Privacy agreement

PERSONAL DATA CONFIDENTIALITY AGREEMENT

This personal data confidentiality Agreement (hereinafter referred to as the "Agreement") governs the relations associated with the collection, processing, storage, transfer, and protection of personal data of clients at Closed Joint-Stock Company "Commercial Bank KSB" (hereinafter referred to as the "Bank").

 

1.    Definition of terms

1.1.    Basic concepts used in this Agreement:
 

•    personal data repository holder – a state body, local self-government body, or legal entity vested with the authority to determine the purposes and categories of personal data and to control the collection, storage, processing, and use of personal data;
•    client – an individual entrepreneur, an individual, or a legal entity accepted for service or currently being serviced by the Bank, or with whom the Bank is establishing or has established a business relationship;
•    personal data processing – any operation or set of operations performed regardless of the methods by the personal data subject or on their behalf, by automated means or otherwise, for the purposes of collecting, recording, storing, updating, grouping, blocking, deleting, and destroying personal data;
•    list of personal data – a list of categories of data concerning a single personal data subject;
•    personal data – any information, including that on digital/tangible media, relating directly or indirectly to an identified or identifiable data subject;
•    consent of the personal data subject – a free, specific, unconditional, and informed expression of will by the personal data subject, provided in the form prescribed by the legislation of the Kyrgyz Republic on personal data, to perform procedures related to the processing of their personal data;
•    Personal data subject – an identified or identifiable individual to whom personal data relates directly or indirectly. The personal data subject may be the Client themselves (if an individual), or a representative, head, or employee of the Client (if the Client is a legal entity);
•    cross-border transfer of personal data – the transfer of personal data to personal data repository holders falling under the jurisdiction of foreign states;
•    third parties – individual entrepreneurs or legal entities who are not employees of the Bank and who may be granted access to personal data based on a contract, including technology partners, processing centers, and IT service providers involved in the operation of the website, internet banking, mobile application, and other digital services of the Bank;
•    authorized body for the protection of the rights of personal data subjects – a state body authorized to perform functions and powers to ensure that personal data processing complies with the requirements of the legislation of the Kyrgyz Republic, protect the rights of personal data subjects, register personal data system holders, maintain the Register of personal data system holders, and perform other tasks, functions, and powers provided for by the legislation of the Kyrgyz Republic;
•    digital services of the bank – remote service tools that allow Clients to manage finances, make transfers, pay for services, and open products online without visiting physical branches;
•    Cookies – small text files automatically saved on the user's device when visiting the website and using internet banking, the mobile application, and other digital services of the Bank.


 

2.    General provisions


2.2.    This Agreement shall apply to all methods of obtaining and processing personal data within the framework of providing banking services and/or establishing business relations with Clients, including visits to Bank branches, calls to the contact center, participation in surveys and questionnaires, submission of applications or requests through any communication channels, as well as the use of internet banking, the mobile application, the website www.ksbc.kg, and other digital services of the Bank.
2.3.    This Agreement also applies to the personal data of individuals acting on behalf of a Client of the Bank that is a legal entity, including members of executive bodies, heads, representatives, employees, as well as beneficial owners of the Client.
2.4.    The Agreement has been developed in accordance with the requirements of the legislation of the Kyrgyz Republic and establishes requirements for ensuring the security of personal data.
2.5.    The Bank, acting as the Personal Data System Holder, determines the purposes and methods of their processing, takes measures for their protection, and bears responsibility for compliance with the legislation of the Kyrgyz Republic on the protection of personal data.
2.6.    Use of the Bank's products, services, and digital services by the Client, as well as the establishment of business relations with the Bank, shall constitute full and unconditional consent to the terms of this Agreement, unless otherwise provided by the legislation of the Kyrgyz Republic.


 

3.    Purposes of personal data collection and processing


3.1.    The Bank collects and processes personal data for the following purposes:
•    provision of financial and banking services to the Client, including, but not limited to, opening and maintaining a bank account, carrying out money transfers and payments, cash services, attracting deposits, providing any credit product to the Client or to a person for whom the Client acts as a guarantor, and the provision of property or property rights as collateral to the Bank by the Client;
•    conclusion of any contracts or agreements with the Client and their further performance;
•    identification and verification of the Client and beneficiaries during the conduct of banking activities, authorization, and authentication of the Client for obtaining banking services and/or using the Bank's digital services;
•    prevention of fraudulent actions associated with the use of the Bank's services, products, and digital services;
•    processing of payments by the Client for goods, works, and services of third parties through Bank branches, using internet banking, the mobile application, peripheral devices, and other remote/distance service systems;
•    establishment and further support of business relations with counterparties, including the collection, analysis, and verification of information necessary to identify the counterparty and related persons (representatives, employees, beneficial owners, etc.), assessment of legal capacity, business reputation, risk level, as well as compliance with the requirements of the legislation of the Kyrgyz Republic in the field of countering the financing of criminal activities and the legalization (laundering) of proceeds from crime;
•    conducting marketing and advertising campaigns/promotions;
•    analysis and improvement of service quality and the use of the Bank's digital services, provision of new products, and expansion of services;
•    verification and assessment of solvency and creditworthiness for making a decision on concluding a loan agreement (credit product) and/or an agreement securing the performance of obligations for loan repayment, further performance of the agreement(s), and obtaining the results of such assessment;
•    collection of overdue debts to the Bank under any contract or agreement;
•    provision of information to payment systems, correspondent banks, as well as other banks, financial organizations, payment infrastructure operators, processing centers, and other persons directly or indirectly involved in a transaction, regarding the operations performed by the Client, in the volume necessary for their execution, processing, completion, and support;
•    investigation of disputed transactions.


 

4.    Categories and list of processed personal data

 
4.1.    The Bank processes the following categories of personal data:
4.1.1.    Data provided by the personal data subject:
•    full name, gender, year, month, date and place of birth, citizenship, nationality;
•    identity document data;
•    data of the document confirming the right of a foreign citizen to stay/reside in the Kyrgyz Republic;
•    place of residence, place of registration, place of stay, place of work;
•    contact details;
•    personal number, taxpayer identification number, and other information constituting a tax secret in accordance with the Tax Code of the Kyrgyz Republic;
•    data from pension certificates, marriage certificates, and birth certificates;
•    information on employment, labor activity (including information on length of service, income, and expenses), marital status, financial status (including information on the availability of movable/immovable property and property-related obligations), education, profession, and family composition;
•    information on the Client's bank accounts and cards, and operations performed thereon;
•    information on the Client's representatives and beneficiaries;
•    information on the existence and amount of the Client's debt to the Bank, as well as to other creditors, tax authorities, and the Social Fund of the Kyrgyz Republic, where grounds provided by the legislation of the Kyrgyz Republic exist, for the purposes of assessing the Client's solvency and creditworthiness and managing the Bank's risks;
•    information on registration as an individual entrepreneur (registration date, state registration number, name of the registering authority, place of registration) and on the conduct of business activities as an individual entrepreneur and/or membership in the management bodies of legal entities;
•    information on a patent or license (type of patent or license, patent or license number, date of issue, issuing authority, expiration date, list of permitted or licensed activities);
•    information on data and established restrictions within the framework of criminal, administrative, civil, notarial, and enforcement proceedings;
4.1.2.    Data collected automatically during the use of the Bank's digital services:
•    data about the account created on the Bank's website or in the mobile application; metadata, geolocation (if permitted), cookie data, cookie identifiers, IP addresses, information about the browser, operating system, and the device used by the Client;
•    files and photographic images uploaded by the Client;
•    data on interaction with the mobile application or website (including analytical events, PUSH notifications, and error reports).
4.1.3.    Other personal data as defined in the legislation of the Kyrgyz Republic on the protection of personal data, which have been or will be transferred by the personal data subject to the Bank, as well as those obtained or to be obtained by the Bank from official sources or from any third parties in the manner prescribed by law.
4.2.    When using the Bank's services, the following personal data may be requested and obtained:
•    information about the Client. When creating an account and/or registering and/or during the use of the Bank's services, the Bank requests the full name, gender, date of birth, residential address, email address, phone number, bank card details, or details of another electronic means of payment. The Bank may also request additional information. With separate consent given by the Client, the Bank may obtain access to the Client's contact information, photo gallery (only if the Client intends to select a photo while using the Bank's services), and the mobile device camera (for scanning a QR code or barcode for service payment or transfer);
•    information about the mobile device. The Bank collects data about the Client's mobile devices (mobile device model, operating system version, unique device identifiers, mobile network data, and mobile phone number);
•    location information. Digital services of the Bank that support the geographical location function of the Client's mobile device allow the Bank to receive information about the actual location of the Client, including GPS data sent by the mobile device;
•    information about performed operations. When performing operations for the payment of goods and services or money transfers, the Bank collects data on the place, time, and amount of operations, payment methods, data on the seller and/or service provider, descriptions of the reason for the operation, if any, as well as other information related to the performance of the above operations;
•    information received from third parties. This information is necessary for the proper provision of services and the fulfillment of contractual obligations to the Client by third parties. The Bank receives information provided by third parties, which may contain data about the Client and other persons specified by the Client;
•    other data available to the Bank which the Client has agreed to provide and/or which are obtained by the Bank from official sources or from any third parties to provide services through the Bank's services.
4.3.    Personal data permitted for processing under this Agreement are provided to the Bank by:
•    clients of the Bank (including users of internet banking, the mobile application, the website, and other digital services of the Bank) or their representatives;
•    persons who have contacted the Bank with applications, complaints, requests, or by participating in the Bank's surveys;
•    state and other bodies, commercial and non-commercial organizations, state information systems, and available data sources;
•    other persons whose personal data are processed by the Bank on legal grounds.


 
5.    Rights and obligations of the personal data subject

5.1.    The personal data subject has the right to:
•    receive information regarding the fact, purposes, and methods of processing their personal data;
•    request clarification, blocking, or destruction of personal data if they are inaccurate or are being processed unlawfully;
•    change, update, and supplement the provided personal data or any part thereof;
•    withdraw their consent to the processing of personal data (withdrawal of consent entails the termination of services by the Bank);
•    appeal to the authorized state body in the event of a violation of their rights.
5.2.    The personal data subject is obliged to:
•    provide the Bank with accurate and up-to-date information;
•    timely notify the Bank of any changes to personal data;
•    not interfere with the lawful processing of data.
5.3.    For the provision of false data, the unlawful use of personal data of third parties, or other actions resulting in losses, the personal data subject shall bear responsibility in accordance with the legislation of the Kyrgyz Republic.


6.    Rights and obligations of the Bank

6.1.    The Bank has the right to:
•    request and clarify personal data and/or documents containing personal data;
•    continue processing the personal data of the subject in the event of the withdrawal of consent by the personal data subject, in accordance with the requirements of the legislation of the Kyrgyz Republic;
•    restrict or block access to the Bank's digital services in cases where, in the Bank's opinion, a violation or attempted violation of the Bank's digital services security procedures occurs, including cases of suspected fraudulent transactions by third parties using personal data through the Bank's digital services, as well as in cases provided for by the legislation of the Kyrgyz Republic.
6.2.    The Bank is obliged to:
•    process the personal data of the subject on legal grounds and only for the stated purposes;
•    ensure the accuracy, relevance, and confidentiality of personal data;
•    provide a response to a request from the personal data subject within the timeframes specified in the legislation of the Kyrgyz Republic on personal data.
6.3.    The Bank bears responsibility for the unlawful use of the personal data of the subject in accordance with the legislation of the Kyrgyz Republic, except for the cases provided for in clause 8.1 of this Agreement.


 
7.    Personal data protection measures

7.1.    The Bank, acting as the personal data system holder, takes necessary legal, organizational, and technical measures to ensure the security of personal data and protect them from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other unlawful actions.
7.2.    Such measures include, in particular, the differentiation of access rights; identification, authentication, and authorization of users; use of encryption and secure communication channels; data backup and integrity control; and regular auditing and training of Bank employees on personal data protection issues.
7.3.    The specific set of protection measures and the security levels of information systems are determined by the Bank's internal documents in accordance with the Resolution of the Government of the Kyrgyz Republic No. 760 dated November 21, 2017, "On Approval of Requirements for Ensuring Security and Protection of Personal Data during their Processing," and other regulatory legal acts of the Kyrgyz Republic.
7.4.    Personal data are stored for the period necessary to achieve the purposes of their processing, taking into account the requirements of the legislation of the Kyrgyz Republic. Upon achievement of the processing purposes or loss of the need for them, the data are subject to destruction or depersonalization, unless otherwise provided by law or contract.
  

 
8.    Transfer of personal data to third parties and transborder transfer

8.1.    By receiving the Bank's services, products, and facilities, the Client authorizes the Bank to transfer, in full or in part, any personal data to any state or municipal authorities, enterprises, institutions, and organizations of the Kyrgyz Republic, credit bureaus, payment systems, and correspondent banks, as well as to transfer such data to other banks, financial and credit organizations, other legal entities supervised by the National Bank of the Kyrgyz Republic, payment system operators, payment organizations, processing centers, mobile operators, insurance organizations, electronic money operators, notaries, appraisal companies, audit organizations, the Bank's partners under bonus/marketing programs, and other third parties engaged by the Bank in the provision of services, products, and facilities necessary to achieve the purposes specified in this Agreement, as well as to receive from the specified bodies and organizations, in full or in part, personal data and other information about the Client for the purposes specified in this section, including the purposes of identification, verification, execution and support of transactions, fulfillment of obligations, and compliance with the requirements of the legislation of the Kyrgyz Republic.
 
8.2.    The Client authorizes the Bank to verify and obtain personal data through state information systems and/or other available data sources and/or any available data sources in accordance with the legislation of the Kyrgyz Republic for the purposes specified in this Agreement.
8.3.    The Bank may carry out the transborder transfer of personal data solely for the purpose of performing banking operations and providing banking products and services.
8.4.    Transborder transfer shall be carried out only with the consent of the Client, unless otherwise provided by the legislation of the Kyrgyz Republic. The Client's consent to the transborder transfer of personal information may be expressed in writing or in an electronic form that allows for confirmation of the fact of its provision.
8.5.    In the event of any transfer, including transborder transfer, the Bank shall take measures to ensure the confidentiality and security of personal data, including the use of protective tools and contractual obligations with the receiving party.

 

9.    Dispute resolution

9.1.    Prior to filing a lawsuit in court regarding disputes arising from the relationship between the personal data subject and the Bank, it is mandatory to submit a claim (a written proposal for the voluntary settlement of the dispute).
9.2.    The recipient of the claim (the personal data subject or the Bank) shall, within 30 (thirty) calendar days from the date of receipt of the claim, notify the claimant in writing of the results of the claim's consideration.
9.3.    If an agreement is not reached, any disputes, disagreements, claims, or demands arising out of or in connection with this Agreement, including those concerning its performance, violation, termination, cancellation, or invalidity, shall be resolved in a court of the Kyrgyz Republic at the location of the Bank. The applicable substantive law under which the dispute will be considered is the legislation of the Kyrgyz Republic.
9.4.    This Agreement and the relationship between the personal data subject and the Bank shall be governed by the current legislation of the Kyrgyz Republic on personal data.


 
10.    Final provisions

10.1.    This Agreement is available on the Bank's official website – www.ksbc.kg – and in the Bank's mobile application.
10.2.    The Bank has the right to unilaterally make changes and additions to this Agreement at any time without the prior consent or notification of the Client. A new version of the Agreement enters into force from the moment of its posting, unless otherwise provided by the provisions of the new version of the Agreement.
10.3.    All relations concerning the processing of personal data that are not reflected in this Agreement shall be regulated by the legislation of the Kyrgyz Republic.
10.4.    If, as a result of a change in the legislation of the Kyrgyz Republic, individual chapters of this Agreement come into conflict with the law, those sections shall become invalid, and until changes are made to this Agreement, the Bank shall be guided by the provisions of the legislation of the Kyrgyz Republic in force at the relevant time.