Политика обработки персональных данных
Настоящая Политика определяет цели и принципы обработки персональных данных в ONEKYC, а также меры по защите прав субъектов данных.
Purpose, Operator and Scope
This Personal Data Processing Policy (the “Policy”) defines the purposes and general principles of personal data processing, as well as the measures implemented to protect the rights of personal data subjects by the Operator when using the KYC platform (SaaS) – ONEKYC – for business.
This Policy applies to all personnel of the Operator, including employees under employment contracts, trainees, and persons performing work under other agreements, after they have been ознакомлены with it or such obligations have been imposed by concluding agreements with the Operator.
The requirements of this Policy are also taken into account with respect to other persons where their participation in the Operator’s personal data processing activities is necessary, including partners, contractors, service providers, other counterparties, etc., including under personal data processing instructions, by entering into agreements with such persons and imposing the relevant obligations on them.
Personal Data Operator: Limited Liability Company “Kyulchoro” (LLC “Kyulchoro”) Registered address: Kyrgyz Republic, Bishkek, Leninsky District, Kyzyl-Adyr St. (Archa-Beshik residential area), 172A TIN: 01104202510167 Registration No.: 315102-3301-LLC
For the purposes of this Policy, the terms “personal data”, “personal records”, “owner of personal records”, “processor”, “incident in the digital environment”, “personal data breach”, “cross-border transfer of personal data”, and “automated decision” are used in the meanings established by the Digital Code of the Kyrgyz Republic (including Article 1 of the Digital Code of the Kyrgyz Republic).
Compliance with Applicable Laws
This Policy has been developed primarily on the basis of the legislation of the Kyrgyz Republic, as the Operator is registered in the territory of the Kyrgyz Republic. This Policy uses terms and definitions in accordance with their meanings as defined in the Law of the Kyrgyz Republic “On Information of a Personal Nature” dated 14 April 2008 No. 58. The Operator processes personal data taking into account the requirements of the said law, its subordinate regulations, and regulatory and methodological documents of the governmental authorities of the Kyrgyz Republic authorized in the field of information security and protection of the rights of personal data subjects.
With regard to relations in the digital environment, including personal data processing, digital identification/authentication, digital resilience and incident response, the Operator takes into account the requirements of the Digital Code of the Kyrgyz Republic dated 31 July 2025 No. 178 (in particular, Articles 57, 63, 73, 75–76, and 77–91).
Where possible, this Policy also takes into account provisions of other legislation applicable to the Operator’s activities in the field of personal data processing (e.g., the GDPR) to the extent not contradicting the legislation of the Kyrgyz Republic.
Principles of Personal Data Processing
The Operator processes personal data on a lawful and fair basis. The main legal grounds and processing principles are determined, inter alia, by Articles 78–79 of the Digital Code of the Kyrgyz Republic. The main legal grounds for processing include:
The content and scope of the processed personal data are determined based on the purposes of processing. Personal data that are excessive or incompatible in relation to the following main purposes are not processed:
The main categories of personal data subjects include:
For the specified categories of subjects, the following may be processed in accordance with the purposes of processing:
The Operator processes personal data using a mixed method: with and without automation tools.
Actions performed with personal data include: collection; recording; systematization; accumulation; storage; clarification (updating, modification); extraction; use; transfer (dissemination, provision, access); depersonalization; blocking; deletion; destruction.
During processing, the accuracy, sufficiency and relevance of personal data in relation to the purposes of personal data processing are ensured (Article 78 of the Digital Code of the Kyrgyz Republic). If inaccurate or incomplete personal data are identified, they may be уточнены and updated. Where updating personal data is outside the Operator’s area of responsibility, processing may be suspended until the data are updated. Obligations and liability for timely updating of personal data for certain processing cases may be established by the Operator’s agreements.
Personal data are processed and stored no longer than required by the purposes of processing, unless there are legal grounds for further processing (Article 78 of the Digital Code of the Kyrgyz Republic).
The processed personal data are subject to destruction or depersonalization upon the occurrence of the conditions listed in this Policy. Where grounds for deletion of personal records as provided for in Article 83 of the Digital Code of the Kyrgyz Republic exist, the Operator deletes personal records without undue delay, provided there are no legal grounds for further retention (for example, for bringing/defending claims or where retention is required by law - Article 83(2) of the Digital Code of the Kyrgyz Republic).
When carrying out cross-border transfer of personal data, the Operator takes into account the requirements of Article 89 of the Digital Code of the Kyrgyz Republic.
Automated decisions (where applicable): where automated decisions are used that produce legal effects for the data principal or similarly significantly affect them, the data principal is entitled to request that such decisions be discontinued and that they be reviewed with human involvement in accordance with Article 57 of the Digital Code of the Kyrgyz Republic.
Processing as a Sub-Processor and Engagement of Subcontractors
In addition to acting as a personal data operator, the Operator may act as a person processing personal data on behalf of other personal data operators under contracts and other agreements. Such cases include, for example:
Where necessary, the Operator may engage third-party organizations to process personal data as subcontractors, provided that the processing principles are complied with and there is an appropriate contract or agreement with them. Such cases include, for example:
Personal data processing under the Operator’s contracts and other agreements, including personal data processing instructions, is carried out in accordance with the terms of such contracts/agreements.
Obtaining the Data Subject’s Consent to Process Their Personal Data
Where the legal grounds for processing provided for in Article 79(1) of the Digital Code of the Kyrgyz Republic are absent, processing is carried out subject to obtaining the personal data subject’s consent.
Consent must be freely given, specific, informed and conscious, and may be provided in any form that makes it possible to confirm the fact that it was obtained.
The procedure for withdrawing consent must not be more burdensome than the procedure for providing consent.
Where personal data are obtained not directly from the subject but from other persons under a contract or processing instruction, the obligation to obtain the subject’s consent may be imposed on the person from whom the personal data were obtained.
If the subject refuses to provide their personal data in the necessary and sufficient scope, the Operator will not be able to perform the actions required to achieve the relevant processing purposes.
Processing of Electronic User Data, Including Cookies
For the purposes of personal data processing set out in this Policy, the Operator may collect electronic user data on its websites automatically, without requiring user participation or any actions to send data.
The Operator does not verify the accuracy of electronic data collected this way; the information is processed “as is” in the form in which it is received from the client device.
Visitors and users of the Operator’s websites may be shown pop-up notices about collection and processing of cookies data with a link to the Policy and buttons to accept the processing terms or close the pop-up notice.
Such notices mean that when visiting and using the Operator’s websites, information resources and web applications, information (e.g., cookies data) may be stored in the browser on the user’s device, allowing subsequent identification of the user or device, remembering a session, or saving certain user settings and preferences specific to those sites. After being stored in the browser and until expiry or deletion from the device, such information will be sent with each subsequent request to the website on behalf of which it was stored, together with such request, for processing on the Operator’s side.
Processing of cookies data is required by the Operator for proper functioning of websites, in particular functions relating to access by registered users to the Operator’s software products, services, works and resources; user personalization; increasing efficiency and convenience of working with websites, as well as other purposes provided for in this Policy.
In addition to cookies set by the Operator’s websites, users and visitors may receive cookies relating to third-party websites, for example, where third-party components and software are used on the Operator’s websites. Processing of such cookies is governed by the policies of the relevant websites and may change without notice to users of the Operator’s websites. Such cases may include placement on the websites of:
Acceptance by the user of cookies processing terms or closing the pop-up notice in accordance with this Policy is considered consent to processing of cookies data on the Operator’s websites.
If the user does not agree to processing of cookies, they must accept the risk that in this case the website’s functions and features may not be fully available, and then follow one of the following options:
The user may manage stored cookies data independently through built-in browser tools, including deleting or viewing information about cookies set by websites, including:
Confidentiality and Security of Personal Data
The Operator ensures confidentiality of personal data in accordance with applicable law and the terms of the Operator’s agreements and contracts, except where:
The Operator takes necessary and sufficient legal, organizational and technical measures to ensure personal data security and to protect them from unauthorized (including accidental) access, destruction, alteration, blocking of access and other unauthorized actions. Such measures include, in particular:
Incidents and notifications:
The Operator implements digital resilience and digital-environment risk management measures proportionate to the nature, scope and purposes of processing.
Rights of Personal Data Subjects
A personal data subject has the right to withdraw consent to personal data processing by sending a relevant request to the Operator or the Operator’s authorized representatives in other countries by mail or by personal visit.
A personal data subject has the right to receive information relating to processing of their personal data, including:
A personal data subject has the right to request that the Operator clarify their personal data, block or destroy them if the personal data are incomplete, outdated, inaccurate, unlawfully obtained or not necessary for the stated processing purpose, and to take measures provided for by applicable law to protect their rights.
If a personal data subject believes that the Operator processes their personal data in violation of applicable law or otherwise violates their rights and freedoms, the subject has the right to appeal the Operator’s actions or inaction in the manner provided for by applicable law.
A personal data subject has the right to protect their rights and legitimate interests, including compensation for losses and/or moral harm, in court.
The rights of the data subject/data principal are also exercised in accordance with the provisions of the Digital Code of the Kyrgyz Republic.
Roles and Responsibility
The rights, obligations and responsibility of the Operator are determined by applicable law and the Operator’s agreements.
The liability of the Operator’s employees involved in personal data processing by virtue of their functional duties for proper processing and unlawful use of personal data is established in accordance with the terms of the contract concluded between the Operator and the employee and the non- disclosure obligation.
The liability of persons involved in personal data processing under the Operator’s instructions for proper processing and unlawful use of personal data is established in accordance with the terms of the contract concluded between the Operator and the counterparty, a confidentiality agreement, or another agreement.
Persons guilty of violating rules governing processing and information security of personal data bear material, disciplinary, administrative, civil or criminal liability in the manner established by applicable law and the Operator’s agreements.
Publication and Updating of the Policy
The Policy is developed by persons responsible for organizing personal data processing in Limited Liability Company “Kyulchoro” and enters into force after approval by the Operator.
The Policy is a publicly available document of the Operator and provides the possibility for any persons to review its current version, including existing translations into foreign languages, by publishing it on the internet at https://onekyc.io.
Web forms, templates and standard forms of the Operator for collecting personal data must contain user notices about personal data processing in accordance with this Policy with a reference to it.
The Policy is valid indefinitely after approval until replaced by a new version. The Operator has the right to amend the Policy without notice to any persons.
Proposals and comments for amendments to the Policy may be sent by interested persons to info@onekyc.io.