extent required and only for achieving the purposes provided for by this Policy. The transfer of the Personal Data to third parties, including for commercial purposes, is allowed only with the consent of the Data Subject, or under other legal grounds.

7.5.2. To achieve the purposes specified above in this Policy, the Company shall give access to the Personal Data of the Data Subject for, and/or transfer such data to, the Group of Companies, other persons who help the Company to provide services to the Data Subjects, e.g.:

1) providers of technological or analytical services;

2) financial service providers; 

3) persons providing services in the field of marketing, advertising, including social media, advertising agencies;

4) customer support service providers;

5) state bodies and state enterprises in the field of healthcare. 

7.5.3. The Group of Companies, as well as the persons to whom the data is transferred, may be located within or outside the territory of Kazakhstan. The Data Subject shall give a permission for the transfer of his/her Personal Data to the Group of Companies, and to third parties on the territory of Kazakhstan, as well as for the cross-border data transfer.

7.5.4. If the Personal Data is transferred to the territory of foreign states that do not provide personal data protection, the Company takes necessary measures to ensure the protection of the Personal Data of the Data Subjects. Such transfer shall be made in accordance with the requirements and rules provided for by the legislation of the RK for the cross-border transfer of the Personal Data. The Company will not transfer data to the territory of foreign states that do not ensure the personal data protection without the permission of the Data Subjects. 

7.5.5. The information containing the Personal Data shall be transferred in a way that ensures protection against the unauthorized access, destruction, modification, blocking, copying or dissemination of information to an unlimited number of persons, as well as other illegal actions in relation to such information.

7.5.6. Persons receiving the Personal Data are warned that such data may only be used for purposes for which it has been collected, and in compliance with the privacy regime. The Company may request from such persons the confirmation that this rule is observed.

7.5.7. In cases where the state bodies have the right to request the Personal Data, or where the Personal Data must be provided in accordance with law, as well as by a court order, the relevant information shall be provided to them in a manner established by the legislation of the RK.

7.5.8. The Data Subject may make a request to the Company to change, supplement, destroy his/her personal data, provide information about the Personal Data. All incoming requests from the Data Subjects are transferred to a person responsible for organizing the Personal Data Processing in the Company for consideration and preparation of a response. The Company shall have in place a person responsible for organizing the Personal Data Processing.

7.5.9. A Data Subject may send a request referred to in Clause 7.5.8 to the Company as follows: eaeu-safety@novonordisk.com. All requests from the subjects or their representatives in connection with processing of their Personal Data are recorded in an appropriate log.

7.5.10. A Data Subject also has the right to request that the Company provide him/her with a pool of the Personal Data in a structured and machine-readable form, so that the subject is able to transfer such data for processing to other owners or operators of databases.

7.5.11. The Company guarantees the Data Subject the exercise of his rights free of charge. 

7.6. Processing Delegation

7.6.1. The Company may delegate the Personal Data Processing to another person under an agreement entered into with such person. The person who processes the Personal Data on behalf of the Company shall commit to adhere to the principles and rules of the Personal Data Processing established by the legislation of the RK.

7.6.2. An agreement with a person who processes the Personal Data on behalf of the Company shall include:

a) a list of actions (operations) towards the Personal Data that will be performed by the person processing the Personal Data;

b) processing purposes;

c) the undertaking of such a person to observe the privacy of the Personal Data and ensure the safety of the Personal Data while processing, as well as the requirements for the protection of the processed Personal Data in accordance with the legislation, and the liability for non-compliance with such requirements.

7.7. Protection

7.7.1.   The reference to the protection of the Personal Data shall mean a number of legal, organizational and technical measures aimed at:

a) ensuring the protection of information against the unauthorized access, destruction, modification, blocking, copying, provision, dissemination, or against other illegal actions in relation to such information;

b) maintaining the privacy of restricted information;

c) exercising the right of access to information.

7.7.2.   To protect the Personal Data, the Company takes the necessary measures provided for by law, including, but not limited to:

a) restricting and regulating a number of persons, whose duties require access to the information containing the Personal Data (including through the use of passwords for accessing electronic information resources);

b) ensuring conditions for the restricted-access storage of documents containing the Personal Data;

c) organizing the procedure for the destruction of information containing the Personal Data, unless the legislation establishes requirements for the storage of such data;

d) monitoring the compliance with the requirements for ensuring the security of the Personal Data, including those established by this Policy (by way of internal audits, installing special monitoring tools, etc.);

e) investigating cases of the unauthorized access or disclosure of the Personal Data, bringing the guilty employees to liability, or taking other measures;

f) implementing software and technical means of protection of electronic information;

g) ensuring the ability of restoring the Personal Data modified or destroyed due to the unauthorized access thereto, etc.

7.7.3.   To protect the Personal Data while processing in information systems, the Company takes the necessary measures provided for by law, including, but not limited to:

a) locating any threat to the safety of the Personal Data during processing;

b) implementing the organizational and technical measures to ensure the safety of the Personal Data during processing in personal data information systems, necessary to meet the statutory requirements for the protection of the Personal Data at levels established by the legislation of the RK;

c) recording machine-based storage media of the Personal Data;

d) locating any event of unauthorized access to the Personal Data and taking measures;

e) restoring personal data modified or destroyed due to the unauthorized access thereto;

f) establishing rules for the access to the Personal Data processed in the personal data information system, as well as ensuring the registration and record of all actions performed towards the Personal Data in the personal data information system.

7.7.4.   The Company shall take other measures aimed at ensuring the Company’s compliance with its obligations in the field of personal data, as provided for by the legislation of the RK.

8.1.        The Data Subjects shall have the right to:

a) have access to their Personal Data;

b) withdraw their consent to processing of their Personal Data;

c) change, clarify, destroy or block their Personal Data;

d) receive information concerning processing of their Personal Data;

e) appeal against the unlawful actions or inaction in processing of Personal Data and claim appropriate compensation in court in a manner provided for by law;

f) appoint representatives to protect their personal non-property rights and represent their interests within the procedure provided for by law;

g) protect their rights and legitimate interests in the field of the Personal Data;

h) exercise other rights provided for by the regulatory acts of the RK.

8.2.        The Data Subject shall:

a) provide the Company with accurate personal data;

b) timely inform the Company about changes or additions to their Personal Data;

c) exercise their rights in accordance with the law, other regulatory legal acts and local regulations of the Company for the Personal Data processing and protection;

d) perform other obligations stipulated by the law, other regulatory legal acts and local regulations of the Company for the Personal Data processing and protection.

9.1.        The Company is entitled to establish rules for the Personal Data Processing in the Company, amend this Policy, independently develop and apply form documents necessary to perform its obligations as the owner of the database containing the Personal Data, as required by the law.

9.2.        The Company shall:

a) ensure that the Personal Data is processed solely for the purposes for which it has been collected;

b) obtain a consent from the Data Subject to processing of his/her Personal Data;

c) protect the Personal Data against the unlawful use or loss;

d) perform other obligations stipulated by the legislation of the RK and local regulations of the Company for processing and protection of the Personal Data.

10.1.        The Company will process the data of the Data Subjects up until the date on which the purposes determined in this Policy are achieved. After achieving these purposes, the Personal Data of the Data Subjects will be destroyed by the Company.

10.2.        The Data Subject can withdraw his consent to the Personal Data Processing at any time and ask to destroy his Personal Data.
