PRIVACY POLICY

This Privacy Policy (hereinafter referred to as the Policy) is a statement regarding the privacy of your personal data, provided by the Public Union 'Center for the Promotion of Human Rights' (hereinafter referred to as the Union).

1.1. This Policy outlines the rules for processing personal data and measures to ensure the security of this data to protect human rights and freedoms, including the inviolability of private life and family.

1.2. The Union publishes this Policy on its official website (www.legalis.az) and provides data subjects unrestricted access to it.

1.3. The type of personal data collected may vary depending on whether you used an account to access the service or not. The Union does not verify and cannot assess the accuracy of the data you provide, except in cases specified in the user agreement. The Union accepts your personal data as accurate and binding for updating.

1.4. The Union may collect the following categories of data:

• personal data provided by you during registration (name, phone, email address);
• electronic data (IP address, cookies, browser identification data, software information);
• date and time of access to the services;
• other data related to the use of services necessary for processing in accordance with established rules and conditions.

1.5. The Union does not collect data related to race, ethnicity, political views, health condition, biometric information, or other sensitive data. In case such data is provided by you, the Union is obligated to process it without the need for additional consent.

1.6. The Union processes your personal data only in the following cases:

• when necessary for the fulfillment of contractual obligations, including ensuring the functioning of services;
• to comply with legal requirements.

1.7. The Union processes your data to ensure legitimate interests in the following cases:

• to better understand how you interact with services;
• to improve, change, personalize, or otherwise enhance services;
• for specific purposes, separate consent may be required for processing personal data.

1.8. The Union processes your personal data only for the following purposes:

• to provide access to services;
• to provide access to your personal account;
• to contact you for sending notifications, processing requests, and executing contracts;
• to protect the rights of the Union and your rights;
• to collect statistical data, research, and analysis.

2. PRINCIPLES AND CONDITIONS FOR PERSONAL DATA PROCESSING

2.1. The Union processes personal data in accordance with the following principles:

• legality and fairness;
• restriction of data processing to predefined and lawful purposes;
• prevention of processing personal data that is not in line with processing purposes;
• prevention of combining databases containing personal data that do not correspond to each other;
• processing only those personal data that correspond to the purposes of their processing;
• ensuring that the volume and content of processed data align with the purposes of processing;
• prevention of excessive data processing;
• ensuring the accuracy, sufficiency, and relevance of the data;
• unless required by law, deleting or anonymizing data once the purpose of processing is fulfilled.

2.2. The Union processes personal data when at least one of the following conditions is met:

• data processing is carried out with the consent of the data subject;
• data processing is necessary for the performance of international agreements or laws;
• data processing is necessary for the execution of judicial decisions or governmental requirements;
• data processing is necessary for the performance of a contract;
• data processing is necessary to protect the rights and legitimate interests of the Union or third parties, provided that it does not violate the rights and freedoms of the data subject;
• access to personal data is provided to the subject or third parties at their request;
• personal data processing may be required by law.

2.3. The Union and other parties with access to personal data are obliged not to disclose this data to third parties without the consent of the subject or when not provided by law.

2.4. The Union may create public data sources, such as catalogs or address books, containing personal data of the subjects, including their surname, first name, patronymic, date and place of birth, position, contact phone numbers, address, and email.

2.5. The Union allows the disclosure of personal data concerning race, ethnicity, political views, religious or philosophical beliefs, health condition, and other sensitive data in the following cases:

• if personal data has been disclosed by the data subject;
• if data processing is necessary for pension provision or in accordance with labor law;
• if data processing is necessary to protect the life and health of the data subject or other persons, and there is no possibility of obtaining consent from the data subject;
• if data processing is necessary for medical prevention or diagnosis, provided it is carried out by a professional within the law;
• if data processing is necessary for the execution of rights and legitimate interests of the subject or third parties;
• if data processing is carried out under insurance legislation.

2.6. The processing of special categories of personal data ceases once the reasons for processing are no longer valid.

2.7. The processing of criminal conviction data can only occur in cases provided by law.

2.8. The Union has the right to transfer personal data to third parties based on the consent of the data subject or within the framework of a contract, provided that third parties adhere to the principles and rules of data processing.

2.9. The Union must ensure that the country to which the personal data is transferred provides adequate protection of the rights of data subjects.

2.10. Data transfer to countries that do not provide adequate protection of rights can only occur in the following cases:

• if there is written consent from the data subject;
• if data transfer is necessary for the performance of a contract.

3. RIGHTS OF THE DATA SUBJECT

3.1. The data subject has the right to obtain information about how their personal data is processed.

3.2. The responsibility to prove the receipt of consent from the data subject for data processing lies with the Union.

3.3. The data subject has the right to request information about how their data is processed and to request its correction or deletion if it is incomplete or outdated.

3.4. Automated processing of personal data is prohibited unless agreed with the data subject.

3.5. The data subject has the right to file a complaint with the competent authorities if they believe their rights have been violated.

3.6. The data subject has the right to protect their rights, including compensation for damage or moral harm through the court.

4. ENSURING PERSONAL DATA SECURITY

4.1. The Union ensures the security of personal data processing through legal, organizational, and technical measures in accordance with the requirements of the legislation.

• Appointing responsible persons for organizing data processing and protecting personal data.
• Limiting the number of individuals who have access to personal data.
• Familiarizing employees with legislation and internal regulations of the Union.
• Organizing accounting, storage, and handling of information carriers.
• Identifying security threats to personal data and creating threat models.
• Developing a data protection system based on threat models.
• Checking the readiness and effectiveness of data protection measures.
• Limiting user access to programs and databases.
• Accounting and registration of user actions in the information system.
• Using antivirus and recovery tools to protect data.
• Using measures to protect against unauthorized access, monitoring, analyzing security, and cryptographic protection of data.
• Ensuring access control and security of buildings containing personal data processing means.

5. FINAL PROVISIONS

5.1. The rights and obligations of the Union as a personal data operator are governed by the legislation of the Republic of Azerbaijan.

5.2. Persons guilty of violating the rules of personal data processing and protection are held accountable in accordance with the legislation.