Section 1
General Provisions
1. This personal data protection policy (hereinafter referred to as the Policy) determines the activities of JLLC “SYSTEM TECHNOLOGIES” (hereinafter referred to as the Company) in data protection policy.
2. The processing of personal data is carried out in accordance with the Law of the Republic of Belarus “On Personal Data Protection” of May 07, 2021 No. 99-Z and other normative legal acts had taken to implement its provisions.
3. For the purposes of this Policy, the terms and definitions contained in the Law of the Republic of Belarus of May 7, 2021 No. 99-Z “On Personal Data Protection” (hereinafter referred to as the Law on Personal Data Protection), the Law of the Republic of Belarus of November 10, 2008 No. 455-Z “On information, informatization and the protection of information”.
4. Personal data defined as any information recorded in any form that allows to identify an individual or can be used for such identification.
5. The Policy is the fundamental document regulating the processing of personal data in the Company, and defines the basic principles, goals, conditions and methods of processing personal data, the categories of personal data subjects and the amount of personal data processed, the rights and obligations of personal data subjects, as well as the requirements implemented in the Company for personal data protection.
6. The provisions of the Policy serve as the basis for the development of local legal acts regulating the processing and protecting personal data in the Company.
7. The company, in accordance with the current legislation of the Republic of Belarus, is an operator, and in some cases an authorized person for the processing of personal data on behalf of the operator or in his interests.
8. The Policy is generally available and is posted on the official Internet portal of the Company.
Section 2
Principles and purposes of personal data processing
9. The processing of personal data in the Company is carried out on a legal and fair basis, and is limited to the achievement of specific, declared in advance legitimate purposes of their processing, redundancy of the processed personal data is not allowed.
10. During personal data processing, the Company ensures the reliability of personal data, their sufficiency and, if necessary, relevance in relation to the purposes of personal data processing.
11. The terms of use of personal data are determined in accordance with the purposes they were collected.
12. Personal data belongs to confidential information.
13. The company performs processing of personal data for the following purposes:
13.1. registration of labor relations, as well as the implementation of labor and social relations with employees, including, but not limited to:
selection of candidates for vacant positions;
HR administration and organizing the accounting of employees (personnel, military, individual (personalized));
providing information about insured persons for the purposes of state social insurance, including pension insurance;
provision of statistical and other reporting in accordance with the requirements of the legislation of the Republic of Belarus;
control of the quantity and quality of work;
training and career development;
passing internships by specialists in the Company;
providing working conditions, guarantees and compensations for employees and their families, including additional (voluntary health insurance, medical care and other types of social welfare);
organizing and holding mass actions, cultural and professional events for employees and their families;
13.2. bookkeeping and tax accounting;
13.3. banking and other financial transactions in the Company;
13.4. making of statistical reporting;
13.5. conclusion and execution of civil-law contracts with counterparties of the Company;
13.6. conducting tender procedures provided by local legal acts of the Company;
13.7. keeping records of affiliated persons of the Company and preparation of lists of affiliated persons;
13.8. protection of the rights and legitimate interests of the Company and its officials in courts, dispute settlement bodies, administrative and other state bodies;
13.9. making of powers of attorney issued to employees of the Company, other organizations and individuals;
13.10. passing reference checks and audit by the Company;
13.11. providing of inter-facility and access control in administrative buildings of the Company, providing the safety of property;
3.12. creating and maintaining of corporate telephone and other information guides and materials for internal information support of the Company’s activities, publication of messages on internal corporate information resources, placement of personal data on the official Internet portal, in public information systems;
13.13. realization of marketing activities (promotions, contests, programs to encourage employees, advertising and other events);
13.14. providing various Services for personal data subjects, including through mobile applications and cloud solutions;
13.15. providing full, objective, comprehensive and timely consideration of citizens` applications and legal entities;
13.16. for other purposes provided for by the legislation and local legal acts of the Company.
Section 3
Categories of personal data subjects, list of processed personal data
14. To achieve the goals specified in Section 2 of this Policy, the Company carries out the processing of personal data of the following categories of personal data subjects:
14.1. when registering an employment relationship, as well as in the course of employment, personal data is processed:
staff of the Company, including dismissed;
individuals who apply (applied) for the positions of employees of the company;
individuals who are close relatives, or who are related to subjects of personal data;
individuals doing internships in the Company;
14.2. individuals that have concluded civil-law contracts with the Company, whose personal data is processed in bookkeeping and tax accounting;
14.3. members of the Company and affiliated persons of the Company;
14.4. employees and (or) representatives of the Company’s counterparties (including potential ones) on the basis of concluding, amending, executing and terminating contracts with them;
14.5. lawyers, notaries interacting with the Company on the basis of achieving the goals specified in subparagraphs 13.8-13.9 of paragraph 13 of the Policy;
14.6. individuals directly entering the territory of the Company on the basis of providing inter-facility and access modes, fixing the movement of personal data subjects in the buildings (spaces) of the Company;
14.7. visitors (individuals) of the official Internet portal and clients of the Company’s Services on the basis of the purposes specified in subparagraphs 13.13-13.14 of paragraph 13 of the Policy;
14.8. in order to provide a complete, objective, comprehensive and timely communication of citizens appeals and legal entities, personal data of individuals who applied to the Company in written form, in the form of electronic document or in an oral appeal, as well as their legal representatives, representatives of legal entities are processed;
14.9. other subjects of personal data who provided their personal data in another way to achieve the purposes of processing personal data specified in Section 2 of this Policy;
15. The list of personal data processed by the Company is determined in accordance with the legislation and local legal acts of the Company, taking into account the specific purposes of processing personal data specified in Section 2 of this Policy.
Section 4
Terms and conditions of data processing and storage of personal data
16. The basis for the personal data processing is the consent of the subject of personal data, except in cases provided for by the legislation of the Republic of Belarus, when the processing of personal data is carried out without such consent.
17. The consent of the subject of personal data is a free, unequivocal, informed expression of his will by means of which he allows the processing of its personal data.
18. Refusal to give consent to the processing of personal data gives the Company the right to refuse the subject of personal data to provide access to the websites and Services of the Company.
19. The processing of personal data by the Company includes the following actions with personal data: collection, recording, systematization, storage, clarification (updating, changing), usage, depersonalization, blocking, distribution, provision, deleting, as well as other actions in accordance with the legislation of the Republic Belarus.
20. The processing of personal data by the Company is carried out:
by using automated facilities;
without using automated facilities, when the search for personal data and (or) access to them according to certain criteria (filing systems, lists, magazines, etc.) is provided.
21. The processing of personal data for the purposes specified in Section 2 of this Policy is carried out by:
receiving personal data directly from personal data subjects whose data is processed for the above-mentioned purposes;
receiving the originals of the required documents;
copying the originals of the required documents;
providing information into accounting forms (on paper and electronic form);
making of personal data in personnel work;
entering personal data into automated information systems;
using of automated facilities provided for the functioning of the official Internet portal, Company Services;
performing other actions required to achieve the purposes of processing personal data.
22. The terms for processing personal data are determined in accordance with the purposes they were collected to.
23. The storage of personal data is carried out in a form that allows determining the subject of personal data, for a period not longer than required by the purposes of processing personal data, except the cases when the period of storage of personal data is established by the legislation of the Republic of Belarus.
24. The condition for stopping the processing of personal data may be the achievement of the goals of processing personal data, the expiration of the storage period for personal data established by law and local legal acts of the Company, the revocation of the subject of personal data to the processing of his personal data, as well as the identification of illegal processing of personal data. In this case, the Company stops processing the personal data of the subject, and provides their removal.
25. In order to exercise the rights of personal data subjects, the Company takes the necessary legal, organizational and technical measures to ensure the protection of personal data from unauthorized or accidental access to them, modification, blocking, copying, distribution, provision, deletion of personal data, as well as from other illegal actions with personal data.
26. The transfer (distribution, provision) of personal data subjects of personal data to third parties, whose data is processed for the purposes specified in Section 2 of this Policy, is carried out in cases and in the manner provided by the legislation of the Republic of Belarus.
Section 5
Main rights and obligations of the Company
and personal data subjects
27. The company has the right:
to receive credible information and (or) documents containing personal data from the subject of personal data;
to request from the subject of personal data information about the relevance and credibility of the provided personal data;
to reject the subject of personal data to satisfy the requirements about stopping processing his personal data and (or) delete them if there are grounds for processing provided by the legislation of the Republic of Belarus, including if they are necessary for the declared purposes of their processing.
28. The company is obliged:
to explain to the subject of personal data his rights related to the processing of personal data;
to obtain the consent of the subject of personal data to the processing of his personal data except in the cases provided for by law;
to process personal data in the manner prescribed by the legislation of the Republic of Belarus;
to provide the protection of personal data while processing;
to take measures to provide the accuracy of the processed personal data, to make changes to personal data that are incomplete, outdated or inaccurate;
to consider appeals of personal data subjects about the processing of personal data and give motivated answers to them;
to provide the subject of personal data with information about his personal data, about their provision to third parties;
to stop processing personal data, as well as delete or block it in the absence of legal grounds for their processing, as well as on request of the subject of personal data;
to perform other duties provided for by the legislation of the Republic of Belarus.
29. The subject of personal data has the right:
to receive information about the processing of his personal data by the Company;
to amend his personal data if the personal data is incomplete, outdated or inaccurate;
to revoke the consent about the processing of personal data;
to stop processing their personal data, including its deletion, if there are no grounds for their processing;
to receive information about the provision of their personal data to third parties once a calendar year free, unless otherwise prescribed by the law;
to appeal against the action (inaction) and decision of the Company that violate its rights in the processing of personal data to the National Center for the Protection of Personal Data of the Republic of Belarus in the manner prescribed by the law on the appeal of citizens and legal entities;
to exercise other rights provided for by the legislation of the Republic of Belarus.
30. The subject of personal data is obliged:
to provide the Company only with credible information about yourself;
to provide the Company with documents containing personal data for the purpose of their processing, if necessary;
to promptly inform the Company about changes in your personal data;
to carry out other obligations stipulated by the law.
Section 6
The mechanism for realizing the rights of the subject of personal data
the rights of the subject of personal data | The mechanism for realizing the rights of the subject of personal data |
1. The right to withdraw the consent of the subject of personal data, when the consent is a legal basis for the processing of personal data.
This withdrawal is not retroactive and does not affect the legality of the processing of personal data based on consent until its withdrawal. |
The Company is obliged, within fifteen days after receiving the application to stop processing personal data, delete personal data and notify the subject of personal data about this, except cases when the Company has the right to continue processing personal data if there are reasons established by law. If it is not technically possible to delete personal data, the Company takes measures to prevent further processing of personal data, including blocking of personal data, and notifies the subject of personal data about this at the same time. |
2. The right to receive information about the processing of personal data containing:
name and location of the Company; confirmation of the fact of personal data processing by the Company; list of personal data and the source of its receiving; legal grounds and purposes of personal data processing; the period for which the consent of the subject of personal data to the processing of personal data is given; other information provided by law. |
The Company is obliged within five working days after receiving the application, unless otherwise provided by legislative acts, to provide the requested information or notify about the reasons for refusal to provide it. |
3. The right to correct its personal data if it is incomplete, outdated or inaccurate. | The company is obliged within fifteen days after receiving the application to make appropriate changes to personal data and notify about the reasons for refusal, unless a different procedure for making changes to personal data is established by legislative acts. |
4. The right to receive information about the provision of personal data to the third parties once a calendar year (from January 01 to December 31) for free, unless otherwise provided by legislative acts. | The company is obliged within fifteen days after receiving the application to provide information about what personal data and to whom it shall be provided for during the year preceding the date of filling the application, or to notify the reasons for refusal to provide it. |
5. The right to free termination of the processing of personal data and (or) its deletion, in the absence of reasons for the processing of personal data provided for by legislative acts. | The Company is obliged within fifteen days after receiving the application to stop processing personal data, delete them and notify the subject of personal data about this, except the cases where the Company has the right to continue processing personal data if there are grounds established by law, including if they are necessary for declared purposes of their processing, with notification of the subject of personal data within fifteen days. If it is not technically possible to delete personal data, the Company takes measures to prevent further processing of personal data, including blocking of personal data, and notifies the subject of personal data about this at the same time. |
6. The right to appeal against actions (omissions) and decisions of the Company that violate his rights in the processing of personal data to the National Personal Data Protection Center. | The complaint is considered in accordance with the legislation on appeals of citizens and legal entities. |
31. To realize one or more of the rights specified in paragraphs 1-5 of the table, the subject of personal data has the right to submit the relevant application to the Company in one of the following ways:
in written form – 220084, Minsk, 3-10b, Akademika Kuprevicha str., 5th floor;
as an electronic document with digital signature of the subject of personal data by e-mail: info@st.by.
32. The application of the subject of personal data about realization of one or more rights specified in paragraphs 1-5 of the table of this Policy should contain:
surname, name, patronymic (if there is one) of the subject of personal data;
place of residence (place of stay);
date of birth;
identification number, in the absence of this number – personal data subject identification document number, in case if this information was indicated by the subject of personal data when giving his consent to the Company for the processing of personal data or the processing of personal data is carried out without the consent of the subject of personal data;
presentation of the essence of requirements;
individual signature or digital signature.
33. The subject of personal data has the right to withdraw his consent to the processing of personal data, including another electronic form, through which his consent was received.
34. The response to the application about the realization one or more rights specified in paragraphs 1-5 of the table should be send to the subject of personal data in the form corresponding to the application submission form, if otherwise indicated in the application.
Section 7
Implementation of personal data protection requirements
35. The Company provides all the necessary and sufficient set of measures to provide the protection of personal data
Compulsory measures to provide the protection of personal data include:
designation of a structural unit or responsible person for exercising internal control over the processing of personal data;
publication of local legal acts to develop this Policy that regulate the activities of the Company in relation to the processing of personal data;
to inform the Company’s employees and other persons directly involved in the processing of personal data with the provisions of the legislation on personal data, including the requirements for the protection of personal data, this Policy and other local legal documents that determine the Company’s activities in relation to the processing of personal data, as well as training the mentioned employees and other persons in accordance with the procedure established by the legislation of the Republic of Belarus;
establishing the procedure for access to personal data, including data processed in automated information systems;
implementation of technical and cryptographic protection of personal data in the manner established by the Operations and Analysis Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data.
Section 8
Cross-border transfer
36. The company prior to the start of cross-border transfer of personal data is obliged to make sure that the foreign state in whose territory it is supposed to transfer personal data, provides an appropriate level of protection of the rights of subjects of personal data.
37. Cross-border transfer of personal data on the territory of foreign states that do not correspond the above-mentioned requirements can be carried out only in cases provided for by law, including when the consent of the subject of personal data is given, provided that the subject is informed about the risks arising from the lack of an appropriate level protection, and (or) execution of the contract where the subject of personal data is one of the parties.
Section 9
Final provisions
38. Issues related to the processing of personal data that are not included in this Policy are governed by the legislation of the Republic of Belarus.
39. If any provision of the Policy is found to be contrary to the law, the other provisions corresponding to the law remain in force and are valid, and any invalid provision will be considered deleted (modified) in so far as it provides its compliance with the law.
40. The Company, if necessary, unilaterally makes appropriate changes to the Policy with further posting of the new Policy on the official Internet portal. The current version of the Policy is always available at: www.st.by.