Confidentiality Policy

General Provisions

Joint Stock Company Bank CenterCredit (the Bank) sincerely appreciates Your interest in the Bank’s products and services (BCC Services). Protecting your personal information is very important to us; therefore, the Bank shall assume responsibility for maintaining the confidentiality of personal data processed as part of BCC Services.

BCC Services include the Bank’s mobile apps (bcc.kz, bcc business, junior bank), websites, and other online services hosted on the bcc.kz website, which enable Users of BCC Services (the Users) to interact with the Bank under concluded Banking Service Agreements and/or other agreements, as well as without such agreements, in accordance with the legislation of the Republic of Kazakhstan.

Access to and use of BCC Services implies the Users’ unconditional acceptance of the provisions outlined in this Confidentiality Policy (the Policy).

This Policy applies to the data collected by the Bank through Users’ interactions with BCC Services.

What is meant by Users’ data

The Bank places great importance on the tasks, core principles, and legal regulations related to data collection, processing, retention, and security.

User personal data refers to information provided by the User in any form when using BCC Services, as well as when interacting with the services of our partners and government organisations.

List and sources of personal data

Users are individuals, individual entrepreneurs, authorised employees and/or representatives of legal entities registered with BCC Services.

The personal data to be received by the Bank when using BCC Services includes, but is not limited to: Full Name, IIN, mobile phone number, biometric data, identity document data, financial data, information from government services and other sources.

User Data Processing Objectives

BCC Services collect and process only those personal data that are necessary for the provision and delivery of the Bank’s services. User data is collected by the Bank for the following purposes:

• providing banking and financial services, including with the involvement of the Bank’s partners and government agencies;
• ensuring access to and improving the functionality of BCC Services;
• conducting marketing and other types of research;
• complying with legal requirements and for other purposes specified in this Policy, the Bank’s internal regulations, or the terms of use of specific BCC Services.

Automatically Collected Data

This information is necessary for diagnostics and troubleshooting. The Bank collects diagnostic data as well as information about the performance of BCC Services during their use. This category includes:

1. Information about the User's device.
2. Data on actions performed (payments, transfers and other transactions).
3. IP address, unique identifiers, browser data, telemetry and other technical information.

With the User’s consent, BCC Services may obtain access to:

• phone book contacts (allows the User to select the payment’s recipient or transfer from their contacts for transfers by phone number); image gallery (for the User to upload graphic information);
• the mobile device camera (for payment of services by scanning a QR code and/or making a video recording);
• digital documents provided through integration with government services;
• the microphone (for making audio and video calls through BCC Services);
• location using geolocation services;
• information about cookie files.

Use of Cookies

BCC Services use cookies and similar technologies to ensure the proper functioning of websites, improve service quality, perform analytics, and deliver personalized content.

For more details, please visit: https://www.bcc.kz/cookies/

Provision of User Information to Third Parties

The Bank does not provide User information to third parties that do not have contractual or other legal relations with the Bank, except in the following cases:

• to comply with the requirements of the legislation of the Republic of Kazakhstan;
• to transfer information to subsidiaries, partners, affiliates, counterparties and other persons within the framework of contractual and legal relations for the purpose of providing appropriate services to Users;
• with the relevant consent of the User.

All third parties who are granted access to personal data shall maintain confidentiality and ensure the protection of the transferred information in accordance with the legislation of the Republic of Kazakhstan. These obligations shall include the requirements of this Policy, as well as the provisions of non-disclosure agreements signed with the Bank, and are not limited thereto.

The Bank shall have the right to provide partners with aggregated, anonymised data on BCC Service Users, i.e. information that does not allow the User's identity to be established without the use of additional information. Such data may be used, among other things, for statistical, analytical and other research purposes.

Personal Data of Minor Users

BCC Services are not intended for persons under the age of 16 (except for holders of additional payment cards, in cases provided for by agreements with the Bank).

The Bank shall not verify the age of BCC Services users. At the same time, the protection of minors’ confidentiality shall be regarded as a joint initiative of the Bank and their legal representatives.

Parents shall be encouraged to participate in the use of online services and to monitor their children’s digital activity.

Cross-Border Data Transfer

When transferring User information outside the Republic of Kazakhstan, the Bank shall ensure compliance with applicable laws by entering into agreements, including those that guarantee recipients of the information adhere to the appropriate level of information security. The Bank shall use secure cloud technologies and storage facilities, regardless of their location, thereby helping to ensure high service reliability, data security, and protection against unlawful interference.

Personal Data Security

The Bank shall take all reasonable administrative, legal, and technical measures to protect Users’ personal data from unauthorized attempts to access, modify, disclose, destroy, or otherwise compromise data security. The Bank shall ensure the protection of information at all stages of its “life cycle,” including collection, accumulation, storage, modification, supplementation, use, distribution, depersonalization, blocking, and destruction of personal data, and shall prevent any violation of the confidentiality of the information received.

To ensure secure data storage within information systems in accordance with legal requirements, the Bank shall use the following methods (including, but not limited to):

• differentiated access control to information resources;
• data transmission via the secure HTTPS protocol;
• use of the TLS cryptographic protocol version 1.2 or higher;
• storage and transmission of data exclusively in encrypted form;
• use of secure communication channels, among others.

The incident response process for personal data breaches shall include detection, assessment, containment, and remediation of incidents related to leakage or unauthorized access to Users’ personal data.

Additionally, the Bank has implemented an employee awareness program aimed at training and informing staff about the importance of personal data protection, compliance with legal requirements and internal policies, as well as methods for preventing data compromise incidents.

Data retention and deletion periods at the Bank shall be determined in accordance with the legislation of the Republic of Kazakhstan, the Bank’s internal regulatory documents, contracts with Users, and their consents for the processing of personal data.

Recommendations for Users on BCC Services Safe Use

• Keep account details, such as login and password, confidential from third parties.
• Immediately notify the Bank of any suspected unauthorised use of your personal account.
• Update your antivirus software in a timely manner.
• Only connect to trusted, secure Wi-Fi or cellular networks.
• Only use official, trusted sources for applications.
• Regularly update applications and operating systems on your devices (many vulnerabilities are eliminated by updates).
• Update your personal information in a timely manner.
• Do not allow third parties to use your personal mobile device.
• Do not install applications for remote device control.

For more detailed recommendations on security measures, please visit: https://www.bcc.kz/personal/other/information-security/

Users’ Rights

The collection and processing of Users’ personal data shall be carried out by the Bank only with the User’s consent, except in cases provided for by the legislation of the Republic of Kazakhstan. The Bank shall process Users’ personal data in accordance with this Policy and the Bank’s regulatory documents for as long as necessary to achieve the purposes of data collection and processing and/or to comply with the requirements of the legislation of the Republic of Kazakhstan.

Users’ rights shall be governed by the current legislation “On Personal Data and their Protection.” Users shall have the right to:

• request correction, supplementation, blocking, or destruction of their personal data when there are grounds supported by relevant documents;
• withdraw consent by submitting a written request through the Bank’s branches, except in cases stipulated by the legislation of the Republic of Kazakhstan;
• exercise other rights provided by the Law and other regulatory legal acts of the Republic of Kazakhstan.

To ensure proper service provision, the Bank shall maintain the accuracy of Users’ personal data by updating it based on:

• data provided by the User;
• data obtained from governmental and non-governmental services;
• other sources stipulated by the legislation of the Republic of Kazakhstan and the terms of contracts concluded with Users.

Amendments to the Confidentiality Policy

The Bank shall reserve the right to update and amend the provisions of this Policy at any time. The new version of this Policy shall come into effect from the moment it is posted on www.bcc.kz, unless otherwise specified in the provisions of the updated Policy. The Bank shall recommend that BCC Services Users regularly review this Policy to stay informed of the most current version.

Dispute Resolution

All disputes and disagreements arising between the User and the Bank in connection with the application of this Policy shall be resolved through negotiations, and if no agreement can be reached, in accordance with the applicable legislation of the Republic of Kazakhstan.

If the dispute cannot be resolved amicably through negotiations, the User shall have the right to appeal to the competent personal data protection authority — the Information Security Committee of the Ministry of Digital Development, Innovation, and Aerospace Industry of the Republic of Kazakhstan.

Final Provisions

If the User does not agree with the terms of this Confidentiality Policy, the User shall have the right to cease using BCC Services. To submit a written request or inquiries regarding the processing of personal data, the User may send a statement to the Bank's official address or use the contact details provided below.

Contact Details

• Email: info@bcc.kz
• Official website: www.bcc.kz
• Contact center: 505 (for individuals), 605 (for business customers)
• Bank address: 38, Al-Farabi Avenue, Medeu District, Almaty

Written requests shall be reviewed by the Bank in accordance with internal regulations and within the timeframes established by the legislation of the Republic of Kazakhstan.