Privacy Policy
APPROVED
Director of MONTBRUK LLC
D. M. Lashkunov November 15, 2021
REGULATION
No. 1-OZD/2021
on the processing and protection of personal data
MONTBRUK Limited Liability Company
Minsk
Shall come into effect on November 15, 2021
CHAPTER 1
GENERAL PROVISIONS
1.1. This Regulation on the processing and protection of personal data (hereinafter referred to as the Regulation) defines the policy of MONTBRUK Limited Liability Company (hereinafter referred to as the Enterprise) regarding the processing of personal data, including the procedure for the Enterprise to process personal data of persons who are not its employees, including the procedure for collecting, storing, using, transferring and protecting personal data.
1.2. Streamlining the handling of personal data is aimed at ensuring the rights and freedoms of citizens in the processing of personal data, maintaining the confidentiality of personal data and protecting them.
1.3. The Regulation is a local legal act of the Enterprise, mandatory for compliance and execution by employees, as well as other persons involved in the processing of personal data in accordance with this Regulation.
1.4. The Regulation has been developed on the basis of and in pursuance of:
- The Constitution of the Republic of Belarus;
- The Labor Code of the Republic of Belarus;
- The Law of the Republic of Belarus dated 07.05.2021 No. 99-Z "On the Protection of Personal Data" (hereinafter referred to as the Law on the Protection of Personal Data);
- The Law of the Republic of Belarus dated 21.07.2008 No. 418-Z "On the Population Register";
- The Law of the Republic of Belarus dated 10.11.2008 No. 455-Z "On Information, Informatization and Information Protection";
- other regulatory legal acts of the Republic of Belarus.
1.5. The concepts contained in Art. 1 of the Law on the Protection of Personal Data are used in this Policy with the same meaning.
CHAPTER 2
CATEGORIES OF PERSONAL DATA SUBJECTS
2.1. The Company processes personal data of the following categories of subjects:
relatives of employees;
job candidates;
employees and other representatives of the Company;
employees and other representatives of counterparties - legal entities;
counterparties - individuals;
consumers;
other subjects whose interaction with the Operator creates the need to process personal data.
CHAPTER 3
CONTENT AND SCOPE OF PERSONAL DATA
3.1. The content and scope of personal data of each category of subjects is determined by the need to achieve specific purposes of their processing, as well as the need for the Company to exercise its rights and obligations, as well as the rights and obligations of the relevant subject.
3.2. Personal data of job candidates include:
last name, first name, patronymic (as well as all previous last names);
date and place of birth;
citizenship;
passport details or details of another identity document (series, number, date of issue, name of the issuing authority, etc.);
birth certificate details (number, date of issue, name of the issuing authority, etc.) (if necessary);
gender;
information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and/or study;
information on registration at the place of residence (including address, date of registration);
information on the place of actual residence;
number and series of the state social insurance certificate;
information on education, advanced training and professional retraining, academic degree, academic title;
taxpayer identification number;
information on work experience (including length of service and work experience, employment details indicating the position, department, details of the employer, etc.);
specialty, profession, qualification;
information on military registration;
medical information (in cases stipulated by law);
biometric personal data (including photographs, images from CCTV cameras, voice recordings);
information on social benefits and payments;
contact information (including home and/or mobile phone numbers, e-mail, etc.);
information provided by the candidate during the completion of personality questionnaires and psychometric testing events, as well as the results of such testing (psychometric profile, abilities and characteristics);
other data that may be indicated in the candidate's resume or application form.
3.3. Personal data of employees include:
last name, first name, patronymic (as well as all previous last names);
date and place of birth;
citizenship;
passport details or details of another identity document (series, number, date of issue, name of the issuing authority, etc.);
birth certificate details (number, date of issue, name of the issuing authority, etc.) (if necessary);
gender;
information on marital status and family composition, indicating the last names, first names and patronymics of family members, date of birth, place of work and/or study;
information on registration at the place of residence (including address, date of registration);
information on the place of actual residence;
number and series of the state social insurance certificate;
information on education, advanced training and professional retraining, academic degree, academic title;
taxpayer identification number;
information on work activity (including length of service and work experience, employment data indicating the position, department, information about the employer, etc.);
specialty, profession, qualification;
information on military registration;
medical information (in cases stipulated by law);
biometric personal data (including photographs, images from CCTV cameras, voice recordings);
information on social benefits and payments;
contact information (including home and/or mobile phone numbers, e-mail, etc.);
information on awards and incentives;
information provided by the candidate himself during the completion of personality questionnaires and psychometric testing events, as well as the results of such testing (psychometric profile, abilities and characteristics);
other data that may be specified in the candidate's resume or application form.
3.4. Personal data of employees and other representatives of counterparties - legal entities include:
last name, first name, patronymic;
contact details (including work, home and/or mobile phone numbers, e-mail, etc.);
position;
other data necessary for the performance of mutual rights and obligations between the Enterprise and the counterparty.
3.5. Personal data of counterparties - individuals include:
last name, first name, patronymic;
citizenship;
passport details or details of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information on registration at the place of residence (including address, date of registration);
contact details (including home and/or mobile phone numbers, e-mail, etc.);
details of the certificate of registration of ownership;
other data necessary for the performance of mutual rights and obligations between the Enterprise and the counterparty.
3.6. Personal data of consumers include:
last name, first name, patronymic;
contact details;
date of birth;
gender;
other data necessary for registration and analysis of the request.
CHAPTER 4
PRINCIPLES OF PERSONAL DATA PROCESSING
4.1. The processing of personal data of subjects is based on the following principles:
a) personal data is processed in accordance with the Law on the Protection of Personal Data and other legislative acts;
b) personal data processing must be proportionate to the stated purposes of their processing and ensure a fair balance of interests of all interested parties at all stages of such processing;
c) personal data is processed with the consent of the subject of personal data, except for cases stipulated by the Law on the Protection of Personal Data and other legislative acts;
d) personal data processing must be limited to achieving specific, pre-stated legitimate purposes. Processing of personal data that is incompatible with the originally stated purposes of their processing is prohibited;
e) the content and volume of the processed personal data must correspond to the stated purposes of their processing. The processed personal data must not be excessive in relation to the stated purposes of their processing;
f) the processing of personal data must be transparent. For these purposes, the subject of personal data, in cases stipulated by the Law on the Protection of Personal Data, is provided with relevant information regarding the processing of his personal data;
g) the Operator is obliged to take measures to ensure the accuracy of the personal data processed by him, and update them if necessary;
h) the storage of personal data must be carried out in a form that allows identification of the subject of personal data, for no longer than required by the stated purposes of processing the personal data.
CHAPTER 5
PURPOSES OF PERSONAL DATA PROCESSING
5.1. The processing of personal data of personal data subjects is carried out for the following purposes:
implementation and performance of functions, powers and duties imposed on the Enterprise by the legislation of the Republic of Belarus and international treaties of the Republic of Belarus;
provision of benefits and compensation to relatives of employees;
identification of conflicts of interest;
consideration of the possibility of employing candidates;
maintenance of a personnel reserve;
verification of candidates (including their qualifications and work experience);
organization and support of business trips;
holding events and ensuring the participation of personal data subjects in them;
ensuring security, preserving material assets and preventing offenses;
issuing powers of attorney and other authorizing documents;
negotiating, concluding and executing contracts;
verification of the counterparty;
advertising and promotion of products, including the provision of information on the Company's products;
processing of requests for claims and information on product safety;
performance of the duties of a tax agent;
other purposes aimed at ensuring compliance with employment contracts, laws and other regulatory legal acts.
5.2. Personal data are processed solely to achieve one or more of the specified legitimate purposes. If personal data have been collected and processed to achieve a specific purpose, in order to use this data for other purposes, it is necessary to notify the subject of personal data about this and, if necessary, obtain new consent for processing.
5.3. Personal data may be processed for other purposes if this is necessary in connection with ensuring compliance with the law.
CHAPTER 6
RULES FOR PROCESSING PERSONAL DATA
6.1. General rules.
6.1.1. Personal data is processed by mixed (both with the use of automation tools and without the use of automation tools) processing, including using the internal network and the Internet.
6.1.2. In cases established by the legislation of the Republic of Belarus, the main condition for processing personal data is obtaining the consent of the relevant subject of personal data, including in writing.
6.1.3. The written consent of the personal data subject to the processing of his personal data must include:
a) surname, first name, patronymic (if any);
b) date of birth;
c) identification number, and in the absence of such number - the number of the document certifying his identity;
d) signature of the personal data subject.
If the purposes of processing personal data do not require the processing of information, this information is not subject to processing by the Operator upon receipt of the consent of the personal data subject.
6.1.4. The consent of the personal data subject to the processing of his personal data, with the exception of special personal data, is not required in the following cases:
for the purposes of administrative and (or) criminal proceedings, the implementation of operational-search activities;
for the administration of justice, the execution of court orders and other executive documents;
for the purpose of exercising control (supervision) in accordance with legislative acts;
in the implementation of legislative norms in the field of national security, the fight against corruption, the prevention of legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction;
in the implementation of legislative norms on elections, referendums, the recall of a deputy of the House of Representatives, a member of the Council of the Republic of the National Assembly of the Republic of Belarus, a deputy of the local Council of Deputies;
for maintaining individual (personalized) records of information on insured persons for the purposes of state social insurance, including professional pension insurance;
when formalizing labor (service) relations, as well as in the process of labor (service) activity of the subject of personal data in cases stipulated by law;
for the implementation of notarial activities;
when considering issues related to the citizenship of the Republic of Belarus, the granting of refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;
for the purpose of assigning and paying pensions, benefits;
for organizing and conducting state statistical observations, the formation of official statistical information;
for scientific or other research purposes, subject to mandatory anonymization of personal data;
when recording, calculating and charging for housing and communal services, charges for the use of residential premises and reimbursement of electricity costs, charges for other services and tax reimbursement, as well as when providing benefits and collecting debts for housing and communal services, charges for the use of residential premises and reimbursement of electricity costs;
when receiving personal data by the Operator on the basis of an agreement concluded (being concluded) with the subject of personal data, for the purpose of performing the actions established by this agreement;
when processing personal data, when they are specified in a document addressed to the Operator and signed by the subject of personal data, in accordance with the content of such document;
for the purpose of carrying out the lawful professional activities of a journalist and (or) the activities of a mass media outlet, an organization carrying out publishing activities, aimed at protecting the public interest, which is the need of society to detect and disclose information about threats to national security, public order, public health and the environment, information that affects the performance of their duties by government officials holding a responsible position, public figures, with the exception of cases provided for by civil procedural, economic procedural, criminal procedural legislation, legislation determining the procedure for administrative process;
to protect the life, health or other vital interests of the personal data subject or other persons, if it is impossible to obtain the consent of the personal data subject;
with respect to previously disseminated personal data until the personal data subject submits demands to stop processing the disseminated personal data, as well as to delete them in the absence of other grounds for processing personal data stipulated by the Personal Data Protection Law and other legislative acts;
in cases where the processing of personal data is necessary to perform duties (powers) stipulated by legislative acts;
in cases where the Personal Data Protection Law and other legislative acts expressly provide for the processing of personal data without the consent of the personal data subject.
6.1.5. Processing of special personal data without the consent of the personal data subject is prohibited, except for the following cases:
if special personal data are made publicly available personal data by the personal data subject him/herself;
when formalizing labor (service) relations, as well as in the course of labor (service) activities of the personal data subject in cases stipulated by law;
when public associations, political parties, trade unions, religious organizations process personal data of their founders (members) to achieve their statutory goals, provided that such data is not subject to distribution without the consent of the subject of the personal data;
for the purpose of organizing the provision of medical care, provided that such personal data is processed by a medical, pharmaceutical or other healthcare worker who is responsible for ensuring the protection of personal data and is subject to the obligation to maintain medical confidentiality in accordance with the law;
for the administration of justice, the execution of court orders and other executive documents, the execution of an executive inscription, the registration of inheritance rights;
for the purposes of conducting administrative and (or) criminal proceedings, implementing operational-search activities;
in cases stipulated by the criminal-executive legislation, legislation in the field of national security, defense, the fight against corruption, the fight against terrorism and countering extremism, the prevention of legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction, the legislation on the State Border of the Republic of Belarus, citizenship, the procedure for leaving the Republic of Belarus and entering the Republic of Belarus, refugee status, additional protection, asylum and temporary protection in the Republic of Belarus;
in order to ensure the functioning of the unified state system of registration and recording of offenses;
for the purpose of maintaining forensic records;
for the organization and conduct of state statistical observations, the formation of official statistical information;
for the implementation of administrative procedures;
in connection with the implementation of international treaties of the Republic of Belarus on readmission;
when documenting the population;
to protect the life, health or other vital interests of the subject of personal data or other persons, if obtaining the consent of the subject of personal data is impossible;
in cases where the processing of special personal data is necessary to perform duties (powers) stipulated by legislative acts;
in cases where the Law on the Protection of Personal Data and other legislative acts expressly provide for the processing of special personal data without the consent of the personal data subject.
The processing of special personal data is permitted only if a set of measures is taken to prevent risks that may arise during the processing of such personal data for the rights and freedoms of personal data subjects.
6.2. Collection of personal data.
6.2.1. The source of information about all personal data is directly the personal data subject.
6.2.2. Unless otherwise provided by the Law on the Protection of Personal Data, the Enterprise has the right to receive personal data of the personal data subject from third parties if there is a written consent of the subject to the provision of his personal data to third parties.
6.3. Storage of personal data.
6.3.1. When storing personal data, the conditions ensuring the safety of personal data must be observed.
6.3.2. Documents containing personal data contained on paper media are located in specially designated places with limited access under conditions that ensure their protection from unauthorized access.
6.3.3. Personal data stored in electronic form are protected from unauthorized access using special hardware and software means of protection. Storage of personal data in electronic form outside the information systems used by the Enterprise and databases specially designated by the Enterprise (non-systemic storage of personal data) is not permitted.
6.3.4. Personal data must be stored in a form that allows identification of the subject of personal data, but no longer than required by the purposes of their processing, unless another period is established by the legislation of the Republic of Belarus or an agreement to which the subject of personal data is a party, beneficiary or guarantor.
6.3.5. Unless otherwise provided by law, processed personal data are subject to destruction or depersonalization upon achievement of the processing purposes, in the event of loss of the need to achieve these purposes, or upon expiration of their storage periods.
6.3.6. Destruction or depersonalization of personal data must be carried out in a manner that excludes further processing of these personal data. At the same time, if necessary, the possibility of processing other data recorded on the appropriate tangible medium must be preserved.
6.4. Use.
6.4.1. Personal data shall be processed and used for the purposes specified in paragraph 5.1 of the Regulation.
6.4.2. Access to personal data shall be granted only to those employees of the Enterprise whose job responsibilities involve working with personal data, and only for the period necessary to work with the relevant data. The list of such persons shall be determined by the Enterprise.
6.4.3. If it becomes necessary to provide access to personal data to employees who are not included in the list of persons with access to personal data, they may be granted temporary access to a limited range of personal data by order of the director or another person authorized to do so by the director. The relevant employees must be familiarized with all local legal acts of the Enterprise in the field of personal data and must also sign an obligation of non-disclosure of personal data.
6.5. Transfer.
6.5.1. The transfer of personal data of subjects to third parties is permitted in the minimum necessary volumes and only for the purpose of performing tasks corresponding to the objective reason for collecting this data.
6.5.2. Transfer of personal data to third parties, including for commercial purposes, is permitted only with the consent of the subject or other legal basis.
6.5.3. Transfer of information containing personal data must be carried out in a manner that ensures protection against unauthorized access, destruction, modification, blocking, copying, distribution, as well as other illegal actions in relation to such information.
6.5.4. Cross-border transfer of personal data is prohibited if the territory of a foreign state does not ensure an adequate level of protection of the rights of personal data subjects, except in cases where:
the consent of the personal data subject has been given, provided that the personal data subject has been informed of the risks arising from the lack of an adequate level of protection;
the personal data have been obtained on the basis of an agreement concluded (being concluded) with the personal data subject, for the purpose of performing the actions established by this agreement;
personal data may be obtained by any person by sending a request in the cases and in the manner stipulated by law;
such transfer is necessary to protect the life, health or other vital interests of the personal data subject or other persons, if it is impossible to obtain the consent of the personal data subject;
the processing of personal data is carried out within the framework of the implementation of international treaties of the Republic of Belarus;
such transfer is carried out by the financial monitoring body for the purpose of taking measures to prevent the legalization of proceeds from crime, the financing of terrorist activities and the financing of the proliferation of weapons of mass destruction in accordance with the law;
the relevant permission has been obtained from the authorized body for the protection of the rights of personal data subjects.
6.5.5. Persons receiving personal data must be warned that these data can only be used for the purposes for which they were communicated and in compliance with the confidentiality regime. The Enterprise has the right to require these persons to confirm that this rule has been observed.
6.5.6. In cases where government agencies have the right to request personal data or personal data must be provided by law, as well as in accordance with a court request, the relevant information may be provided to them in the manner prescribed by the current legislation of the Republic of Belarus.
6.5.7. All incoming requests must be forwarded to the person responsible for organizing the processing of personal data at the Enterprise for preliminary consideration and approval.
6.6. Processing order.
6.6.1. The Enterprise has the right to entrust the processing of personal data to an authorized person.
6.6.2. The agreement between the Operator and the authorized person, the legislative act or the decision of the state body must define:
the purposes of personal data processing;
the list of actions that will be performed with personal data by the authorized person;
obligations to maintain the confidentiality of personal data;
measures to ensure the protection of personal data in accordance with Art. 17 of the Law on the Protection of Personal Data.
6.6.3. The authorized person is not required to obtain the consent of the personal data subject. If the processing of personal data on behalf of the Operator requires the consent of the personal data subject, such consent is obtained by the Operator.
6.6.4. If the Operator entrusts the processing of personal data to an authorized person, the Operator shall be liable to the personal data subject for the actions of the said person. The authorized person shall be liable to the Operator.
6.7. Protection.
6.7.1. The protection of personal data shall mean a number of legal, organizational and technical measures aimed at:
a) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other illegal actions in relation to such information;
b) maintaining the confidentiality of restricted information;
c) exercising the right to access information.
6.7.2. In order to protect personal data, the Company shall take the necessary measures provided for by law (including, but not limited to):
a) limit and regulate the composition of employees whose functional duties require access to information containing personal data (including through the use of passwords for access to electronic information resources);
b) ensure conditions for storing documents containing personal data in restricted access;
c) organize the procedure for the destruction of information containing personal data, unless the legislation establishes requirements for storing the relevant data;
d) monitor compliance with the requirements for ensuring the security of personal data, including those established by this Regulation (by conducting internal audits, installing special monitoring tools, etc.);
e) investigate cases of unauthorized access or disclosure of personal data, holding the guilty employees accountable and taking other measures;
f) implement software and hardware to protect information in electronic form.
6.7.3. The Enterprise shall take other measures aimed at ensuring the fulfillment by the Enterprise of its obligations in the field of personal data stipulated by the current legislation of the Republic of Belarus.
CHAPTER 7
RIGHTS AND RESPONSIBILITIES OF PERSONAL DATA SUBJECTS
7.1. The personal data subject has the right to:
a) revoke his consent at any time without explanation by submitting an application to the Operator in the manner prescribed by Article 14 of the Law on the Protection of Personal Data, or in the form by which his consent was obtained;
b) receive information regarding the processing of their personal data, containing:
the name (last name, first name, patronymic (if any)) and location (address of place of residence (place of stay)) of the Operator;
confirmation of the fact of processing of personal data by the Operator (authorized person);
his personal data and the source of their receipt;
legal grounds and purposes of processing of personal data;
the term for which his consent is given;
the name and location of the authorized person, who is a government agency, a legal entity of the Republic of Belarus, another organization, if the processing of personal data is entrusted to such person;
other information stipulated by law;
c) demand that the Operator make changes to his personal data if the personal data is incomplete, outdated or inaccurate. For these purposes, the subject of personal data submits to the Operator an application in the manner prescribed by Article 14 of the Law on the Protection of Personal Data, with the relevant documents attached and (or) their copies certified in the prescribed manner, confirming the need to make changes to the personal data;
d) receive information from the Operator about the provision of their personal data to third parties once per calendar year free of charge, unless otherwise provided by the Law on the Protection of Personal Data and other legislative acts. To obtain the specified information, the personal data subject submits an application to the Operator. The application of the personal data subject must contain:
last name, first name, patronymic (if any) of the personal data subject, address of his/her place of residence (place of stay);
date of birth of the personal data subject;
identification number of the personal data subject, in the absence of such number - the number of the identity document of the personal data subject, in the event that this information was specified by the personal data subject when giving his consent to the Operator or the personal data is processed without the consent of the personal data subject;
statement of the essence of the personal data subject's demands;
personal signature or electronic digital signature of the personal data subject;
e) demand that the Operator stop processing his personal data free of charge, including their deletion, in the absence of grounds for processing personal data stipulated by the Law on the Protection of Personal Data and other legislative acts. To exercise this right, the personal data subject shall submit an application to the Operator in the manner prescribed by the Law on the Protection of Personal Data;
f) appeal the actions (inaction) and decisions of the Operator that violate his rights when processing personal data, to the authorized body for the protection of the rights of personal data subjects in the manner prescribed by the legislation on appeals of citizens and legal entities.
7.2. The personal data subject is obliged to:
a) provide the Enterprise with reliable personal data;
b) promptly inform the Enterprise of changes and additions to his personal data;
c) exercise their rights in accordance with the legislation of the Republic of Belarus and local legal acts of the Enterprise in the field of processing and protection of personal data;
d) fulfill other obligations stipulated by the legislation of the Republic of Belarus and local legal acts of the Enterprise in the field of processing and protection of personal data.
CHAPTER 8
RIGHTS AND RESPONSIBILITIES OF THE ENTERPRISE
8.1. The Enterprise has the right to:
a) establish rules for processing personal data at the Enterprise, make changes and additions to this Regulation, independently, within the framework of the requirements of the legislation, develop and apply forms of documents necessary for the performance of the duties of the Operator;
b) exercise other rights stipulated by the legislation of the Republic of Belarus and local legal acts of the Enterprise in the field of processing and protection of personal data.