1 General Provisions
1 Policy of JSC Belshina, legal address: sh. Minskoe, 4, 213824, Bobruisk, UNP 700016217, official websites www.belshina.by, www.san-shinnik.by, belshina.bel, kzri.belshina.by, shinnik.by, regarding the processing of personal data (hereinafter - the Policy) is a fundamental document that defines the conceptual basis for the activities of JSC «Belshina» (hereinafter - the Company) in the processing and protection of personal data.
1.2 This Policy is developed in accordance with the Law of the Republic of Belarus No. 99-3 «On Personal Data Protection» dated May 7, 2021 (hereinafter - the Law).
1.3 This Policy uses terms and their definitions in the meaning defined in the Law.
1.4 The purpose of this Policy is to protect the interests of personal data subjects and the Company, as well as to comply with the requirements of the Personal Data Legislation of the Republic of Belarus.
1.5 This Policy shall apply to all business processes of the Company related to the processing of personal data.
1.6 The requirements of this Policy apply to any personal data, regardless of the type of media on which they are recorded.
1.7 The Policy is binding for all employees and all structural subdivisions of the Company. The requirements of the Policy shall also apply to other persons if their participation in the Company's processing of personal data is necessary, as well as in cases where personal data is duly transferred to them on the basis of agreements and contracts.
1.8 The Policy is publicly available and is posted both on the Company's official website in the global computer network Internet and at the Company's location on the first floor of the AIC building at 4, Minskoye sh.
1.9 This Policy is applicable only to the official website of the Company. The Company does not control and is not responsible for other websites and mobile applications that contain information about the Company
1.10 The Policy is intended for familiarization by the subject of personal data, which may be an employee of the Company, a consumer of services rendered by the Company, other person providing the Company with his/her personal data both in writing on paper and electronically by any available means, including, but not limited to: by marking in the field on the Company's official websites «I agree», with a reference to the Policy.
1.11 The provisions of the Policy serve as a basis for the development of local legal acts regulating the issues of processing personal data of the Company's employees and other subjects of personal data.
1.12 In the event that after the issuance of this Policy a legislative act is adopted which establishes rules other than those which were in effect when this Policy was issued, the provisions and requirements stipulated by the regulatory legal acts of the Republic of Belarus shall apply.
2 Purposes of personal data processing
2.1 The Company processes personal data for the following purposes:
- ensuring compliance with legislative and other normative legal acts of the Republic of Belarus
- exercising the rights and legitimate interests of the Company within the framework of the activities provided for by the Charter and other local legal acts of the Company
- conducting personnel work and organizing records of the Company's employees
- consideration of the issue of employment in the Company for the period of the employer's (General Director's) decision to hire or refuse to hire the employee
- execution of labor relations, as well as in the course of labor activity of the personal data subject in cases stipulated by the legislation, including processing of special personal data
- inclusion of the candidate in the personnel reserve
- keeping individual (personified) records of information on insured persons for the purposes of state social insurance, including professional pension insurance
- implementation of anti-corruption legislation
- organization and carrying out of state statistical observations, generation of official statistical information, including processing of special personal data
- processing of personal data when they are specified in a document addressed to the operator and signed by the personal data subject in accordance with the content of such document
- accounting and tax accounting
- accrual and transfer of salaries, assignment and payment of pensions and benefits
- accrual and transfer of travel expenses
- drawing up cash vouchers
- completing and submitting the required reporting forms to the executive authorities and other authorized organizations
- organization of accounting and other work on social protection of employees, relatives (family members) of the Company's employees, pensioners
- organizing professional training, retraining, advanced training, training courses, internships for the Company's employees
- protection of life, health or other vital interests of the Company's employees
- obtaining invitations from foreign companies and partners, for issuing entry visas to foreign countries
- execution of documents for business trips of the Company's employees (hotel reservations, airline tickets, passes and other documents required for participation in exhibitions and other events)
- preparation, conclusion, execution and termination of contracts with counterparties
- sending notices, commercial offers
- maintenance of military records
- issuing powers of attorney and other authorizing documents
- ensuring access control and security at the Company's premises
- preparation of reference materials for internal information support of the Company's activities
- execution of judicial acts, acts of other bodies or officials subject to execution in accordance with the legislation of the Republic of Belarus
- organization of health resort treatment
- provision of paid medical services
- placement of information in informational materials on the official websites of the Company
- collection of information through feedback forms, reservation forms, collection of statistical information, administration of the Company's official websites
- reviewing appeals of citizens and legal entities
- digital signature registration
- activities of the editorial office of the Shinnik newspaper
- ensuring measures for notification and gathering of the Company's employees during training, drills and liquidation of emergency situations
- insurance of fire brigade members
- keeping statistics on visits to the Company's Internet resources
2.2 Only those personal data that meet the purposes of their processing shall be processed.
3 Categories of personal data subjects whose personal data are processed by the Company
3.1 The Company shall process personal data belonging to the following subjects of personal data received in accordance with the established procedure:
- job candidates and employees of the Company, relatives (family members) of the Company's employees, pensioners, former employees of the Company registered with the Company
- students, other persons who came to the Company for practical training, internship
- persons who are candidates for the reserve of managerial personnel
- employees of branches, representative offices, subsidiaries and organizations of the Company
- counterparties, representatives of potential counterparties, individuals
- visitors to official websites
- other subjects of personal data (to ensure realization of the processing purposes specified in Chapter 2 of this Policy)
4 List of personal data
4.1 The list of personal data, including special personal data, processed by the Company shall be determined in accordance with the legislation and local legal acts of the Company taking into account the purposes of personal data processing specified in Chapter 2 of this Policy.
4.2 In accordance with the stated purposes, the Company processes the following personal data of personal data subjects:
- surname, first name, patronymic (if any), previous surname (in case of its change)
- gender
- date and place of birth
- marital status
- information on family composition
- information on registration at the place of residence, place of actual residence
- citizenship
- autobiographical data
- criminal record and other offenses
- numbers of work, home (landline) and cell phones, e-mail address
- identification number
- passport data
- series, number, date of issue and expiration date of disability certificate, pension certificate, certificate of civil status registration (birth, death, marriage, other), certificate of incapacity for work, documents on education, their annexes, documents on training, documents on conferring state awards, victim of the Chernobyl catastrophe, other radiation accidents, veteran of combat operations (warrior-internationalist)
- information on the attitude to military duty
- information on occupation (type of activity, place of work and position held, date of employment, dismissal from work, name of organization)
- Information on education, academic degree, academic rank, vocational training, retraining, advanced training and training courses
- information on wages and social benefits
- information on social benefits and payments
- information on bank accounts and cards
- digital portrait
- information on foreign language skills, including proficiency level
- anthropometric data (height, size of clothes, shoes, etc.)
- information on health status (existing diseases, vaccinations, etc.)
- information about awards and incentives
- pension, monthly insurance payment under compulsory insurance against industrial accidents and occupational diseases (type of pension (insurance payment), date of assignment, termination of payment)
- disability (disability group, degree of loss of health (for minors), date of establishment of disability, period, reason)
- information on income and property (with respect to oneself and adult family members living together and maintaining a common household)
- information on belonging to a political party or public organization
- ID card details
- internet user name
- IP address
- login credentials to the Company's local network
5 Procedure and conditions of personal data processing
5.1 The Company shall process personal data, including collection, systematization, storage, modification, use, depersonalization, blocking, distribution, provision, deletion of personal data, in accordance with the procedure and on the terms and conditions defined by the Law and local legal acts of the Company.
5.2 Personal data shall be processed by the Company's employees on paper and (or) automatically by means of the Company's information systems.
5.3 In the course of its activities, the Company may carry out trans-border transfer of personal data in accordance with the Law, taking into account the purposes of personal data processing specified in Chapter 2 of this Policy.
5.4 In cases stipulated by the law, in particular those stipulated by Articles 6 and 8 of the Law, the Company shall process personal data without special consent of the personal data subject. In other situations, the Company shall offer the personal data subject to execute a consent to the processing of personal data. The subject of personal data may revoke his/her consent to the processing at any time.
5.5 The condition for termination of personal data processing may be the achievement of the purposes of personal data processing, expiration of the personal data subject's consent to the processing of his/her personal data or withdrawal of the personal data subject's consent to the processing of his/her personal data, except for cases defined by law.
5.6 When the purposes of personal data processing are achieved, as well as in case of withdrawal of consent to processing by the subject of personal data, personal data shall be deleted or blocked, except for cases provided for by the Law or other legislative acts.
5.7 The Company shall provide the subject of personal data with information regarding the processing of his/her personal data at his/her request, in the form, scope and terms established by law.
5.8 The Company shall not disclose or distribute personal data to third parties without the consent of the subject of personal data, unless otherwise provided for by law.
5.9 The Company's employees whose job description includes personal data processing shall be allowed to process personal data.
5.10 Transfer of personal data to the bodies of inquiry and investigation, tax authorities, Federal Social Security Fund, Belgosstrakh and other executive authorities and organizations shall be carried out in accordance with the requirements of the legislation.
5.11 The Company shall take the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, distribution and other unauthorized actions.
6 Rights and obligations of personal data subjects and the Company
6.1 The subject of personal data has the right to:
- to receive information regarding the processing of his/her personal data
- to receive information from the Company on the provision of his/her personal data to third parties under the conditions defined by the Law
- withdraw consent to the processing of personal data
- to appeal to the authorized body for protection of the rights of personal data subjects or in court against unlawful actions or omissions of the Company in processing his/her personal data
- demand from the Company to change his/her personal data if the personal data is incomplete or outdated
- receive any explanations on the issues of interest related to the processing of his/her personal data
- exercise other rights provided for by the legislation
6.2 The subject of personal data shall:
- provide the Company with reliable data about himself/herself
- timely notify the Company about clarification (update, change) of his/her personal data
6.3 The Company shall have the right to:
- receive from the subject of personal data reliable information and (or) documents containing personal data
- request from the subject of personal data information on the relevance and reliability of the personal data provided
- in case the personal data subject revokes his/her consent to the processing of personal data, to continue the processing of personal data without the consent of the personal data subject if there are grounds specified in the Law
- if necessary to achieve the objectives of personal data processing, transfer personal data to third parties in compliance with legal requirements
- independently determine the composition and the list of measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by the Law
6.4 The Company shall:
- explain to the subject of personal data his/her rights related to the processing of personal data
- obtain the personal data subject's consent to the processing of personal data, except for cases provided for by the Law and other legislative acts
- ensure the protection of personal data in the process of their processing
- to provide the personal data subject with information about his/her personal data, as well as about the provision of his/her personal data to third parties, except in cases provided for by the Law and other legislative acts
- make changes to personal data that are incomplete, outdated or inaccurate, except in cases when another procedure for making changes to personal data is established by legislative acts or if the purposes of personal data processing do not imply subsequent changes to such data
- to stop processing of personal data, as well as to delete or block them in the absence of grounds for personal data processing provided by the Law and other legislative acts
- to notify the authorized body for the protection of the rights of personal data subjects about the breaches of personal data protection systems immediately, but not later than three working days after the Company became aware of such breaches, except in cases provided for by the authorized body for the protection of the rights of personal data subjects
- to modify, block or delete unreliable or illegally obtained personal data of the personal data subject at the request of the authorized body for the protection of the rights of personal data subjects, unless another procedure for amending, blocking or deleting personal data is established by legislative acts
- to fulfill other requirements of the authorized body for the protection of the rights of personal data subjects on elimination of violations of the legislation on personal data
- fulfill other obligations stipulated by the Law and other legislative acts.
7 Measures taken to ensure fulfillment of the operator's obligations
7.1 . Measures necessary and sufficient to ensure that the Company fulfills the obligations of the operator as stipulated by the legislation in the field of personal data include:
- providing personal data subjects with the necessary information before obtaining their consents to the processing of personal data
- explaining to the subjects of personal data their rights related to the processing of personal data
- obtaining written consents of personal data subjects for processing of their personal data, except for the cases provided for by the legislation
- appointment of a structural unit or a person responsible for internal control over personal data processing in the Company
- issuance of documents defining the Company's policy with regard to personal data processing
- familiarization of employees directly involved in the processing of personal data in the Company with the provisions of personal data legislation
- establishing the procedure for access to personal data, including the following
- processed in a formal resource (system)
- implementation of technical and cryptographic protection of personal data in the Company in accordance with the procedure established by the Operational and Analytical Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data
- termination of personal data processing in the absence of grounds for their processing
7.2 Measures to ensure the security of personal data during their processing in information systems shall be established in accordance with the Company's local legal acts regulating the security of personal data during their processing in the Company's information systems.
8 Responsibility for violations
8.1 Persons guilty of violating the Law shall be held liable in accordance with the legislative acts.
8.2 Employees and other persons guilty of violating this Policy, as well as the legislation in the field of personal data, may be brought to disciplinary and material responsibility, as well as may be brought to civil, administrative and criminal liability in accordance with the procedure established by the legislation of the Republic of Belarus.