This Regulation on processing and protection of personal data (hereinafter - the Regulation) defines the policy of the open joint-stock company "Brest regional base "Bakaleya" (hereinafter - the Company) in relation to the processing of personal data, including the procedure of processing by the Company of personal data of persons who are not its employees, including the procedure of collection, storage, use, transfer and protection of personal data.
1.2 The procedure for handling personal data is aimed at ensuring the rights and freedoms of citizens in the processing of personal data, maintaining the confidentiality of personal data and their protection.
1.3 The Regulations and amendments thereto shall be approved by the General Director of the Company.
1.4 The Regulation is a local legal act of the Company, mandatory for observance and fulfillment by employees, as well as other persons involved in personal data processing in accordance with this Regulation.
1.5 The Regulation is developed on the basis of and in fulfillment of:
a) the Constitution of the Republic of Belarus;
b) the Labor Code of the Republic of Belarus;
c) the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28.01.1981;
d) the Charter of Fundamental Rights of the European Union of 12.12.2007;
e) the Law of the Republic of Belarus of 07.05.2021 N 99-З "On personal data protection" (hereinafter - the Law on personal data protection);
f) the Law of the Republic of Belarus of 21.07.2008 N 418-З "On the Population Register";
g) the Law of the Republic of Belarus dated 10.11.2008 N 455-З "On Information, Informatization and Protection of Information";
h) other normative legal acts of the Republic of Belarus.
2.1 The following basic concepts and terms shall be used in these Regulations:
a) Company or Operator - Open Joint Stock Company "Brest Regional Bakaleya Base", located at the address: 100 Ya.Kupala St., Brest, 224020;
b) personal data - any information related to an identified natural person or a natural person who can be identified;
c) special personal data - data concerning racial or national origin, political opinions, trade union membership, health or sex life, religious beliefs, as well as biometric and genetic personal data;
d) biometric personal data - information characterizing physiological and biological features of a person (fingerprints, palm prints, facial characteristics, etc.);
e) genetic personal data - information related to inherited or acquired genetic characteristics of a person, which contains unique data of a person about his/her physiology or health and can be detected during the examination of his/her biological sample;
f) personal data subject - a natural person to whom the personal data processed by the Organization relate, including a natural person who is not an employee of the Organization to whom the personal data processed by the Organization relate;
g) processing of personal data - any action or set of actions performed with personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data;
h) processing of personal data with the use of automation means - processing of personal data by means of computer equipment, and such processing cannot be recognized as being carried out exclusively with the use of automation means only on the grounds that the personal data are contained in the personal data information system or have been extracted from it;
i) processing of personal data without the use of automation means - actions with personal data, such as use, clarification, dissemination, destruction, carried out with the direct participation of a human being, if the search of personal data and (or) access to them according to certain criteria (card indexes, lists, databases, journals, etc.) is ensured;
j) dissemination of personal data - actions aimed at familiarization with personal data of an indefinite number of persons;
k) provision of personal data - actions aimed at familiarization with personal data of a certain person or circle of persons;
m) blocking of personal data - termination of access to personal data without deleting them;
n) deletion of personal data - actions, as a result of which it becomes impossible to restore personal data in information resources (systems) containing personal data, and (or) as a result of which material carriers of personal data are destroyed;
o) depersonalization of personal data - actions as a result of which it becomes impossible to determine, without the use of additional information, the belonging of personal data to a particular subject of personal data;
p) trans-border transfer of personal data - transfer of personal data to the territory of a foreign state;
p) identifiable natural person - a natural person who can be directly or indirectly identified, in particular through his/her surname, proper name, patronymic, date of birth, identification number or through one or more features characteristic of his/her physical, psychological, mental, economic, cultural or social identity.
3.1 The Company processes personal data of the following categories of subjects:
4.1 The content and scope of personal data of each category of subjects is determined by the need to achieve specific purposes of their processing, as well as the need for the Company to realize its rights and obligations, as well as the rights and obligations of the respective subject.
4.2 Personal data of employees' relatives include:
surname, first name, patronymic;
date of birth
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
information on marital status and family composition with indication of surnames, names and patronymics of family members, date of birth, place of work and/or study;
information on registration at the place of residence (including address, date of registration);
information on the place of actual residence;
number and series of the state social insurance certificate;
information of medical nature (in cases stipulated by the legislation);
information on social benefits and payments;
contact information (including numbers of work, home and/or cell phone, e-mail, etc.).
4.3 Personal data of job candidates shall include:
surname, first name, patronymic (as well as all previous surnames);
date and place of birth;
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
birth certificate data (number, date of issue, name of issuing authority, etc.) (if necessary);
gender;
information on marital status and family composition, including surnames, names and patronymics of family members, date of birth, place of work and/or study;
information on registration at the place of residence (including address, date of registration);
information on the place of actual residence;
number and series of the state social insurance certificate;
data on education, advanced training and professional retraining, academic degree, academic rank;
information on labor activity (including length of service and work experience, data on employment with indication of position, subdivision, information on employer, etc.);
specialty, profession, qualification;
information on military registration;
information of medical nature (in cases stipulated by the legislation);
4.4. Personal data of employees and other representatives of the Company shall include:
surname, first name, patronymic (as well as all previous surnames);
date of birth
citizenship;
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
data of visas and other migration registration documents;
gender;
data on the place of stay;
biometric personal data (including photographs, images from video surveillance cameras, voice recordings);
information on social benefits and payments;
contact data (including work and/or cell phone numbers, e-mail, etc.);
other data necessary for the fulfillment of mutual rights and obligations.
4.5 Personal data of employees and other representatives of counterparties - legal entities shall include:
surname, first name, patronymic;
passport data or data of other identity document (series, number, date of issue, name of the issuing authority, etc.);
information on registration at the place of residence (including address, date of registration);
contact information (including work, home and/or cell phone numbers, e-mail, etc.);
position;
other data required for the fulfillment of mutual rights and obligations between the Company and the counterparty.
4.6 Personal data of counterparties - natural persons include:
surname, first name, patronymic;
citizenship;
passport data or data of other identity document (series, number, date of issue, name of the issuing authority, etc.);
information on registration at the place of residence (including address, date of registration);
number and series of the state social insurance certificate;
data on education, advanced training and professional retraining, academic degree, academic rank;
bank account details;
taxpayer identification number;
specialty, profession, qualification;
contact information (including home and/or cell phone numbers, e-mail, etc.);
data of the certificate of registration of ownership rights;
other data necessary for the fulfillment of mutual rights and obligations between the Company and the counterparty.
4.7 Personal data of other subjects include:
surname, first name, patronymic;
contact data (including home and/or cell phone numbers, e-mail, etc.);
passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
gender;
information on registration at the place of residence (including address, date of registration);
number and series of the state social insurance certificate;
data on education, advanced training and professional retraining, academic degree, academic rank;
bank account details;
taxpayer identification number;
specialty, profession, qualification;
other data necessary for the fulfillment of mutual rights and obligations between the Company and the counterparty.
5.1 The processing of personal data of subjects is based on the following principles:
a) processing of personal data shall be carried out in accordance with the Law on personal data protection and other legislative acts;
b) the processing of personal data shall be proportionate to the stated purposes of their processing and ensure, at all stages of such processing, a fair balance between the interests of all interested parties;
c) processing of personal data shall be carried out with the consent of the personal data subject, except in cases provided for by the Law on personal data protection and other legislative acts;
d) processing of personal data shall be limited to the achievement of specific, previously declared legitimate purposes. Processing of personal data incompatible with the originally stated purposes of their processing is not allowed;
e) the content and scope of processed personal data shall correspond to the declared purposes of their processing. The processed personal data shall not be redundant in relation to the stated purposes of their processing;
f) the processing of personal data shall be transparent. To this end, the personal data subject shall be provided with relevant information regarding the processing of his/her personal data in cases stipulated by the Law on personal data protection;
g) the Operator shall be obliged to take measures to ensure the reliability of personal data processed by it, updating them if necessary;
h) storage of personal data shall be carried out in a form that allows to identify the personal data subject, not longer than required by the stated purposes of personal data processing.
6.1 Processing of personal data of personal data subjects shall be carried out for the following purposes:
implementation and fulfillment of functions, powers and duties assigned to the Company by the legislation of the Republic of Belarus and international treaties of the Republic of Belarus;
provision of benefits and compensations to the relatives of employees
identifying conflicts of interest
consideration of employment opportunities for candidates;
maintaining personnel records and the personnel reserve;
screening of candidates (including their qualifications and work experience);
organizing and supporting business trips;
organizing events and ensuring participation of personal data subjects in them;
ensuring security, preservation of material values and prevention of offenses;
issuing powers of attorney and other authorizing documents;
negotiating, concluding and executing contracts
counterparty verification;
advertising and promotion of products, including presentation of information about the Company's products;
processing of appeals with claims and information on the safety of goods;
processing of appeals about negative phenomena and side effects;
fulfillment of the duty of a tax agent;
other purposes aimed at ensuring compliance with labor contracts, laws and other regulatory legal acts.
6.2 Personal data is processed solely for the achievement of one or more of the legitimate purposes specified. If personal data has been collected and processed to achieve a specific purpose, in order to use this data for other purposes, it is necessary to notify the personal data subject and, if necessary, obtain a new consent for processing.
6.3 Personal data may be processed for other purposes if this is necessary in connection with ensuring compliance with the law.
7.1 General rules.
7.1.1 Processing of personal data is carried out through mixed (both with the use of automation means and without the use of automation means) processing, including the use of internal network and Internet.
7.1.2 In cases established by the legislation of the Republic of Belarus, the main condition for personal data processing is to obtain the consent of the respective personal data subject, including in writing.
7.1.3 The written consent of the personal data subject to the processing of his/her personal data shall include:
a) surname, proper name, patronymic (if any);
b) date of birth;
c) identification number, and in case of absence of such number - number of his/her identity document;
d) signature of the personal data subject. If the purposes of personal data processing do not require processing of information, this information shall not be processed by the Operator upon obtaining the consent of the personal data subject.
7.1.4 The consent of the personal data subject to the processing of his/her personal data, except for special personal data, is not required in the following cases:
7.1.5 Processing of special personal data without the consent of the personal data subject is prohibited, except for the following cases:
7.2 Collection of personal data.
7.2.1 The source of information on all personal data is the subject of personal data directly.
7.2.2 Unless otherwise provided by the Law on Personal Data Protection, the Company shall be entitled to receive personal data of the subject of personal data from third parties only upon notification of the subject thereof, or in the presence of the subject's written consent to receive his/her personal data from third parties.
7.2.3 Notification of the subject of personal data on receipt of his/her personal data from third parties shall contain:
a) the name of the Operator and the address of its location;
b) the purpose of personal data processing and its legal basis;
c) the intended users of personal data;
d) the rights of the personal data subject established by law;
e) the source of obtaining personal data.
7.3 Storage of personal data.
7.3.1 When storing personal data, conditions ensuring the safety of personal data shall be observed.
7.3.2 Documents including personal data contained on paper media shall be kept in specially designated places with limited access under conditions that ensure their protection from unauthorized access. The list of document storage locations shall be determined by the Company.
7.3.3 Personal data stored in electronic form shall be protected from unauthorized access by means of special technical and software protection means. Storage of personal data in electronic form outside the information systems used by the Company and databases specially designated by the Company (off-system storage of personal data) is not allowed.
7.3.4 The personal data shall be stored in a form that allows to identify the subject of personal data, but not longer than required by the purposes of their processing, unless another period is established by the legislation of the Republic of Belarus.
7.3.5 Unless otherwise provided for by the legislation, processed personal data shall be destroyed or depersonalized upon achievement of the processing purposes, in case of loss of necessity to achieve these purposes or upon expiration of their storage period.
7.3.6 Destruction or depersonalization of personal data shall be performed in a way that excludes further processing of such personal data. At the same time, if necessary, the possibility of processing other data recorded on the corresponding material medium (deletion) should be preserved.
7.3.7 If it is necessary to destroy or block a part of personal data, the material medium shall be destroyed or blocked with preliminary copying of data not subject to destruction or blocking in a way that excludes simultaneous copying of personal data subject to destruction or blocking.
7.3.8 If it is necessary to destroy or block a part of personal data, the tangible medium shall be destroyed or blocked with preliminary copying of information not subject to destruction or blocking, in a way that excludes simultaneous copying of personal data subject to destruction or blocking.
7.4. Utilization.
7.4.1 Personal data shall be processed and used for the purposes specified in clause 6.1 of the Regulations.
7.4.2 Access to personal data shall be granted only to those employees of the Company whose job duties involve working with personal data and only for the period necessary to work with the relevant data. The list of such persons shall be determined by the Company.
7.4.3 In case of necessity to provide access to personal data to employees who are not included in the list of persons with access to personal data, they may be granted temporary access to a limited range of personal data by order of the General Director of the Company or other person authorized by the General Director of the Company. Relevant employees shall be familiarized against signature with all local legal acts of the Company in the field of personal data, and shall sign an obligation of non-disclosure of personal data.
7.4.4 Employees processing personal data without the use of automation shall be informed (including by familiarization with this Regulation) of the fact of personal data processing by them, categories of processed personal data, as well as the peculiarities and rules of such processing established by law and this Regulation.
7.4.5 Employees of the Company who do not have duly authorized access to personal data are prohibited.
7.4.6 If it is necessary to use or distribute certain personal data separately from other personal data on the same material medium, the personal data to be distributed or used shall be copied in a way that excludes simultaneous copying of personal data not subject to distribution and use, and the copy of personal data shall be used (distributed).
7.4.7 When personal data are processed without the use of automation tools, personal data shall be clarified by updating or changing the data on a tangible medium, and if this is not allowed by the technical features of the tangible medium - by fixing on the same tangible medium information about the changes made in them or by making a new tangible medium with the clarified personal data.
7.5. Transmission.
7.5.1 The transfer of personal data of the subjects to third parties is allowed in the minimum necessary amounts and only for the purposes of fulfillment of the tasks corresponding to the objective reason for the collection of such data.
7.5.2 The transfer of personal data to third parties, including for commercial purposes, is permitted only with the subject's consent or other legal basis.
7.5.3 When transferring personal data to third parties, the subject must be notified of such transfer, except in cases defined by law, in particular if:
a) the personal data subject has been notified of the processing of his/her personal data by the Operator, who has received the relevant data from the Company;
b) the personal data is made publicly available by the subject of personal data or received from a publicly available source;
7.5.4 The transfer of information containing personal data shall be carried out in a manner that ensures protection against unauthorized access, destruction, modification, blocking, copying, dissemination, as well as other unlawful actions with regard to such information.
7.5.5 Cross-border transfer of personal data is prohibited if the territory of a foreign state does not ensure an adequate level of protection of the rights of personal data subjects, unless:
7.5.6 Persons receiving personal data shall be warned that such data may be used only for the purposes for which they were communicated and in compliance with the confidentiality regime. The Company shall have the right to demand from such persons a confirmation that this rule has been observed.
7.5.7 In cases when state authorities have the right to request personal data or personal data must be provided by virtue of legislation, as well as in accordance with a court request, the relevant information may be provided to them in accordance with the procedure stipulated by the current legislation of the Republic of Belarus.
7.5.8 All incoming requests shall be submitted to the person responsible for organization of personal data processing in the Company for preliminary review and approval.
7.6. Defense.
7.6.1 Personal data protection means a number of legal, organizational and technical measures aimed at:
a) ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, dissemination, as well as from other unlawful actions in relation to such information;
b) observance of confidentiality of restricted information;
c) realization of the right of access to information.
7.6.2 To protect personal data, the Company shall take the necessary measures required by law (including, but not limited to):
a) limits and regulates the composition of employees whose functional duties require access to information containing personal data (including by using passwords for access to electronic information resources);
b) ensure conditions for storage of documents containing personal data in restricted access;
c) organizes the procedure of destruction of information containing personal data, if the legislation does not establish requirements for storage of relevant data;
d) control the compliance with the requirements for personal data security, including those established by this Regulation (by conducting internal controls, installing special monitoring tools, etc.);
e) investigates cases of unauthorized access or disclosure of personal data with bringing the guilty employees to responsibility, taking other measures;
f) implements program and technical means of information protection in electronic form;
g) ensures the possibility of recovery of personal data modified or destroyed due to unauthorized access to them.
7.6.3 In order to protect personal data during their processing in information systems, the Company shall take the necessary measures required by law (including, but not limited to):
a) identification of threats to the security of personal data during their processing;
b) application of organizational and technical measures to ensure security of personal data during their processing in personal data information systems necessary to meet the requirements to personal data protection;
c) accounting of machine carriers of personal data;
d) detection of the facts of unauthorized access to personal data and taking measures;
e) recovery of personal data modified or destroyed due to unauthorized access to them;
f) establishing the rules of access to personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions performed with personal data in the personal data information system.
7.6.4 The Company shall appoint persons responsible for organization of personal data processing.
7.6.5 The Company shall take other measures aimed at ensuring the fulfillment by the Company of its obligations in the field of personal data provided for by the current legislation of the Republic of Belarus.
8.1 The personal data subject has the right to:
a) withdraw his/her consent at any time without giving reasons by submitting an application to the Operator in the manner prescribed by Article 14 of the Law on personal data protection, or in the form through which his/her consent was obtained;
b) to obtain information regarding the processing of his/her personal data, containing:
c) request the Operator to amend his/her personal data in case the personal data are incomplete, outdated or inaccurate. For this purpose, the personal data subject shall submit an application to the Operator in accordance with the procedure established by Article 14 of the Law on Personal Data Protection, attaching the relevant documents and (or) duly certified copies thereof, confirming the need to amend the personal data;
d) receive information from the Operator about the provision of his/her personal data to third parties once a calendar year free of charge, unless otherwise provided by the Law on personal data protection and other legislative acts. In order to obtain the said information, the subject of personal data shall submit an application to the Operator. The application of the subject of personal data shall contain:
e) to demand from the Operator to stop processing of his/her personal data, including their deletion, free of charge, in the absence of grounds for personal data processing, provided by the Law on personal data protection and other legislative acts. To exercise the said right, the subject of personal data shall submit an application to the Operator in the manner prescribed by the Law on personal data protection;
f) appeal the actions (inaction) and decisions of the Operator, violating his/her rights in the processing of personal data, to the authorized body for the protection of the rights of personal data subjects in accordance with the procedure established by the legislation on appeals of citizens and legal entities.
8.2 The subject's right to access his/her personal data may be restricted in accordance with the legislation of the Republic of Belarus.
8.3 All appeals of subjects or their representatives in connection with the processing of their personal data shall be registered in the relevant journal.
8.4 The subject of personal data shall be obliged to:
a) provide the Company with reliable personal data;
b) timely inform the Company about changes and additions to his/her personal data;
c) exercise his/her rights in accordance with the legislation of the Republic of Belarus and local legal acts of the Company in the field of processing and protection of personal data;
d) fulfill other obligations provided for by the legislation of the Republic of Belarus and local legal acts of the Company in the field of processing and protection of personal data.
9.1 The Company shall have the right to:
a) establish the rules of personal data processing in the Company, amend and supplement these Regulations, independently, within the requirements of the legislation, develop and apply the forms of documents necessary for the fulfillment of the Operator's duties;
b) exercise other rights provided for by the legislation of the Republic of Belarus and local legal acts of the Company in the field of personal data processing and protection.