7.1. General Rules
7.1.1. The Personal Data is processed by way of mixed (both
automated and non-automated) processing, including the use of the
internal network and the Internet.
7.1.2. In cases established by the legislation of the Republic of
Azerbaijan, the main condition for processing the Personal Data is
obtaining a consent from the relevant Data Subject, including the
consent in writing.
7.1.3. The consent of the Data Subject to the Personal Data
Processing shall at least include:
a) name, surname, patronymic;
b) name, surname, patronymic of the
representative of a Data Subject;
c) name and address of the Company that
receives the consent of the Data Subject;
d) the aim of the Personal Data Processing;
e) a list of the Personal Data for
processing of which the consent of the Data Subject is to be granted;
f) a list of actions towards the
Personal Data for which the consent is to be granted, the general
description of processing methods used by the Operator;
g) a period, during which the consent
is valid, as well as the procedure for withdrawal;
h) the signature of the Data Subject,
or the equivalent thereof;
i) the conditions for destroying or
archiving, in a manner established by law, the Personal Data collected
in respect of the Data Subject upon the expiration of a period of the
Personal Data storage in the relevant information system or in case of
7.1.4. In cases, where the Personal Data Processing requires
obtaining a consent, but not a written consent, from a Data Subject,
the Data Subject may provide his/her consent by electronic
communications, via Internet, e-mail or fax.
7.2.1. The source of information about all Personal Data is the Data
7.2.2. Unless provided otherwise by the law, the Company may only
obtain the Personal Data of the Data Subject from third parties upon
notifying, or receipt of a consent from, the Data Subject to such obtaining.
7.2.3. A notice to the Data Subject of obtaining his/her Personal
Data from third parties must contain:
a) a name and a place of business of
b) the purpose of processing such
Personal Data by the Company and the legal grounds therefor;
c) intended users of the Personal Data;
d) statutory rights of the Data Subject;
e) a source of obtaining the Personal Data.
7.3.1. When storing the Personal Data, it shall be required to
observe the conditions ensuring the safety of the Personal Data.
7.3.2. Documents containing the Personal Data stored on paper are
kept in dedicated places with limited access in conditions that ensure
their protection against the unauthorized access. A list of document
storage locations is determined by the Company within its
organization, as a whole.
7.3.3. The Personal Data kept in an electronic form is protected
against the unauthorized access using special technical and software
safeguards. It shall not be allowed to store the Personal Data in an
electronic form outside the information systems used by the Company or
databases specifically designated by the Company (off-system storage
of the Personal Data).
7.3.4. The Personal Data shall be kept in a form that allows
identifying the Data Subject, but no longer than the purposes of
processing thereof require, unless another period is established by
the legislation of the Republic of Azerbaijan or a contract, to or
under which the Data Subject is a party, beneficiary or surety.
7.3.5. Unless provided otherwise by the legislation, the processed
Personal Data is subject to destruction or depersonalization upon
achievement of the processing purposes, or there is no further need in
such achievement, or after the expiration of a period of storage thereof.
7.3.6. The destruction or depersonalization of the Personal Data
must be carried out in a way that excludes further processing of this
Personal Data. At the same time, if appropriate, it is necessary to
preserve the ability of processing other data recorded on the
corresponding physical storage media (deletion, defacement).
7.3.7. If it is necessary to destroy or block a part of the Personal
Data, the physical storage medium shall be destroyed or blocked,
copying first the information that is not subject to destruction or
blocking in a way that precludes the concurrent copying of personal
data that is subject to destruction or blocking.
7.4.1. The Personal Data is processed and used for the purpose
specified in Clause 6.1 of this Policy.
7.4.2. The access to the Personal Data is provided only to persons,
whose responsibilities involve treatment of the relevant Personal
Data, and only for a period necessary for such treatment.
7.5.1. The transfer of the Personal Data of the Data Subjects to
third parties is allowed to the minimum extent required and only for
performing tasks consistent with the objective reason of collecting
7.5.2. The transfer of the Personal Data to third parties, including
for commercial purposes, is allowed only with the consent of the Data
Subject, or under other legal grounds.
7.5.3. A Data Subject must be notified, if his/her Personal Data is
provided to third parties, other than in cases established by law, in
a) the Data Subject has been notified
of processing his/her Personal Data by an operator, who has obtained
the respective data from the Company;
b) the Personal Data has been made
public by the Data Subject or has been received from the publicly
c) the Personal Data are processed for
the statistical or other research purposes or for the scientific,
literary or other creative activities, provided that the rights and
legitimate interests of the Data Subject are not infringed.
7.5.4. The information containing the Personal Data must be
transferred in a way that ensures protection against the unauthorized
access, destruction, modification, blocking, copying or dissemination,
as well as other illegal actions in relation to such information.
7.5.5. It may be so that the information containing the Personal
Data is transferred on the territory of a foreign state (cross-border
transfer), including the territory of a state which does not ensure
the adequate protection of the Data Subjects’ rights. Such transfer
must be date in accordance with the requirements and rules established
by the laws of the Republic of Azerbaijan concerning the cross-border
transfer of personal data.
7.5.6. Persons receiving the Personal Data have to be warned that
such data may only be used for purposes for which it has been
obtained, and in compliance with the privacy regime. The Company may
request from such persons the confirmation that this rule is observed.
7.5.7. In cases where the state bodies have the right to request the
Personal Data, or where the Personal Data must be provided in
accordance with law, as well as by a court order, the relevant
information shall be provided to them in a manner established by the
effective legislation of the Republic of Azerbaijan.
7.5.8. All incoming requests should be transferred to a person
responsible for organizing the Personal Data Processing in the Company
for preliminary review and approval.
7.6. Processing Delegation
7.6.1. The Company may delegate the Personal Data Processing to
another person, with the consent of the Data Subject, unless the laws
of the Republic of Azerbaijan provide otherwise, under an agreement
entered into with such person. The person who processes the Personal
Data on behalf of the Company must adhere to the principles and rules
of the Personal Data Processing established for by the legislation.
7.6.2. An agreement with a person who processes the Personal Data on
behalf of the Company shall include:
a) a list of actions (operations)
towards the Personal Data that will be performed by the person
processing the Personal Data;
b) processing purposes;
c) the undertaking of such a person to
observe the privacy of the Personal Data and ensure the safety of the
Personal Data while processing, as well as specify the requirements to
the protection of processed the Personal Data in accordance with the
legislation, and the liability for non-compliance with such requirements.
7.7.1. The reference to the protection of the Personal Data shall
mean a number of legal, organizational and technical measures aimed at:
a) ensuring the protection of
information against the unauthorized access, destruction,
modification, blocking, copying, provision, dissemination, or against
other illegal actions in relation to such information;
b) maintaining the privacy of
c) exercising the right of access to information.
7.7.2. To protect the Personal Data, the Company takes the necessary
measures provided for by law, including, but not limited to:
a) restricting and regulating a number
of persons, whose duties require access to the information containing
the Personal Data (including through the use of passwords for
accessing electronic information resources);
b) ensuring conditions for the
restricted-access storage of documents containing the Personal Data;
c) organizing the procedure for the
destruction of information containing the Personal Data, unless the
legislation establishes requirements for the storage of such data;
d) monitoring the compliance with the
requirements for ensuring the security of the Personal Data, including
those established by this Policy (by way of internal audits,
installing special monitoring tools, etc.);
e) investigating cases of the
unauthorized access or disclosure of the Personal Data, bringing the
guilty employees to liability, or taking other measures;
f) implementing software and technical
means of protection of electronic information;
g) ensuring the ability of restoring
the Personal Data modified or destroyed due to the unauthorized access
7.7.3. To protect the Personal Data while processing in information
systems, the Company takes the necessary measures provided for by law,
including, but not limited to:
a) locating any threat to the safety of
the Personal Data during processing;
b) implementing the organizational and
technical measures to ensure the safety of the Personal Data during
processing in personal data information systems, necessary to meet the
statutory requirements for the protection of the Personal Data at
levels established by the Government of the Republic of Azerbaijan;
c) recording machine-based storage
media of the Personal Data;
d) locating any event of unauthorized
access to the Personal Data and taking measures;
e) restoring personal data modified or
destroyed due to the unauthorized access thereto;
f) establishing rules for the access to
the Personal Data processed in the personal data information system,
as well as ensuring the registration and record of all actions
performed towards with the Personal Data in the personal data
7.7.4. The Company should have in place persons responsible for
organizing the Personal Data Processing.
7.7.5. The Company shall take other measures aimed at ensuring the
Company’s compliance with its obligations in the field of personal
data, as provided for by the effective legislation of the Republic of Azerbaijan.