Personal Data Processing Policy
- GENERAL PROVISIONS
- This POLICY of the administration of the FEZ "Vitebsk" regarding the processing of personal data (hereinafter referred to as the Policy) has been developed in compliance with the requirements of paragraph 3 of clause 3 of Article 17 of the Law of May 7, 2021 No. 99-Z "On the Protection of Personal Data" (hereinafter referred to as the Law on the Protection of Personal Data) in order to ensure the protection of the rights and freedoms of a person and citizen when processing his personal data, including the protection of the rights to privacy, personal and family secrets.
- The Policy applies to all personal data processed by the administration of the FEZ "Vitebsk" (hereinafter referred to as the Administration, the Operator). The requirements of this Policy are mandatory for all employees of the Administration who have received access to personal data in the prescribed manner.
- When making changes to legislative acts, as well as in the event of the adoption of other regulatory legal acts on issues regulated by this Policy, it is necessary to be guided by such changes, other regulatory legal acts until the relevant changes are made to the Policy.
- The Policy has been drawn up in accordance with the legislation of the Republic of Belarus and defines the principles, goals, conditions and methods of processing personal data, the list of personal data subjects and processed personal data, the functions of the Administration in processing personal data, the rights of personal data subjects, as well as the requirements for the protection of personal data implemented in the Administration.
- The provisions of this Policy serve as the basis for the development of local legal acts regulating the issues of processing, protection, and ensuring the confidentiality of personal data in the Administration. In the event of a change in the names of the structural divisions of the Administration that carry out actions in accordance with this Policy, the requirements for the processing of personal data established by the Policy shall be implemented by the relevant structural divisions of the Administration until changes are made to this Policy.
- The policy is determined in accordance with the following regulatory legal acts:
- Constitution of the Republic of Belarus;
- Labor Code of the Republic of Belarus;
- Law on the Protection of Personal Data;
- Law of the Republic of Belarus of July 21, 2008 No. 418-Z "On the Population Register";
- Law of the Republic of Belarus of November 10, 2008 No. 455-Z "On Information, Informatization and Information Protection";
- Charter of the Administration;
- other regulatory legal acts of the Republic of Belarus and regulatory documents of authorized state authorities.
- MAIN TERMS AND DEFINITIONS
- Operator - a person who, independently or jointly with other persons, organizes and (or) carries out the processing of personal data, and determines the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
- Personal data - any information related to an identified individual or an individual who can be identified.
- Subject of personal data - an individual whose personal data is processed.
- Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state.
- Processing of personal data - any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data. Processing of personal data includes, among other things:
- collection;
- recording;
- systematization;
- accumulation;
- storage;
- clarification (update, change);
- retrieval;
- transfer (dissemination, provision, access);
- use;
- depersonalization;
- blocking;
- deletion;
- destruction.
- Provision of personal data - actions aimed at disclosing personal data to a specific person or a specific group of persons.
- Dissemination of personal data - actions aimed at familiarizing an indefinite group of persons with personal data.
- Protection of personal data - a set of measures (organizational, administrative, technical, legal) aimed at protecting against unauthorized or accidental access to personal data, destruction, modification, blocking, copying, distribution, as well as other illegal actions.
- Biometric personal data - information characterizing the physiological and biological characteristics of a person, which is used for his unique identification (fingerprints, palms, iris, facial characteristics and its image, etc.).
- Genetic personal data - information related to the inherited or acquired genetic characteristics of a person, which contains unique data on his physiology or health and can be revealed, in particular, during the examination of his biological sample.
- Special personal data - personal data concerning racial or national affiliation, political views, membership in trade unions, religious or other beliefs, health or sex life, administrative or criminal liability, as well as biometric and genetic personal data.
- Publicly available personal data - personal data disseminated by the subject of personal data himself or with his consent or disseminated in accordance with the requirements of legislative acts.
- Automated processing of personal data - processing of personal data using computer technology (automation).
- Information - data (messages, data) regardless of the form of their presentation.
- Candidate - an individual applying for a vacant position in the administration of the FEZ "Vitebsk".
- Counterparty - an individual or legal entity, including an individual entrepreneur, acting as one of the parties to the transaction.
- Authorized person - a government agency, a legal entity of the Republic of Belarus, another organization, or an individual who, in accordance with a legislative act, a decision of a government agency that is an operator, or on the basis of an agreement with the operator, processes personal data on behalf of the operator or in its interests.
- Authorized body - the National Center for Personal Data Protection of the Republic of Belarus.
- An identifiable individual - an individual who can be directly or indirectly identified, in particular by his/her surname, first name, patronymic, date of birth, identification number or by one or more features specific to his/her physical, psychological, mental, economic, cultural or social identity.
- SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA
- The content and scope of processed personal data must correspond to the stated purposes of processing, provided for in Section 4 of the Policy. The processed personal data must not be excessive in relation to the stated purposes of their processing.
- The Administration may process the listed personal data of the following categories of personal data subjects:
- Job candidates:
- first name, last name, patronymic (when applicable);
- gender;
- citizenship;
- date and place of birth;
- contact information;
- information about education, work experience, qualifications;
- military registration documents;
- reference from the previous place of work;
- health certificate;
- other personal data provided by candidates in their resumes and cover letters and in other ways.
- Employees and former employees of the Administration:
- first name, last name, patronymic (when applicable);
- gender;
- citizenship;
- date and place of birth;
- image (photograph);
- passport details;
- registered address of residence;
- actual address of residence;
- contact details;
- individual taxpayer identification number;
- information on education, qualifications, professional training and advanced training;
- marital status, children, family ties;
- information on work experience, including prior incentives, awards and (or) disciplinary sanctions;
- information on marriage registration;
- information on military registration;
- information on disability;
- information on alimony withholding;
- information on income from the previous place of work;
- information on wages and deductions;
- other personal data provided by employees in accordance with the requirements of labor legislation.
- Family members of the Administration employees:
- first name, last name, patronymic (when applicable);
- degree of kinship;
- year of birth;
- other personal data provided by employees in accordance with the requirements of labor legislation.
- Counterparties (individuals) of the Administration:
- first name, last name, patronymic (when applicable);
- date and place of birth;
- passport details;
- address of registration at the place of residence;
- contact details;
- individual taxpayer identification number;
- bank account number;
- other personal data provided by counterparties (individuals) necessary for the conclusion and execution of contracts.
- Representatives (employees) of the Operator's counterparties (legal entities):
- first name, last name, patronymic (when applicable);
- passport details;
- contact details;
- position held;
- other personal data provided by representatives (employees) of clients and counterparties, necessary for the conclusion and execution of contracts.
- The Operator processes biometric personal data in accordance with the legislation of the Republic of Belarus.
- The Administration does not process special personal data related to race, nationality, political views, religious or philosophical beliefs, health status, intimate life, except for cases stipulated by the legislation of the Republic of Belarus.
- PRINCIPLES AND PURPOSE OF PERSONAL DATA PROCESSING
- The processing of personal data in the Administration is carried out taking into account the need to ensure the protection of the rights and freedoms of the Administration's employees, its contractors and other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
- personal data is processed on a legal and fair basis;
- personal data is processed in proportion to the stated purposes of their processing and ensures a fair balance of interests of all interested parties at all stages of such processing;
- personal data is processed with the consent of the subject of personal data, except for cases stipulated by legislative acts;
- the processing of personal data is limited to the achievement of specific, pre-declared legitimate purposes. Processing of personal data that is incompatible with the originally stated purposes of their processing is not permitted;
- the content and scope of the personal data being processed correspond to the stated purposes of their processing. The personal data being processed are not excessive in relation to the stated purposes of their processing;
- the processing of personal data is transparent. The subject of personal data is provided with relevant information regarding the processing of his personal data in the manner and under the conditions established by the Law on the Protection of Personal Data;
- the necessary and sufficient measures are taken to protect personal data from illegal (unauthorized or accidental) access to them, modification, blocking, copying, distribution, provision, deletion, as well as from other illegal actions;
- the storage of personal data in a form that allows identification of the subject of personal data is ensured for no longer than required by the stated purposes of their processing;
- when processing personal data, the accuracy of personal data, their sufficiency, and, where necessary, relevance in relation to the purposes of processing personal data are ensured;
- the processed personal data are destroyed or anonymized upon achievement of the processing purposes or in the event of loss of need to achieve these purposes, unless otherwise provided by the Law on the Protection of Personal Data.
- Personal data are processed in the Administration for the following purposes:
- regulation of labor relations with candidates and employees of the Operator (assistance in employment, training, maintaining a personnel reserve, attracting and selecting candidates for work in the Administration, ensuring personal safety, monitoring the quantity and quality of work performed, ensuring the safety of property and material assets);
- organizing the registration of employees for individual (personalized) records in the compulsory pension insurance system;
- implementation of civil law relations;
- implementation of the functions, powers and duties imposed on the Administration by the legislation of the Republic of Belarus, including the provision of personal data to the Ministry of Labor and Social Protection, the Social Protection Fund, as well as other government agencies;
- provision of additional guarantees and compensation to employees of the Administration;
- protection of life, health or other vital interests of personal data subjects;
- ensuring access and internal facility regimes at the Administration's facilities;
- consolidation of reference materials for internal and external information support for the activities of the Administration;
- implementation of the rights and legitimate interests of the Administration within the framework of the implementation of types of activities stipulated by the Charter and other local legal acts of the Administration, or the achievement of socially significant goals;
- identification of conflicts of interest;
- execution of judicial acts, acts of state bodies and other organizations, as well as officials, subject to execution in accordance with the legislation on enforcement proceedings;
- for other purposes arising from the requirements of the legislation.
- LIST OF SUBJECTS WHOSE PERSONAL DATA IS PROCESSED BY THE ADMINISTRATION
The Administration processes personal data of the following categories of personal data subjects:
- employees of the Administration, including those who have resigned, their close relatives (in-laws);
- counterparties of the Administration;
- candidates;
- individuals with whom the Administration has concluded (plans to conclude) civil law contracts;
- individuals whose personal data they have made publicly available, and their processing does not violate their rights and legitimate interests and meets the requirements established by law;
- other individuals who have expressed consent to the processing of their personal data by the Administration, or individuals whose personal data processing is necessary for the Administration to achieve the goals stipulated by law;
- individuals who have submitted (are submitting) an application;
- individuals who have applied (are applying) for the implementation of an administrative procedure;
- other subjects of personal data, the processing of whose personal data by the Administration is provided for in accordance with the legislation and local legal acts (hereinafter referred to as LLA), taking into account the purposes of processing personal data specified in Section 4 of this Policy.
- MAIN FUNCTIONS AND RIGHTS OF THE PERSON RESPONSIBLE FOR IMPLEMENTING INTERNAL CONTROL OVER PERSONAL DATA PROCESSING
- The organization of work on implementing internal control over the processing of personal data is assigned to the head of the legal department.
- The organization of work on implementing internal control over the processing of personal data includes:
- developing, together with interested structural divisions of the Administration, LLA on issues of personal data protection;
- monitoring compliance in the structural divisions of the Administration with the requirements of legislation and LLA in the field of personal data protection, as well as monitoring the presence in the said divisions of conditions that ensure the safety of personal data and exclude unauthorized access to them;
- familiarizing the Administration employees and other persons directly involved in the processing of personal data with the norms of legislation and LLA in the field of personal data protection, including the requirements for the protection of personal data, and training of the said employees.
- The person responsible for the implementation of internal control over the processing of personal data has the right to:
- request and receive, in the established manner, from the structural divisions and employees of the Administration information and materials necessary for the proper performance of the functions defined by this Policy and other LLA in the field of personal data protection;
- submit for consideration by authorized persons of the Administration proposals aimed at eliminating the causes and conditions that contribute to the commission of violations of legislation and LLA in the field of personal data protection;
- participate in events held in the structural divisions of the Administration on issues related to ensuring the protection of personal data;
- require that the structural divisions and officials of the Administration take the necessary measures to comply with the requirements of legislation and LLA in the field of personal data protection, within their competence;
- involve employees of the Administration with the necessary knowledge and competence in technical or other areas, in training employees of the Administration and other persons directly involved in the processing of personal data;
- submit, in accordance with the established procedure, proposals on bringing to disciplinary responsibility employees who violate the requirements of legislation and local legal acts in the field of personal data protection;
- perform other duties stipulated by local legal acts and organizational and administrative documents of the Administration.
- CONDITIONS AND METHODS OF PROCESSING PERSONAL DATA
- Personal data in the Administration are processed with the consent of the subject of personal data to the processing of his personal data, unless otherwise provided by legislation in the field of personal data protection.
- The Administration does not disclose to third parties or distribute personal data without the consent of the subject of personal data, unless otherwise provided by law.
- The Administration has the right to entrust the processing of personal data on its behalf or in its interests to an authorized person on the basis of an agreement concluded with this person.
The agreement must include:
- purpose of processing personal data;
- a list of actions that will be performed with personal data by an authorized person;
- obligations to maintain the confidentiality of personal data;
- measures to ensure the protection of personal data in accordance with Article 17 of the Law on the Protection of Personal Data.
- Personal data in the Administration are processed, as a rule, using automation tools. Processing of personal data in the established manner is permitted without the use of automation tools, if this ensures the search for personal data and (or) access to them according to certain criteria (log, list, etc.).
- Access to personal data processed by the Administration is permitted only to employees authorized to work with personal data.
- BASIC RIGHTS AND RESPONSIBILITIES OF PERSONAL DATA SUBJECTS

| Subjects of personal data | Operator's Obligations |
| --- | --- |
| Has the right to revoke their consent at any time without giving reasons by submitting an application to the Administration in the form by which the consent was obtained. | Must stop processing personal data, delete them and notify the subject of personal data about it within 15 days after receiving the application of the subject of personal data in accordance with its content. If it is not technically possible to delete personal data, the party is obliged to take measures to prevent further processing of personal data, including blocking them, and notify the subject of personal data of this within the same period. |
| Have the right to receive information regarding the processing of their personal data, containing the name and location of the Administration, confirmation of the fact of processing of personal data by the Administration, their personal data and the source of their receipt, the legal grounds and purposes of processing personal data, the period for which their consent is given. | Obliged to provide the subject of personal data with information in an accessible form or notify him of the reasons for refusing to provide it within 5 working days after receiving the relevant application. |
| The right to demand that the Administration make changes to their personal data if the personal data is incomplete, outdated or inaccurate. | Obliged to make the appropriate changes to the personal data of the subject of personal data within 15 days after receiving the application and notify the subject of personal data of this or notify him of the reasons for refusing to make such changes. |
| Have the right to receive information from the Administration about the provision of their personal data to third parties once per calendar year free of charge. | Obliged, within 15 days after receiving the application from the subject of personal data, to provide him with information about what personal data of this subject and to whom were provided during the year preceding the date of filing the application, or to notify the subject of personal data of the reasons for refusing to provide it. |
| Have the right to demand that the Administration stop processing their personal data free of charge, including their deletion, if there are no grounds for processing personal data. | Obliged to stop processing personal data within 15 days after receiving the application from the subject of personal data, as well as to delete them (ensure that the processing of personal data is stopped, as well as their deletion by an authorized person) and notify the subject of personal data of this. |
| Have the right to appeal the actions (inaction) and decisions of the Administration that violate their rights when processing personal data to the authorized body for the protection of the rights of personal data subjects. | |

- MEASURES APPLIED TO PROTECT PERSONAL DATA OF SUBJECTS
- The Administration takes the necessary and sufficient legal, organizational and technical measures to protect the personal data of subjects from unauthorized or accidental access to them, destruction, modification, blocking, copying, distribution, as well as from other illegal actions.
- The legal measures taken by the Administration include:
- development and application of regulatory documents on the processing and protection of personal data in the Administration;
- inclusion in agreements concluded by the Administration with counterparties of requirements for maintaining confidentiality and ensuring the security of personal data of subjects during their processing;
- publication of internal documents on the processing of personal data, as well as local legal acts that establish procedures aimed at preventing and identifying violations when working with personal data, eliminating the consequences of such violations.
- The organizational measures taken by the Operator include:
- familiarization of the Administration employees with the requirements of the legislation of the Republic of Belarus and LLA in the field of working with personal data;
- application of organizational and technical measures to ensure the security of personal data during their processing, necessary to meet the requirements for the protection of personal data;
- implementation of internal control over compliance by the Administration employees working with personal data of subjects with the requirements of the legislation of the Republic of Belarus and LLA, as well as control over the measures taken to ensure the security of personal data;
- ensuring the registration and accounting of all actions performed with personal data processed using computer devices;
- implementation of delimitation and restriction of employee access to documents, information resources, technical means and information carriers, information systems and work related to their use;
- regular monitoring of the security of personal data, improvement of the system of their protection;
- organizing training and conducting methodological work with employees of the structural divisions of the Administration that process personal data;
- obtaining consent from personal data subjects for the processing of their personal data, except for cases stipulated by the legislation of the Republic of Belarus, when such consent is not required;
- separation of personal data processed without the use of automation tools from other information, in particular, by recording them on separate tangible personal data carriers;
- ensuring separate storage of personal data and their tangible media, the processing of which is carried out for different purposes and which contain different categories of personal data;
- ensuring the security of personal data when transmitted over open communication channels;
- storage of tangible media of personal data in compliance with conditions that ensure the safety of personal data and prevent unauthorized access to them;
- appointment of persons responsible for organizing the processing of personal data in the Administration;
- notification in the established manner to subjects of personal data or their representatives of information about the availability of personal data related to the relevant subjects, providing the opportunity to become familiar with this personal data upon request and (or) receipt of requests from the said subjects of personal data or their representatives, unless otherwise established by the legislation of the Republic of Belarus;
- termination of processing and destruction of personal data in cases stipulated by the legislation of the Republic of Belarus in the field of personal data;
- performance of other actions stipulated by the legislation of the Republic of Belarus in the field of personal data.
- CONTROL OVER COMPLIANCE WITH LEGISLATION AND LOCAL LEGAL ACTS OF THE ADMINISTRATION OF THE FEZ "VITEBSK" IN THE FIELD OF PERSONAL DATA. LIABILITY
- Control over compliance by structural divisions and employees of the Administration with legislation and LLA when processing personal data is carried out in order to assess the compliance of the personal data processing process in the Administration with legislation and LLA, as well as the completeness of the measures taken aimed at preventing and promptly identifying violations of legislation when processing personal data, possible leakage channels and unauthorized access to personal data, and eliminating the consequences of such violations.
- Internal control over compliance by employees and structural divisions of the Administration with the legislation of the Republic of Belarus and LLA in the field of personal data, including requirements for the protection of personal data, is carried out by an appointed person.
- Personal responsibility for compliance with the requirements of the legislation of the Republic of Belarus and LLA in the field of personal data of employees of the Administration is assigned to persons appointed by the order of the head of the administration.
- For violation of the law and LLA when processing personal data, the employees of the Administration, through whose fault such violation occurred, depending on the nature and extent of the violation, may be brought to disciplinary, administrative or criminal liability.
- Moral damage caused to the subject of personal data due to the violation of his rights, violation of the rules for processing personal data established by the legislation of the Republic of Belarus and the LLA of the Administration in the field of personal data, as well as the requirements for the protection of personal data, is subject to compensation in accordance with the legislation of the Republic of Belarus. Compensation for moral damage is carried out regardless of compensation for property damage and losses incurred by the subject of personal data.