1. General provisions
This personal data processing policy is prepared in accordance with the Law of the Kyrgyz Republic of 14 April 2008 No. 52-g "On Personal Data" (hereinafter — the Personal Data Law) and defines the procedure for processing personal data and measures to ensure their security.
1.1. The Operator considers its most important goal and condition of its activities to be respect for human and civil rights and freedoms when processing personal data, including protection of the rights to privacy, private and family life.
1.2. This Operator policy on personal data processing (hereinafter — the Policy) applies to all information that the Operator may obtain about visitors to the website https://giftovik.com/.
2. Key terms used in the Policy
2.1. Automated processing of personal data — processing using computer technology.
2.2. Blocking of personal data — temporary suspension of processing (except where processing is necessary to clarify personal data).
2.3. Website — a set of graphic and information materials, as well as computer programs and databases ensuring their availability on the Internet at https://giftovik.com/.
2.4. Personal data information system — a combination of personal data contained in databases and the information technologies and technical means that process them.
2.5. Anonymisation of personal data — actions as a result of which it is impossible to determine, without additional information, whether personal data relate to a specific User or other data subject.
2.6. Processing of personal data — any action or set of actions performed with or without automation, including collection, recording, systematisation, accumulation, storage, clarification, extraction, use, transfer, anonymisation, blocking, deletion and destruction of personal data.
2.7. Operator — a person who independently or jointly with others organises processing of personal data and determines the purposes and means of such processing.
2.8. Personal data — any information relating directly or indirectly to the User of the website https://giftovik.com/.
2.9. Personal data permitted for dissemination by the data subject — data to which access is permitted by the data subject.
2.10. User — any visitor to the website https://giftovik.com/.
2.11. Provision of personal data — actions aimed at disclosing personal data to a specific person or category of persons.
2.12. Dissemination of personal data — any actions aimed at disclosing personal data to an indefinite circle of persons.
2.13. Cross-border transfer of personal data — transfer of personal data to the territory of a foreign state.
2.14. Destruction of personal data — actions as a result of which personal data are destroyed without possibility of recovery.
3. Main rights and obligations of the Operator
3.1. The Operator has the right to:
3.2. The Operator must:
4. Main rights and obligations of data subjects
4.1. Data subjects have the right to:
4.2. Data subjects must:
4.3. Liability for providing false data lies with the person who provided it.
5. Personal data of the User that the Operator may process
5.1. Email address.
5.2. The website also collects and processes anonymised visitor data (including "cookie" files) using web analytics services (Yandex Metrica, Google Analytics and others).
5.3. The above data are hereinafter collectively referred to as Personal Data.
5.4. The Operator does not process special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or intimate life.
5.5. Processing of personal data permitted for dissemination from among special categories is allowed if prohibitions and conditions provided by the Personal Data Law are observed.
5.6. The User's consent to processing of personal data permitted for dissemination is executed separately from other consents. Content requirements for such consent are set by the authorised body for protection of data subjects' rights.
5.6.1. Consent to processing of personal data permitted for dissemination is provided by the User to the Operator directly.
5.6.2. Within no more than three business days of receiving such consent, the Operator must publish information on processing conditions and on prohibitions and conditions for processing by an unlimited circle of persons of personal data permitted for dissemination.
5.6.3. Transfer (dissemination, provision, access) of personal data permitted by the data subject for dissemination must be stopped at any time at the data subject's request. The request must include the data subject's surname, first name and patronymic (if any), contact information (phone, email or postal address) and a list of personal data whose processing must be stopped. Personal data specified in the request may be processed only by the Operator to whom it is addressed.
5.6.4. Consent to processing of personal data permitted for dissemination ceases to be effective from the moment the Operator receives the request referred to in clause 5.6.3 regarding processing of personal data.
6. Principles of personal data processing
6.1. Processing is carried out on a lawful and fair basis.
6.2. Processing is limited to achieving specific, predefined and lawful purposes. Processing incompatible with the purposes of collection is not permitted.
6.3. Combining databases whose processing purposes are incompatible is not permitted.
6.4. Only personal data that meet the purposes of processing are subject to processing.
6.5. The content and volume of processed data correspond to the stated purposes; excessive data are not processed.
6.6. When processing personal data, accuracy, sufficiency and, where necessary, relevance to the purposes of processing are ensured. The Operator takes necessary measures to delete or clarify incomplete or inaccurate data.
6.7. Storage is in a form that allows identification of the data subject for no longer than required by the purposes of processing, unless a storage period is established by law, contract or agreement with the data subject. Upon achievement of purposes, data are destroyed or anonymised unless otherwise provided by the Personal Data Law.
7. Purposes of personal data processing
7.1. Purposes of processing the User's personal data:
7.2. The Operator may send the User notifications about new products and services, special offers and events. The User may opt out of informational messages by emailing info@giftovik.com with the subject line "Opt-out of new products, services and special offers".
7.3. Anonymised data collected through web analytics are used to collect information about User actions on the website and to improve the quality and content of the website.
8. Legal grounds for processing personal data
8.1. Legal grounds for the Operator's processing include:
8.2. The Operator processes the User's personal data only if they are filled in and/or sent by the User independently through forms on https://giftovik.com/ or by email. By sending data, the User agrees to this Policy.
8.3. The Operator processes anonymised User data if permitted in the User's browser settings (cookies enabled and JavaScript used).
8.4. The data subject independently decides whether to provide personal data and gives consent freely, by their own will and in their own interest.
9. Conditions for processing personal data
9.1. Processing is carried out with the data subject's consent to processing of their personal data.
9.2. Processing is necessary to achieve the purposes provided for by an international treaty of the Kyrgyz Republic or by law, for performance of the operator's duties.
9.3. Processing is necessary for the administration of justice, execution of judicial acts and acts of public authorities.
9.4. Processing is necessary for performance or conclusion of a contract to which the data subject is a party.
9.5. Processing is necessary to exercise the rights and legitimate interests of the Operator or third parties or to achieve socially significant purposes, subject to respect for the data subject's rights and freedoms.
9.6. Processing of personal data to which an unlimited circle of persons has access at the data subject's request (publicly available personal data).
9.7. Processing of personal data subject to publication or mandatory disclosure in accordance with the law.
10. Procedure for collection, storage, transfer and other types of processing
Security of personal data processed by the Operator is ensured through legal, organisational and technical measures required to comply fully with applicable personal data protection legislation.
10.1. The Operator ensures integrity of personal data and takes all possible measures to exclude access by unauthorised persons.
10.2. The User's personal data will never under any conditions be transferred to third parties, except as related to compliance with applicable law or where the data subject has given the Operator consent to transfer data to a third party for performance of obligations under a civil-law contract.
10.3. If inaccuracies are found, the User may update data by notifying the Operator at info@giftovik.com with the subject "Personal data update".
10.4. The processing period is determined by achievement of the purposes for which the data were collected, unless another period is provided by contract or law. The User may withdraw consent at any time by emailing info@giftovik.com with the subject "Withdrawal of consent to personal data processing".
10.5. Information collected by third-party services (payment systems, communications providers, other service providers) is stored and processed by those parties under their user agreements and privacy policies. The User must review those documents independently. The Operator is not liable for third parties' actions.
10.6. Restrictions set by the data subject on transfer (other than access), or on processing or conditions of processing (other than access) of personal data permitted for dissemination, do not apply where processing is carried out in state, public or other public interests defined by the legislation of the Kyrgyz Republic.
10.7. The Operator ensures confidentiality of personal data when processing.
10.8. The Operator stores personal data in a form that allows identification of the data subject for no longer than required by the purposes of processing, unless a storage period is established by law or a contract to which the data subject is a party.
10.9. Processing may cease upon achievement of purposes, expiry or withdrawal of consent, or detection of unlawful processing.
11. List of actions performed by the Operator with personal data
11.1. The Operator collects, records, systematises, accumulates, stores, clarifies (updates, changes), extracts, uses, transfers (disseminates, provides, grants access), anonymises, blocks, deletes and destroys personal data.
11.2. The Operator performs automated processing with or without transmission of information via information and telecommunications networks.
12. Cross-border transfer of personal data
12.1. Before commencing cross-border transfer, the Operator must ensure that the foreign state provides reliable protection of data subjects' rights.
12.2. Transfer to states that do not meet these requirements is possible only with written consent of the data subject and/or for performance of a contract with them.
13. Confidentiality of personal data
The Operator and other persons who have gained access to personal data must not disclose or disseminate such data without the data subject's consent unless otherwise provided by law.
14. Final provisions
14.1. The User may obtain clarifications on processing of their personal data by contacting the Operator at info@giftovik.com.
14.2. This document will reflect any changes to the Operator's personal data processing policy. The Policy is valid indefinitely until replaced by a new version.
14.3. The current version of the Policy is freely available at: https://giftovik.com/.