Data Protection & Privacy Policy

Effective Date: 20th October 2025

TauKen Group Ltd.

1. Purpose

This Data Protection & Privacy Policy ("the Policy") sets out TauKen Group Ltd.'s commitment to safeguarding personal and corporate data. It defines principles, responsibilities, and procedures for lawful data collection, processing, storage, and disposal in accordance with Kazakhstan and UK laws.

2. Legal Framework

Kazakhstan: Law on Personal Data and Protection (2013), Law on Informatization (2015), Civil and Labour Codes.

UK: Data Protection Act 2018, UK GDPR, PECR, Companies Act 2006, Employment Rights Act 1996.

3. Scope

Applies to all employees, contractors, and third-party providers, and to all personal data processed by the Group, including employee records, customer data, and digital communications.

4. Definitions

Personal Data: Information relating to an identified or identifiable individual.

Processing: Any operation on personal data.

Data Subject: Individual to whom data relates.

Controller: TauKen Group Ltd.

Processor: Third party acting on behalf of TauKen.

5. Data Protection Principles

Lawfulness, Fairness, Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; Accountability.

6. Lawful Basis for Processing

Processing under: Consent, Contract performance, Legal compliance, Vital interests protection, Legitimate interests, or Public interest.

7. Rights of Data Subjects

Data subjects have the right to be informed; the rights of access, rectification, erasure, restriction of processing, data portability, and objection; and the right not to be subject to automated decision-making. Requests are responded to within the statutory timeframe.

8. Data Security Measures

Encryption, role-based access controls, secure servers, firewalls, multi-factor authentication, vulnerability assessments, and physical security. All employees receive mandatory data protection training.

9. Data Transfers

Cross-border transfers conducted per Kazakhstan and UK GDPR requirements, using standard contractual clauses and adequacy decisions. Third-party processors must demonstrate equivalent standards.

10. Data Breach Response

In case of breach: contain and assess, notify affected individuals, report to Kazakhstan Ministry and UK ICO, document incident, implement corrective measures. All breaches investigated by Data Protection Officer.

11. Third-Party Processors

Engaged only where necessary, subject to due diligence, written contracts, ongoing monitoring, and immediate termination for non-compliance.

12. Review and Amendment

Policy reviewed annually by ESG & Compliance Committee, updated for legislative changes, technological developments, audit lessons, and stakeholder expectations. Approved by Board.
