| ITA Evolution LLC
OPERATOR POLICY |
APPROVED Director of ITA Evolution LLC A.E. Rusak _________ |
| 15.11.2021 N 1 | 15.11.2021 |
| Minsk | |
| With regard to the processing of personal data |
CHAPTER 1
GENERAL PROVISIONS
1.1. The policy of processing personal data in ITA Evolution LLC (hereinafter referred to as the Policy) defines the basic principles, goals, conditions and methods of processing personal data, lists of subjects and personal data processed by ITA Evolution LLC, functions of ITA Evolution LLC when processing personal data, the rights of subjects of personal data, as well as the requirements for the protection of personal data implemented by ITA Evolution LLC.
1.2. The policy was developed taking into account the requirements of the Constitution of the Republic of Belarus, legislative and other regulatory legal acts of the Republic of Belarus in the field of personal data.
1.3. The provisions of the Policy serve as the basis for the development of local legal acts regulating in ITA Evolution LLC the processing of personal data of employees of ITA Evolution LLC and other subjects of personal data.
CHAPTER 2
LEGISLATIVE AND OTHER REGULATORY LEGAL ACTS OF THE REPUBLIC OF BELARUS, IN ACCORDANCE WITH WHICH THE POLICY OF PROCESSING PERSONAL DATA IN ITIEY EVOLUTION LLC is determined
2.1. The personal data processing policy at ITA Evolution LLC is determined in accordance with the following regulatory legal acts:
The Constitution of the Republic of Belarus;
Labor Code of the Republic of Belarus;
Law of the Republic of Belarus dated 07.05.2021 N 99-З “On the protection of personal data” (hereinafter – the Law on the protection of personal data);
Law of the Republic of Belarus of 21.07.2008 N 418-З “On the population register”;
Law of the Republic of Belarus of 10.11.2008 N 455-З “On Information, Informatization and Protection of Information”;
other regulatory legal acts of the Republic of Belarus and regulatory documents of authorized government bodies.
2.2. In order to implement the provisions of the Policy, ITA Evolution LLC develops appropriate local legal acts and other documents, including:
Regulation on the processing and protection of personal data in ITA Evolution (Appendix 1 to this Policy);
other local legal acts and documents regulating the processing of personal data in ITA Evolution.
CHAPTER 3
BASIC TERMS AND DEFINITIONS USED IN THE LOCAL LEGAL ACTS OF “ITEI EVOLUTION” LLC REGULATING THE ISSUES OF PERSONAL DATA PROCESSING
3.1. Biometric personal data – information characterizing the physiological and biological characteristics of a person, which is used for his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.).
3.2. Blocking of personal data – termination of access to personal data without deleting it.
3.3. Genetic personal data – information related to the inherited or acquired genetic characteristics of a person, which contains unique data about his physiology or health and can be identified, in particular, when examining his biological sample.
3.4. Depersonalization of personal data – actions as a result of which it becomes impossible to determine the belonging of personal data to a specific subject of personal data without using additional information.
3.5. Processing of personal data – any action or set of actions performed with personal data, including the collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data.
3.6. Publicly available personal data – personal data disseminated by the subject of personal data either with his consent or disseminated in accordance with the requirements of legislative acts.
3.7. Personal data – any information relating to an identified natural person or natural person who can be identified.
3.8. Provision of personal data – actions aimed at familiarizing with the personal data of a particular person or circle of persons.
3.9. Dissemination of personal data – actions aimed at familiarizing with the personal data of an indefinite circle of persons.
3.10. Special personal data – personal data concerning race or nationality, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal prosecution, as well as biometric and genetic personal data.
3.11. Personal data subject is an individual in respect of whom the processing of personal data is carried out.
3.12. Cross-border transfer of personal data – transfer of personal data to the territory of a foreign state.
3.13. Deletion of personal data – actions as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which tangible carriers of personal data are destroyed.
3.14. A natural person who can be identified is a natural person who can be directly or indirectly determined, in particular, through the surname, first name, patronymic, date of birth, identification number, or through one or more signs characteristic of his physical, psychological, mental, economic, cultural, or social identity.
3.15. Information – information (messages, data) about persons, objects, facts, events, phenomena and processes, regardless of the form of their presentation.
3.16. Automated processing of personal data – processing of personal data using computer technology.
CHAPTER 4
PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
4.1. ITA Evolution, being the operator of personal data, processes personal data of employees of ITA Evolution LLC and other subjects of personal data that are not in labor relations with ITA Evolution LLC.
4.2. The processing of personal data at ITA Evolution LLC is carried out taking into account the need to ensure the protection of the rights and freedoms of ITA Evolution LLC employees and other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
the processing of personal data is carried out on a legal and fair basis;
processing of personal data is carried out in proportion to the stated purposes of their processing and ensures a fair balance of interests of all interested parties at all stages of such processing;
processing of personal data is carried out with the consent of the subject of personal data, with the exception of cases provided for by legislative acts;
the processing of personal data is limited to the achievement of specific, predetermined legitimate goals. Processing of personal data that is incompatible with the originally stated purposes of their processing is not allowed;
the content and volume of processed personal data correspond to the stated purposes of their processing. The processed personal data are not redundant in relation to the stated purposes of their processing;
the processing of personal data is transparent. The subject of personal data may be provided with relevant information regarding the processing of his personal data;
the operator takes measures to ensure the accuracy of the personal data processed by him, if necessary, updates them;
the storage of personal data is carried out in a form that allows the identification of the subject of personal data, no longer than the stated purposes of the processing of personal data require.
4.3. Personal data is processed by ITA Evolution LLC in order to:
ensuring compliance with the Constitution of the Republic of Belarus, legislative and other regulatory legal acts of the Republic of Belarus, local legal acts of ITA Evolution LLC;
performing the functions, powers and duties assigned by the legislation of the Republic of Belarus to ITA Evolution LLC, including the provision of personal data to government bodies, to the Social Protection Fund of the Ministry of Labor and Social Protection of the Republic of Belarus, as well as to other government bodies;
regulation of labor relations with employees of ITA Evolution LLC (assistance in employment, training and promotion, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property);
protection of life, health or other vital interests of subjects of personal data;
preparation, conclusion, execution and termination of contracts with counterparties;
ensuring access and intra-facility modes at the facilities of ITA Evolution LLC;
formation of reference materials for the internal information support of the activities of ITA Evolution LLC;
execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus on enforcement proceedings;
exercising the rights and legitimate interests of ITA Evolution LLC within the framework of the activities provided for by the Charter and other local legal acts of ITA Evolution LLC, or achieving socially significant goals;
for other lawful purposes.
CHAPTER 5
LIST OF SUBJECTS WHOSE PERSONAL DATA PROCESSED IN “ITEY EVOLUTION” LLC
5.1. ITA Evolution LLC processes personal data of the following categories of subjects:
employees of ITA Evolution LLC;
other subjects of personal data (to ensure the implementation of the processing purposes specified in Chapter 4 of the Policy).
CHAPTER 6
LIST OF PERSONAL DATA PROCESSED IN “ITEY EVOLUTION” LLC
6.1. The list of personal data processed by ITA Evolution LLC is determined in accordance with the legislation of the Republic of Belarus and local legal acts of ITA Evolution LLC, taking into account the purposes of personal data processing specified in Ch. 4 Politicians.
6.2. Processing of special personal data concerning race or nationality, political views, membership in trade unions, religious or other beliefs, health or intimate life, bringing to administrative or criminal liability, as well as biometric and genetic personal data, in ITA Evolution LLC not carried out.
CHAPTER 7
FUNCTIONS OF “ITEI EVOLUTION” LLC WHEN PERFORMING THE PROCESSING OF PERSONAL DATA
7.1. ITA Evolution LLC when processing personal data:
takes measures necessary and sufficient to ensure compliance with the requirements of the legislation of the Republic of Belarus and local legal acts of ITA Evolution LLC in the field of personal data;
takes legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, copying, provision, dissemination of personal data, as well as from other illegal actions in relation to personal data;
appoints a structural unit or a person responsible for the implementation of internal control over the processing of personal data;
publishes local legal acts defining the policy and issues of processing and protecting personal data at ITA Evolution LLC;
familiarizes the employees of ITA Evolution LLC with the provisions of the legislation of the Republic of Belarus and local legal acts of ITA Evolution LLC in the field of personal data, including the requirements for the protection of personal data, and training these employees;
publishes or otherwise provides unrestricted access to this Policy;
informs in the prescribed manner to the subjects of personal data or their representatives information about the availability of personal data relating to the relevant subjects, provides an opportunity to familiarize themselves with these personal data when contacting and (or) receiving requests from these subjects of personal data or their representatives, unless otherwise provided by the legislation of the Republic Belarus;
stops processing and destroys personal data in cases provided for by the legislation of the Republic of Belarus in the field of personal data;
performs other actions provided for by the legislation of the Republic of Belarus in the field of personal data.
CHAPTER 8
TERMS OF PROCESSING PERSONAL DATA IN “ITEY EVOLUTION” LLC
8.1. The processing of personal data in ITA Evolution LLC is carried out with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by the legislation of the Republic of Belarus in the field of personal data.
8.2. ITA Evolution LLC does not disclose to third parties and does not distribute personal data without the consent of the subject of personal data, unless otherwise provided by the legislation of the Republic of Belarus.
8.3. ITA Evolution LLC has the right to entrust the processing of personal data on behalf of ITA Evolution LLC or in its interests to an authorized person on the basis of an agreement concluded with this person. The contract must contain:
the purposes of personal data processing;
a list of actions that will be performed with personal data by an authorized person;
obligations to maintain the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Art. 17 of the Law on the Protection of Personal Data.
The authorized person is not required to obtain the consent of the personal data subject. If for the processing of personal data on behalf of ITA Evolution LLC it is necessary to obtain the consent of the subject of personal data, such consent is obtained by ITA Evolution LLC.
8.4. For the purpose of internal information support, ITA Evolution LLC may create internal reference materials, which, with the written consent of the subject of personal data, unless otherwise provided by the legislation of the Republic of Belarus, may include his last name, first name, patronymic, place of work, position, year and place birth, address, subscriber number, e-mail address, other personal data provided by the subject of personal data.
8.5. Access to personal data processed by ITA Evolution LLC is permitted:
to employees of ITA Evolution LLC, whose official duties involve working with personal data, and only for the period necessary to work with the relevant data:
the head of the Society;
Deputy Heads of the Society;
employees of the accounting department (of the Company or other organizations involved in accounting work);
employees of the personnel department (of the Company or other organizations involved in the conduct of personnel work);
employees of the legal department (of the Company or other organizations involved in legal work);
employees of the secretariat of the Company (information on the actual place of residence and contact details of employees);
When hiring employees, the above-listed persons undertake an obligation not to disclose personal data that have become known to them in connection with the performance of their labor duties.
employees of audit organizations conducting audits at ITA Evolution LLC (to the extent necessary for the audit).
legal entities and individuals in respect of which ITA Evolution LLC will consider the issue of entering into contractual relations; counterparties of the Company; employees of the Company’s counterparties; clients of the Company’s counterparties; to employees of clients of the Company’s counterparties – with the consent of the subject of personal data.
insurance organizations.
At the same time, the above persons and organizations have the right to receive only those personal data that are necessary to perform specific functions.
CHAPTER 9
LIST OF ACTIONS WITH PERSONAL DATA AND METHODS OF THEIR PROCESSING
9.1. ITE Evolution LLC processes personal data (any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data).
9.2. The processing of personal data in ITA Evolution LLC is carried out in the following ways:
using automation tools;
without the use of automation tools, if this provides for the search for personal data and (or) access to them according to certain criteria (filing cabinets, lists, databases, journals, etc.).
CHAPTER 10
RIGHTS OF PERSONAL DATA SUBJECTS
10.1. Personal data subjects have the right to:
withdrawal of the consent of the subject of personal data;
obtaining information regarding the processing of personal data and changing personal data;
the requirement to terminate the processing of personal data and (or) their deletion;
appeal against actions (inaction) and decisions of the operator related to the processing of personal data.
CHAPTER 11
MEASURES TAKEN BY “ITEY EVOLUTION” LLC TO ENSURE THE OPERATOR’S OBLIGATIONS DURING THE PROCESSING OF PERSONAL DATA
11.1. Measures necessary and sufficient to ensure that ITA Evolution LLC fulfills its obligations as an operator stipulated by the legislation of the Republic of Belarus in the field of personal data, include:
providing personal data subjects with the necessary information before receiving their consent to the processing of personal data;
explaining to the subjects of personal data their rights related to the processing of personal data;
obtaining written consent of the subjects of personal data to the processing of their personal data, with the exception of cases provided for by the legislation of the Republic of Belarus;
appointment of a structural unit or a person responsible for internal control over the processing of personal data at ITA Evolution LLC;
publication of documents defining the policy of ITA Evolution LLC in relation to the processing of personal data;
familiarization of employees who directly process personal data in ITA Evolution with the provisions of the legislation on personal data;
establishment of the procedure for access to personal data, including those processed in the information resource (system);
implementation of technical and cryptographic protection of personal data in ITA Evolution in accordance with the procedure established by the Operational and Analytical Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data;
provision of unrestricted access, including using the global computer network, to the documents defining the policy of ITA Evolution LLC in relation to the processing of personal data, prior to the start of such processing;
termination of the processing of personal data in the absence of grounds for their processing;
immediate notification of the authorized body for the protection of the rights of personal data subjects about violations of the personal data protection systems;
modification, blocking, deletion of false or unlawfully obtained personal data;
limitation of the processing of personal data to the achievement of specific, pre-declared legitimate goals;
storage of personal data in a form that allows the identification of personal data subjects for no longer than the stated purposes of personal data processing require.
CHAPTER 12.
CONTROL OF COMPLIANCE WITH THE LEGISLATION OF THE REPUBLIC OF BELARUS AND LOCAL LEGAL ACTS OF ITEI EVOLUTION LLC IN THE FIELD OF PERSONAL DATA, INCLUDING PERSONAL DATA PROTECTION MEASURES
12.1. Control over the compliance of ITA Evolution LLC with the legislation of the Republic of Belarus and local legal acts of ITA Evolution LLC in the field of personal data, including the requirements for the protection of personal data, is carried out in order to verify the compliance of the processing of personal data in ITA Evolution LLC with the legislation of the Republic Belarus and the local legal acts of ITA Evolution in the field of personal data, including the requirements for the protection of personal data, as well as measures taken to prevent and identify violations of the legislation of the Republic of Belarus in the field of personal data, identify possible channels of leakage and unauthorized access to personal data, elimination of the consequences of such violations.
12.2. Internal control over compliance by ITA Evolution with the legislation of the Republic of Belarus and local legal acts of ITA Evolution in the field of personal data, including requirements for the protection of personal data, is carried out by the person responsible for organizing the processing of personal data in ITAEvolution LLC.
Appendix 1
to the Operator’s Policy
regarding the processing of personal data
| ITA Evolution LLC
POSITION |
APPROVED Director of ITA Evolution LLC A.E. Rusak _________ |
| 15.11.2021 N 1 | 15.11.2021 |
| Minsk | |
| On the processing and protection of personal data |
CHAPTER 1
GENERAL PROVISIONS
1.1. This Regulation on the processing and protection of personal data (hereinafter referred to as the Regulation) determines the policy of ITA Evolution LLC (hereinafter referred to as the Organization) in relation to the processing of personal data, including the procedure for the processing by the Organization of personal data of persons who are not its employees, including the procedure for collecting, storage, use, transfer and protection of personal data.
1.2. Streamlining the handling of personal data is aimed at ensuring the rights and freedoms of citizens when processing personal data, maintaining the confidentiality of personal data and protecting them.
1.3. The position and changes to it are approved by the director of the Organization.
1.4. The Regulation is a local legal act of the Organization, mandatory for compliance and execution by employees, as well as other persons involved in the processing of personal data in accordance with this Regulation.
1.5. The regulation was developed on the basis of and in pursuance of:
- a) the Constitution of the Republic of Belarus;
b) the Labor Code of the Republic of Belarus;
c) the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated 01.28.1981;
d) Charter of the European Union on Fundamental Rights of 12.12.2007;
e) the Law of the Republic of Belarus dated 07.05.2021 N 99-З “On the protection of personal data” (hereinafter – the Law on the protection of personal data);
f) Law of the Republic of Belarus of 21.07.2008 N 418-З “On the population register”;
g) Law of the Republic of Belarus of 10.11.2008 N 455-З “On Information, Informatization and Protection of Information”;
h) other regulatory legal acts of the Republic of Belarus.
CHAPTER 2
BASIC CONCEPTS
2.1. The following basic concepts and terms are used in this Regulation:
- a) Organization or Operator – Limited Liability Company “ITA Evolution”, located at the address: 220092 Minsk, st. Pritytskogo, 29, office 517A;
b) personal data – any information relating to an identified natural person or natural person who can be identified;
c) subject of personal data – an individual to whom the personal data processed by the Organization belong, including an individual who is not an employee of the Organization, to whom the personal data processed by the Organization belong;
d) processing of personal data – any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data;
e) processing of personal data using automation means – processing of personal data using computer technology, while such processing cannot be recognized as carried out exclusively using automation tools only on the basis that personal data is contained in the personal data information system or has been extracted from her;
f) processing of personal data without the use of automation tools – actions with personal data, such as use, clarification, distribution, destruction, carried out with the direct participation of a person, if this provides for the search for personal data and (or) access to them according to certain criteria (filing cabinets , lists, databases, magazines, etc.);
g) dissemination of personal data – actions aimed at familiarizing with the personal data of an indefinite circle of persons;
h) provision of personal data – actions aimed at familiarizing with the personal data of a particular person or circle of persons;
i) blocking of personal data – termination of access to personal data without their deletion;
j) deletion of personal data – actions as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which material carriers of personal data are destroyed;
k) depersonalization of personal data – actions as a result of which it becomes impossible to determine the ownership of personal data to a specific subject of personal data without using additional information;
l) cross-border transfer of personal data – transfer of personal data to the territory of a foreign state;
m) an individual who can be identified – an individual who can be directly or indirectly determined, in particular, through the surname, first name, patronymic, date of birth, identification number or through one or more signs characteristic of his physical, psychological , mental, economic, cultural, or social identity.
CHAPTER 3
CATEGORIES OF PERSONAL DATA SUBJECTS
3.1. The organization processes personal data of the following categories of subjects:
relatives of workers;
job candidates;
employees and other representatives of the Organization;
employees and other representatives of counterparties – legal entities;
counterparties – individuals;
consumers;
other subjects whose interaction with the Operator creates the need for the processing of personal data.
CHAPTER 4
CONTENT AND VOLUME OF PERSONAL DATA
4.1. The content and volume of personal data of each category of subjects is determined by the need to achieve specific purposes of their processing, as well as the need for the Organization to exercise its rights and obligations, as well as the rights and obligations of the relevant subject.
4.2. Personal data of employees’ relatives include:
surname, name, patronymic;
date of birth;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information about the marital status and composition of the family, indicating the surnames, names and patronymics of family members, date of birth, place of work and / or study;
information about registration at the place of residence (including address, date of registration);
information about the place of actual residence;
number and series of insurance certificate of state social insurance;
medical information (in cases stipulated by law);
information about social benefits and payments;
contact information (including work, home and / or mobile phone numbers, e-mail, etc.).
4.3. The personal data of job candidates include:
surname, name, patronymic (as well as all previous surnames);
date and place of birth;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
data of the birth certificate (number, date of issue, name of the issuing authority, etc.) (if necessary);
floor;
information about the marital status and composition of the family, indicating the surnames, names and patronymics of family members, date of birth, place of work and / or study;
information about registration at the place of residence (including address, date of registration);
information about the place of actual residence;
number and series of insurance certificate of state social insurance;
data on education, advanced training and professional retraining, academic degree, academic rank;
taxpayer identification number;
information about labor activity (including seniority and work experience, data on employment with an indication of the position, department, information about the employer, etc.);
specialty, profession, qualifications;
information about military registration;
medical information (in cases stipulated by law);
biometric personal data (including photographs, images from CCTV cameras, voice recordings);
information about social benefits and payments;
contact information (including home and / or mobile phone numbers, e-mail, etc.);
information about awards and incentives;
information provided by the candidate himself during filling out personality questionnaires and passing psychometric testing activities, as well as the results of such testing (psychometric profile, abilities and characteristics);
other data that may be indicated in the resume or application form of the candidate.
4.4. Personal data of employees and other representatives of the Organization include:
surname, name, patronymic (as well as all previous surnames);
date of birth;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
data of visas and other documents of migration registration;
floor;
information about the place of stay;
biometric personal data (including photographs, images from CCTV cameras, voice recordings);
information about social benefits and payments;
contact information (including work and / or mobile phone numbers, e-mail, etc.);
other data necessary for the fulfillment of mutual rights and obligations.
4.5. Personal data of employees and other representatives of counterparties – legal entities include:
surname, name, patronymic;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information about registration at the place of residence (including address, date of registration);
contact information (including work, home and / or mobile phone numbers, e-mail, etc.);
position;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.
4.6. Personal data of counterparties – individuals include:
surname, name, patronymic;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information about registration at the place of residence (including address, date of registration);
number and series of insurance certificate of state social insurance;
data on education, advanced training and professional retraining, academic degree, academic rank;
bank account details;
taxpayer identification number;
specialty, profession, qualifications;
contact information (including home and / or mobile phone numbers, e-mail, etc.);
data of the certificate of registration of property rights;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.
4.7. Consumer personal data includes:
surname, name, patronymic;
Contact details;
date of birth;
floor;
Height Weight;
other data required for registration and analysis of the appeal.
4.8. Personal data of other subjects includes:
surname, name, patronymic;
contact information (including home and / or mobile phone numbers, e-mail, etc.);
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information about registration at the place of residence (including address, date of registration);
number and series of insurance certificate of state social insurance;
data on education, advanced training and professional retraining, academic degree, academic rank;
bank account details;
taxpayer identification number;
specialty, profession, qualifications;
other data necessary for the fulfillment of mutual rights and obligations between the Organization and the counterparty.
CHAPTER 5
PRINCIPLES OF PERSONAL DATA PROCESSING
5.1. The processing of personal data of subjects is based on the following principles:
a) the processing of personal data is carried out in accordance with the Law on the Protection of Personal Data and other legislative acts;
b) the processing of personal data should be proportionate to the stated purposes of their processing and ensure a fair balance of interests of all interested parties at all stages of such processing;
c) the processing of personal data is carried out with the consent of the subject of personal data, with the exception of cases provided for by the Law on the Protection of Personal Data and other legislative acts;
d) the processing of personal data should be limited to the achievement of specific, predetermined legitimate goals. Processing of personal data that is incompatible with the originally stated purposes of their processing is not allowed;
e) the content and volume of processed personal data must correspond to the stated purposes of their processing. The processed personal data should not be redundant in relation to the stated purposes of their processing;
f) the processing of personal data must be transparent. For these purposes, the subject of personal data, in the cases provided for by the Law on the Protection of Personal Data, is provided with relevant information regarding the processing of his personal data;
g) The operator is obliged to take measures to ensure the accuracy of the personal data processed by him, if necessary, update them;
h) the storage of personal data must be carried out in a form that allows the identification of the subject of personal data, no longer than the stated purposes of the processing of personal data require.
CHAPTER 6
PURPOSES OF PERSONAL DATA PROCESSING
6.1. The processing of personal data of subjects of personal data is carried out for the following purposes:
implementation and performance of functions, powers and duties assigned to the Organization by the legislation of the Republic of Belarus and international treaties of the Republic of Belarus;
provision of benefits and compensation to relatives of employees;
identification of conflicts of interest;
consideration of the employment opportunities of candidates;
maintaining a personnel reserve;
verification of candidates (including their qualifications and work experience);
organization and support of business trips;
holding events and ensuring the participation of personal data subjects in them;
ensuring security, preserving material values and preventing offenses;
issuance of powers of attorney and other authorizing documents;
negotiation, conclusion and execution of contracts;
counterparty verification;
advertising and promotion of products, including the presentation of information about the products of the Organization;
processing of complaints and information on the safety of goods;
processing of complaints about negative phenomena and side effects;
fulfillment of the duty of a tax agent;
other purposes aimed at ensuring compliance with employment contracts, laws and other regulatory legal acts.
6.2. Personal data is processed solely to achieve one or more of the specified legitimate purposes. If personal data has been collected and processed to achieve a specific purpose, in order to use this data for other purposes, it is necessary to notify the subject of personal data about this and, if necessary, obtain a new consent to processing.
6.3. The processing of personal data may be carried out for other purposes, if necessary in connection with ensuring compliance with the law.
CHAPTER 7
RULES FOR PROCESSING PERSONAL DATA
7.1. General rules.
7.1.1. The processing of personal data is carried out by mixed (both with the use of automation tools and without the use of automation tools) processing, including using the internal network and the Internet.
7.1.2. In the cases established by the legislation of the Republic of Belarus, the main condition for the processing of personal data is to obtain the consent of the relevant subject of personal data, including in writing.
7.1.3. The written consent of the subject of personal data to the processing of his personal data must include:
a) surname, proper name, patronymic (if any);
b) date of birth;
c) identification number, and in the absence of such a number – the number of the document proving his identity;
d) the signature of the subject of personal data. If the purposes of processing personal data do not require processing of information, this information is not subject to processing by the Operator upon obtaining the consent of the subject of personal data.
7.1.4. The consent of the subject of personal data to the processing of his personal data, with the exception of special personal data, is not required in the following cases:
for the purposes of conducting administrative and (or) criminal proceedings, carrying out operational-search activities;
for the administration of justice, the execution of court orders and other executive documents;
in order to exercise control (supervision) in accordance with legislative acts;
when implementing the norms of legislation in the field of national security, combating corruption, preventing legalization of proceeds from crime, financing terrorist activities and financing the proliferation of weapons of mass destruction;
when implementing the norms of legislation on elections, referendums, recalling a deputy of the House of Representatives, a member of the Council of the Republic of the National Assembly of the Republic of Belarus, a deputy of a local Council of Deputies;
to maintain individual (personified) records of information about insured persons for the purposes of state social insurance, including professional pension insurance;
when registering labor (service) relations, as well as in the process of labor (official) activities of the subject of personal data in cases stipulated by law;
to carry out notarial activities;
when considering issues related to citizenship of the Republic of Belarus, granting refugee status, subsidiary protection, asylum and temporary protection in the Republic of Belarus;
for the purpose of assigning and paying pensions, benefits;
for the organization and conduct of state statistical observations, the formation of official statistical information;
for scientific or other research purposes, subject to the mandatory depersonalization of personal data;
when accounting, calculating and calculating payments for housing and communal services, payments for the use of residential premises and reimbursement of electricity costs, payments for other services and tax refunds, as well as in the provision of benefits and collection of arrears in payments for housing and communal services, payment for the use of residential premises and reimbursement of electricity costs;
upon receipt of personal data by the Operator on the basis of an agreement concluded (concluded) with the subject of personal data, in order to perform the actions established by this agreement;
when processing personal data, when they are indicated in a document addressed to the Operator and signed by the subject of personal data, in accordance with the content of such a document;
in order to carry out the legitimate professional activities of a journalist and (or) the activities of a mass media, organization carrying out publishing activities aimed at protecting the public interest, which is the need of society to detect and disclose information about threats to national security, public order, public health and the environment , information affecting the performance of their duties by public officials holding a responsible position, public figures, except for cases provided for by civil procedural, economic procedural, criminal procedural legislation, legislation that determines the procedure for the administrative process;
to protect the life, health or other vital interests of the subject of personal data or other persons, if it is impossible to obtain the consent of the subject of personal data;
in relation to previously distributed personal data, prior to the moment the personal data subject claims to stop processing the disseminated personal data, as well as to delete them in the absence of other grounds for processing personal data provided for by the Law on the Protection of Personal Data and other legislative acts;
in cases where the processing of personal data is necessary to fulfill the duties (powers) provided for by legislative acts;
in cases where the Personal Data Protection Law and other legislative acts directly provide for the processing of personal data without the consent of the personal data subject.
7.1.5. The processing of special personal data without the consent of the personal data subject is prohibited, with the exception of the following cases:
if special personal data is made publicly available personal data by the subject of personal data himself;
when registering labor (service) relations, as well as in the process of labor (official) activities of the subject of personal data in cases stipulated by law;
when public associations, political parties, trade unions, religious organizations process personal data of their founders (members) to achieve statutory goals, provided that these data are not subject to dissemination without the consent of the subject of personal data;
in order to organize the provision of medical care, provided that such personal data is processed by a medical, pharmaceutical or other health care worker who is entrusted with the responsibility to ensure the protection of personal data and, in accordance with the law, is subject to the obligation to maintain medical secrecy;
for the administration of justice, the execution of court orders and other executive documents, the execution of a writ of execution, registration of inheritance rights;
for the purposes of conducting administrative and (or) criminal proceedings, carrying out operational-search activities;
in cases stipulated by the criminal executive legislation, legislation in the field of national security, defense, anti-corruption, anti-terrorism and counter-extremism, prevention of legalization of proceeds from crime, financing of terrorist activities and financing the proliferation of weapons of mass destruction, legislation on the State Border Of the Republic of Belarus, citizenship, the procedure for leaving the Republic of Belarus and entering the Republic of Belarus, refugee status, subsidiary protection, asylum and temporary protection in the Republic of Belarus;
in order to ensure the functioning of the unified state system for registration and accounting of offenses;
for the purpose of conducting forensic records;
for the organization and conduct of state statistical observations, the formation of official statistical information;
for the implementation of administrative procedures;
in connection with the implementation of international agreements of the Republic of Belarus on readmission;
when documenting the population;
to protect the life, health or other vital interests of the subject of personal data or other persons, if it is impossible to obtain the consent of the subject of personal data;
in cases where the processing of special personal data is necessary to fulfill the duties (powers) provided for by legislative acts;
in cases where the Law on the Protection of Personal Data and other legislative acts explicitly provide for the processing of special personal data without the consent of the subject of personal data. Processing of special personal data is allowed only if a set of measures is taken to prevent risks that may arise when processing such personal data for the rights and freedoms of subjects of personal data.
7.2. Collection of personal data.
7.2.1. The source of information about all personal data is directly the subject of personal data.
7.2.2. Unless otherwise provided by the Law on the Protection of Personal Data, the Organization has the right to receive the personal data of the subject of personal data from third parties only upon notification of the subject, or if the subject has written consent to receive his personal data from third parties.
7.2.3. The notification of the subject of personal data about the receipt of his personal data from third parties must contain:
- a) the name of the Operator and the address of its location;
b) the purpose of processing personal data and its legal basis;
c) prospective users of personal data;
d) the rights of the subject of personal data established by law;
e) the source of obtaining personal data.
7.3. Storage of personal data.
7.3.1. When storing personal data, conditions must be observed to ensure the safety of personal data.
7.3.2. Documents containing personal data contained in paper form are kept in specially designated places with limited access under conditions that ensure their protection from unauthorized access. The list of document storage locations is determined by the Organization.
7.3.3. Personal data stored in electronic form are protected from unauthorized access using special technical and software protection tools. The storage of personal data in electronic form outside the information systems used by the Organization and databases specially designated by the Organization (non-system storage of personal data) is not allowed.
7.3.4. The storage of personal data should be carried out in a form that allows identifying the subject of personal data, but no longer than the purpose of their processing requires, unless another period is established by the legislation of the Republic of Belarus or by an agreement to which the subject of personal data is a party, beneficiary or guarantor.
7.3.5. Unless otherwise provided by law, the processed personal data are subject to destruction or depersonalization upon achievement of the processing goals, in case of loss of the need to achieve these goals or after the expiration of their storage period.
7.3.6. Destruction or depersonalization of personal data should be carried out in a way that excludes further processing of this personal data. At the same time, if necessary, it is necessary to preserve the possibility of processing other data recorded on the corresponding material medium (deletion, deletion).
7.3.7. If it is necessary to destroy or block a part of personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a way that excludes the simultaneous copying of personal data to be destroyed or blocked.
7.3.8. If it is necessary to destroy or block a part of personal data, the material medium is destroyed or blocked with preliminary copying of information that is not subject to destruction or blocking, in a way that excludes the simultaneous copying of personal data to be destroyed or blocked.
7.4. Usage.
7.4.1. Personal data is processed and used for the purposes specified in clause 6.1 of the Regulation.
7.4.2. Access to personal data is provided only to those employees of the Organization whose official duties involve working with personal data, and only for the period necessary to work with the relevant data. The list of such persons is determined by the Organization.
7.4.3. If it becomes necessary to provide access to personal data to employees who are not included in the list of persons with access to personal data, they may be provided with temporary access to a limited range of personal data by order of the director of the company or another person authorized by the director of the company. Relevant employees must be familiarized with signature with all local legal acts of the Organization in the field of personal data, and must also sign a commitment to non-disclosure of personal data.
7.4.4. Employees who process personal data without using automation tools are informed (including by familiarizing themselves with this Regulation) about the fact of their processing of personal data, categories of processed personal data, as well as about the features and rules for such processing established by law and this Regulation.
7.4.5. Employees of the Organization who do not have a properly issued admission are prohibited from accessing personal data.
7.4.6. If it is necessary to use or disseminate certain personal data separately from other personal data located on the same material carrier, the personal data to be disseminated or used are copied in a way that excludes the simultaneous copying of personal data that are not subject to dissemination and use, and a copy of personal data is used (distributed) data.
7.4.7. Clarification of personal data during their processing without the use of automation tools is carried out by updating or changing the data on the material carrier, and if this is not allowed by the technical features of the material carrier – by fixing on the same material carrier information about the changes made to them or by making a new material carrier with updated personal data.
7.5. Broadcast.
7.5.1. The transfer of personal data of subjects to third parties is allowed in the minimum necessary volumes and only for the purpose of performing tasks corresponding to the objective reason for collecting this data.
7.5.2. The transfer of personal data to third parties, including for commercial purposes, is allowed only with the consent of the subject or other legal basis.
7.5.3. When transferring personal data to third parties, the subject must be notified of such transfer, with the exception of cases determined by law, in particular if:
- a) the subject of personal data is notified of the processing of his personal data by the Operator, who received the relevant data from the Organization;
b) personal data is made publicly available by the subject of personal data or obtained from a publicly available source;
c) personal data is processed for statistical or other research purposes, for the implementation of the professional activity of a journalist or scientific, literary or other creative activity, if this does not violate the rights and legitimate interests of the subject of personal data.
7.5.4. The transfer of information containing personal data must be carried out in a way that provides protection against unauthorized access, destruction, modification, blocking, copying, distribution, as well as other illegal actions in relation to such information.
7.5.5. Cross-border transfer of personal data is prohibited if an adequate level of protection of the rights of subjects of personal data is not ensured on the territory of a foreign state, except for cases when:
the consent of the subject of personal data is given, provided that the subject of personal data is informed about the risks arising from the lack of an adequate level of their protection;
personal data was obtained on the basis of an agreement concluded (concluded) with the subject of personal data in order to perform the actions established by this agreement;
personal data can be obtained by any person by sending a request in the cases and in the manner prescribed by law;
such transfer is necessary to protect the life, health or other vital interests of the subject of personal data or other persons, if it is impossible to obtain the consent of the subject of personal data;
the processing of personal data is carried out within the framework of the execution of international treaties of the Republic of Belarus;
such transfer is carried out by the financial monitoring body in order to take measures to prevent the legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction in accordance with the law;
the relevant permission of the authorized body for the protection of the rights of subjects of personal data has been obtained.
7.5.6. Persons receiving personal data should be warned that these data can only be used for the purposes for which they were communicated, and in compliance with the confidentiality regime. The organization has the right to demand from these persons confirmation that this rule has been observed.
7.5.7. In cases where state bodies have the right to request personal data or personal data must be provided by virtue of the law, as well as in accordance with the court’s request, the relevant information may be provided to them in the manner prescribed by the current legislation of the Republic of Belarus.
7.5.8. All incoming requests should be transmitted to the person responsible for organizing the processing of personal data in the Organization for preliminary consideration and approval.
7.6. Processing order.
7.6.1. The organization has the right to entrust the processing of personal data to an authorized person.
7.6.2. The agreement between the Operator and the authorized person, an act of legislation or a decision of a state body must define:
the purposes of personal data processing;
a list of actions that will be performed with personal data by an authorized person;
obligations to maintain the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Art. 17 of the Law on the Protection of Personal Data.
7.6.3. The authorized person is not required to obtain the consent of the personal data subject. If for the processing of personal data on behalf of the Operator it is necessary to obtain the consent of the subject of personal data, such consent is obtained by the Operator.
7.6.4. If the Operator entrusts the processing of personal data to an authorized person, the Operator bears responsibility to the subject of personal data for the actions of this person. The authorized person is responsible to the Operator.
7.7. Protection.
7.7.1. Personal data protection means a number of legal, organizational and technical measures aimed at:
- a) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
b) observance of confidentiality of information of limited access;
c) the exercise of the right to access information.
7.7.2. To protect personal data, the Organization takes the necessary measures provided by law (including, but not limited to):
- a) limits and regulates the composition of employees whose functional duties require access to information containing personal data (including by using passwords for access to electronic information resources);
b) provides conditions for storing documents containing personal data in limited access;
c) organizes the procedure for the destruction of information containing personal data, if the legislation does not establish requirements for storing the relevant data;
d) controls compliance with the requirements for ensuring the security of personal data, including those established by this Regulation (by conducting internal checks, establishing special monitoring tools, etc.);
e) conducts an investigation of cases of unauthorized access or disclosure of personal data, bringing the guilty employees to justice, taking other measures;
f) introduces software and technical means of protecting information in electronic form;
g) provides the ability to recover personal data modified or destroyed due to unauthorized access to them.
7.7.3. To protect personal data during their processing in information systems, the Organization takes the necessary measures provided for by law (including, but not limited to):
- a) identification of threats to the security of personal data during their processing;
b) the use of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to meet the requirements for the protection of personal data;
c) accounting of machine carriers of personal data;
d) detection of facts of unauthorized access to personal data and taking measures;
e) recovery of personal data modified or destroyed due to unauthorized access to them;
f) establishing rules for accessing personal data processed in the personal data information system, as well as ensuring registration and accounting of all actions performed with personal data in the personal data information system.
7.7.4. The Organization appoints persons responsible for organizing the processing of personal data.
7.7.5. The Organization takes other measures aimed at ensuring that the Organization fulfills its obligations in the field of personal data, provided for by the current legislation of the Republic of Belarus.
CHAPTER 8
RIGHTS AND OBLIGATIONS OF PERSONAL DATA SUBJECTS
8.1. The subject of personal data has the right:
a) at any time, without giving reasons, withdraw your consent by submitting an application to the Operator in the manner prescribed by Art. 14 of the Law on the Protection of Personal Data, or in the form through which his consent was obtained;
b) receive information regarding the processing of their personal data, containing:
name (surname, proper name, patronymic (if any)) and location (address of residence (place of stay)) of the Operator;
confirmation of the fact of processing of personal data by the Operator (authorized person);
his personal data and the source of their receipt;
legal grounds and purposes of personal data processing;
the period for which his consent was given;
the name and location of the authorized person, which is a state body, a legal entity of the Republic of Belarus, another organization, if the processing of personal data is entrusted to such a person;
other information provided by law;
c) require the Operator to make changes to his personal data if the personal data is incomplete, outdated or inaccurate. For these purposes, the subject of personal data submits an application to the Operator in the manner prescribed by Art. 14 of the Law on the Protection of Personal Data, with the attachment of the relevant documents and (or) their duly certified copies, confirming the need to amend the personal data;
d) receive information from the Operator about the provision of their personal data to third parties once a calendar year, free of charge, unless otherwise provided by the Law on the Protection of Personal Data and other legislative acts. To obtain this information, the subject of personal data submits an application to the Operator. The statement of the subject of personal data must contain:
last name, first name, patronymic (if any) of the subject of personal data, address of his place of residence (place of stay);
date of birth of the subject of personal data;
identification number of the subject of personal data, in the absence of such a number – the number of the identity document of the subject of personal data, in cases where this information was indicated by the subject of personal data when giving his consent to the Operator or the processing of personal data is carried out without the consent of the subject of personal data;
a statement of the essence of the requirements of the subject of personal data;
personal signature or electronic digital signature of the subject of personal data;
e) demand from the Operator a free cessation of the processing of his personal data, including their deletion, in the absence of grounds for the processing of personal data provided for by the Law on the Protection of Personal Data and other legislative acts. To exercise this right, the subject of personal data submits an application to the Operator in the manner prescribed by the Law on the Protection of Personal Data;
f) appeal against the actions (inaction) and decisions of the Operator that violate his rights when processing personal data to the authorized body for the protection of the rights of subjects of personal data in the manner prescribed by the legislation on appeals of citizens and legal entities.
8.2. The subject’s right to access his personal data may be limited in accordance with the legislation of the Republic of Belarus.
8.3. All requests from subjects or their representatives in connection with the processing of their personal data are recorded in the corresponding journal.
8.4. The subject of personal data is obliged:
- a) provide the Organization with reliable personal data;
b) promptly inform the Organization about changes and additions to their personal data;
c) exercise their rights in accordance with the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data;
d) fulfill other obligations stipulated by the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data.
CHAPTER 9
RIGHTS AND OBLIGATIONS OF THE ORGANIZATION
9.1. The organization has the right:
- a) establish the rules for the processing of personal data in the Organization, make changes and additions to this Regulation, independently, within the framework of the requirements of the legislation, develop and apply the forms of documents necessary to fulfill the duties of the Operator;
b) exercise other rights provided for by the legislation of the Republic of Belarus and local legal acts of the Organization in the field of processing and protection of personal data.