1. General provisions
1.1. This Policy regarding the processing of personal data (hereinafter referred to as the Policy) defines the activities of Open Joint Stock Company Belshina, registered and located at: 213824, Minskoe shosse, 4, Bobruisk, UNP 700016217 (hereinafter referred to as the Company), as well as official websites www.belshina.by, belshina.bel, kzri.belshina.by, shinnik.for example, in relation to the processing of personal data, including persons who are not its employees, including the procedure for collecting, storing, using, transferring and protecting personal data.
1.2. This Policy has been developed in accordance with the Law of the Republic of Belarus dated May 7, 2021 No. 99-3 "On Personal Data Protection" (hereinafter referred to as the Law).
1.3. This Policy uses the terms and their definitions in the meaning defined in the Law.
1.4. The purpose of this Policy is to protect the rights and interests of personal data subjects and the Company, as well as to comply with the requirements of the legislation of the Republic of Belarus on personal data.
1.5. This Policy applies to all business processes of the Company related to the processing of personal data.
1.6. The Company itself is the operator of personal data. The Company, guided by the legislation of the Republic of Belarus on personal data, determines the purposes of personal data processing, the composition and volume of personal data being processed, as well as the procedure and conditions for their processing. The Company ensures compliance with the rights of personal data subjects, sets the retention periods for personal data based on legal requirements and stated goals, and implements organizational and technical measures to protect them.
1.7. This Policy is a local legal act of the Company, the requirements of which are mandatory for compliance and execution by employees, as well as other persons involved in the processing of personal data, regardless of the type of operations, categories and carriers of personal data.
1.8. The Policy is mandatory for all employees and all structural divisions of the Company involved in the processing of personal data. The requirements of the Policy also apply to other persons if their participation in the process of processing personal data by the Company is necessary, as well as in cases where personal data is transferred to them in accordance with the established procedure on the basis of agreements and contracts.
1.9. The Policy is publicly available and is posted both on the Company's official websites on the global computer network Internet and at the Company's location on the first floor of the AIC building at 4 Minskoye Highway.
1.10. This Policy applies only to the official websites of the Company. The Company does not control and is not responsible for other websites and mobile applications that contain information about the Company.
1.11. The Policy is intended for familiarization by the personal data subject, which may be an employee of the Company, a consumer of goods and (or) works provided by the Company, or another person who provides the Company with his personal data both in writing on paper and electronically in any available way.
1.12. The provisions of the Policy serve as the basis for the development of local legal acts regulating the processing of personal data of the Company's employees and other subjects of personal data in the Company.
1.13. This Policy and its amendments are approved by the General Director of JSC Belshina and come into force from the moment of their approval.
1.14. If, after the publication of this Policy, a legislative act has been adopted establishing rules other than those in force at the time of publication of this Policy, the provisions and requirements provided for by the regulatory legal acts of the Republic of Belarus shall apply.
2. Principles and purposes of personal data processing
2.1. The processing of personal data in the Company is carried out taking into account the need to ensure the protection of the rights and freedoms of the Company's employees, its counterparties, users and other subjects of personal data, including the protection of the right to privacy, personal and family secrets, based on the following principles:
- personal data is processed on a lawful and fair basis;
- the processing of personal data is carried out in proportion to the stated purposes of their processing and ensures a fair balance of interests of all interested parties at all stages of such processing;
- the processing of personal data is carried out with the consent of the personal data subject, except in cases provided for by legislative acts;
- the processing of personal data is limited to achieving specific, pre-stated legitimate goals. Processing of personal data incompatible with the originally stated purposes of their processing is not allowed;
- the content and volume of personal data processed correspond to the stated purposes of their processing. The personal data being processed is not redundant in relation to the stated purposes of their processing;
- The processing of personal data is transparent.
2.2. The Company processes personal data for the following purposes:
- ensuring compliance with legislative and other regulatory legal acts of the Republic of Belarus;
- performing the functions, powers and duties assigned to the Company;
- protection of the rights and legitimate interests of the Company within the framework of its activities, in accordance with the legislation, the Charter and other local legal acts of the Company;
- management of personnel work and organization of accounting of the Company's employees;
- consideration of the issue of employment in the Company for the period of the employer's (CEO's) decision on admission or refusal of employment;
- registration of employment relations, as well as in the course of the personal data subject's employment in cases provided for by law;
- inclusion of a candidate in the personnel reserve;
- maintaining individual (personalized) records of insured persons' information for the purposes of state social insurance, including occupational pension insurance;
- performing the functions, powers and duties assigned to the Company by the legislation of the Republic of Belarus, including providing personal data to the Ministry of Labor and Social Protection, the Social Protection Fund, as well as other government agencies;
- implementation of anti-corruption legislation;
- organization and conduct of state statistical observations, formation of official statistical information;
- processing of personal data when they are indicated in a document addressed to the operator and signed by the personal data subject in accordance with the content of such document;
- accounting and tax accounting;
- accruals and transfers of salaries, appointments and payments of pensions and benefits;
- accruals and transfers of travel expenses; execution of cash expense orders;
- filling in and submitting required reporting forms to the executive authorities and other authorized organizations;
- organization of accounting and other work on social protection of employees, relatives (family members) of employees of the Company, pensioners;
- provision of additional guarantees and compensations to the Company's employees and their family members;
- providing corporate benefits to the Organization's employees;
- organization of professional training, retraining, advanced training, training courses, internships for the Company's employees;
- protection of the life, health or other vital interests of the Company's employees;
- receiving invitations from foreign companies and partners to apply for entry visas to foreign countries;
- registration of documents for business trips of the Company's employees (booking hotels, air tickets, registration of passes and other documents necessary for participation in exhibitions and other events);
- implementation of cross-border transfer of personal data of subjects to authorized persons;
- preparation, conclusion, execution and termination of contracts with counterparties;
- sending notifications and commercial offers;
- maintaining military records;
- issuance of powers of attorney and other authorizing documents;
- ensuring access and intra-facility regimes in the Company;
- formation of reference materials for internal information support of the Company's activities;
- execution of judicial acts, acts of state bodies and other organizations, as well as officials subject to execution in accordance with the legislation on enforcement proceedings of the Republic of Belarus;
- organization of sanatorium-resort treatment;
- provision of paid medical services;
- posting information in information materials on the official websites of the Company;
- identification of a user registered in the internal information systems (resources) of the Company;
- collecting information through feedback forms, booking forms;
- administration of the official websites of the Company;
- determining the user's location (if necessary);
- confirmation of the accuracy and completeness of the personal data provided by the user (if necessary);
- sending out newsletters about the products and services of the resource (if necessary). The parties (the Company and the subject) confirm that this information is not spam and the user agrees to receive it;
- maintaining statistics on visits to the Internet resources of the Company;
- consideration of appeals from citizens and legal entities;
- digital signature registration;
- activities of the editorial office of the newspaper "Shinnik";
- provision of measures to notify and collect employees of the Company during training, exercises and emergency response;
- insurance for members of fire brigades.
2.3. Only those personal data that meet the stated purposes of their processing are subject to processing.
3. Categories of subjects of personal data whose personal data is processed in the Company
3.1. The Company processes personal data received in accordance with the established procedure, belonging to the following personal data subjects:
- candidates for employment and employees of the Company, relatives (family members) of employees of the Company, pensioners, former employees of the Company who are registered with the Company;
- students and other persons who have arrived at the Company for practical training, internship;
- persons who are candidates for the leadership reserve;
- employees of the Company;
- employees of branches, representative offices, subsidiaries and organizations of the Company;
- the Company's counterparties, representatives of potential counterparties;
- individuals with whom the Company has concluded (or plans to conclude) civil law contracts;
- visitors to official websites;
- other individuals who have consented to the processing of their personal data by the Company, or individuals whose personal data processing is necessary for the Company to achieve the goals stipulated by law;
- other entities whose interaction with the Company creates the need for personal data processing to ensure the implementation of the processing objectives specified in Chapter 2 of this Policy.
4. List and content of personal data processed
4.1. The list of personal data, including special personal data processed by the Company, is determined in accordance with the legislation and local legal acts of the Company, as well as taking into account the purposes of personal data processing specified in Chapter 2 of this Policy.
4.2. In accordance with the stated objectives, the Company processes the following personal data of personal data subjects:
- last name, first name and patronymic (if any), previous last name (if changed);
- sex;
- date and place of birth;
- citizenship;
- place of registration and actual residence;
- marital status;
- information about the composition of the family;
- passport data or data of another identity document (series, number, date of issue, name of the issuing authority, etc.);
- identification number;
- ID card data;
- autobiographical information;
- criminal record and other offenses;
- the number of the insurance certificate of the state social insurance;
- biometric personal data (including photos, images from surveillance cameras, voice recordings, digital photo portrait);
- information about social benefits and payments;
- the series, number, date of issue and period of validity of the disability certificate, pension certificate, certificate of registration of acts of civil status (birth, death, marriage, etc.), disability certificate, documents on education, applications to them, documents on education, documents on awarding state awards, victims of the Chernobyl disaster, other radiation accidents, combat veteran (international soldier);
- information about awards and promotions;
- about pension, monthly insurance payment for compulsory insurance against industrial accidents and occupational diseases (type of pension (insurance payment), date of appointment, termination of payment);
- about disability (disability group, degree of loss of health (for minors), date of disability, term, reason);
- information about income and property (in relation to themselves and adult family members who live together and run a common household);
- information about membership in a political party or public organization;
- information about military registration;
- contact information: phone number (home, personal and/or work), email address;
- information about bank accounts and cards;
- information about education, academic degree, academic title, professional training, retraining, advanced training and training courses;
- information about foreign language proficiency, including proficiency level;
- information about the type of activity (type of activity, place of work and position held, date of employment, dismissal from work, name of the organization, including length of service and work experience, employment data indicating the position, department, information about the employer);
- information about wages and social benefits;
- medical information (in cases provided for by law);
- information about the state of health (existing diseases, vaccinations, etc.);
- anthropometric data (height, size of clothes, shoes, etc.);
- user's name on the Internet;
- the Company's local network login credentials;
- other information (the specified list may be reduced or expanded depending on the specific case and purposes of personal data processing).
4.3. In order to analyze the operation of its Internet resources, the Operator processes the following personal data of their visitors:
- email address;
- phone number;
- IP address;
- browser information;
- cookie data;
- addresses of the requested pages;
- access time.
4.4. The Operator ensures that the content and volume of the personal data being processed correspond to the stated purposes of their processing and, if necessary, takes measures to eliminate their redundancy in relation to the stated purposes of processing.
5. The procedure, conditions and methods of personal data processing by the Company
5.1. The Company processes personal data, including collection, systematization, storage, modification, use, transfer, distribution, provision, access, depersonalization, blocking, deletion of personal data in accordance with the procedure and on the terms defined by the Law and local legal acts of the Company.
5.2. Personal data is processed by the Company's employees on paper and/or by automated means using the information systems (resources) of the Company.
5.3. In the course of its activities, the Company may transfer personal data across borders in accordance with the Law, taking into account the purposes of personal data processing specified in Chapter 2 of this Policy.
5.4. In cases stipulated by law, in particular Articles 6 and 8 of the Law, the Company may process personal data without the special consent of the personal data subject. In all other cases, the Company offers the personal data subject to provide consent to the processing of personal data in the form provided in Appendix 1 to this Policy.
5.5. The condition for termination of personal data processing may be the achievement of the purposes of personal data processing, the expiration of the consent of the personal data subject to the processing of his personal data, or the revocation of the consent of the personal data subject to the processing of his personal data, except in cases specified by law.
5.6. Upon achieving the purposes of personal data processing, as well as in the event that the personal data subject withdraws consent to their processing, personal data is subject to deletion or blocking, except in cases provided for by Law or other legislative acts.
5.7. The Company provides the personal data subject with information regarding the processing of his/her personal data upon request, in the form, volume and within the time period established by law.
5.8. The Company does not disclose or distribute personal data to third parties without the consent of the personal data subject, unless otherwise provided by law.
5.9. Employees of the Company whose job responsibilities include processing personal data are allowed to process personal data.
5.10. The transfer of personal data to the bodies of inquiry and investigation, to the tax authorities, the Federal Tax Service, Belgosstrakh and other executive authorities and organizations is carried out in accordance with the requirements of the legislation.
5.11. The Company takes the necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access, destruction, modification, blocking, dissemination and other unauthorized actions.
6. Basic rights and obligations of personal data subjects and the Company
6.1. In accordance with Chapter 3 of the Law, the personal data subject has the following rights:
- receive information regarding the processing of his personal data;
- to receive information from the Company about the provision of personal data to third parties;
- to revoke his consent to the processing of personal data at any time without giving reasons;
- to make changes to personal data if they are incomplete, outdated or inaccurate;
- to demand free termination of the processing of their personal data, including their deletion in the absence of grounds for their processing;
- to appeal against the Company's actions/omissions related to the processing of his personal data to the authorized body for the protection of the rights of personal data subjects in accordance with the procedure established by law;
- receive any clarifications on issues of interest related to the processing of his personal data;
- to exercise other rights stipulated by the legislation.
6.2. In order to exercise these rights, the personal data subject must submit an application to the Operator in writing to the address: 213824, Minskoye highway, 4, Bobruisk, or in the form of an electronic document to the email address: obrpd@belshina.by. The application must contain:
- last name, proper name, patronymic (if any), address of the place of residence (place of stay), date of birth of the personal data subject;
- date of birth of the personal data subject;
- the identification number of the personal data subject, in the absence of such a number – the number of the identity document of the personal data subject, in cases where this information was indicated by the personal data subject when giving his consent or the processing of personal data is carried out without the consent of the personal data subject;
- statement of the essence of the personal data subject's requirements;
- a personal signature or an electronic digital signature of the personal data subject.
6.3. In order to ensure the legality of personal data processing and the Company's fulfillment of its duties, the personal data subject must:
- provide the Company with reliable information about themselves;
- promptly inform the Company about the clarification (updating, modification) of their personal data.
6.4. Within the framework of personal data processing activities and for the purposes provided for in this Policy, the Company has the right to:
- receive reliable information and/or documents containing personal data from the personal data subject;
- request information from the personal data subject about the relevance and reliability of the personal data provided;
- if the personal data subject withdraws consent to the processing of personal data, continue processing personal data without the consent of the personal data subject if there are grounds specified in the Law;
- if necessary, in order to achieve the purposes of processing personal data, transfer them to third parties in compliance with legal requirements;
- independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of duties stipulated by Law.
6.5. In order to comply with the principles of personal data processing established by law and this Policy, as well as to respect the rights of personal data subjects, the operator undertakes:
- explain to the personal data subject his/her rights related to the processing of personal data established by the legislation of the Republic of Belarus on the protection of personal data, the procedure for their implementation, as well as provide other information to the extent and in the manner prescribed by Law;
- obtain the consent of the personal data subject to the processing of personal data, except in cases provided for by Law and other legislative acts;
- take necessary and sufficient legal, organizational and technical measures to ensure the protection of personal data from unauthorized or accidental access to them;
- at the request of the subject, provide information about his personal data, as well as about the provision of his personal data to third parties, except in cases provided for by Law and other legislative acts;
- make changes to personal data that are incomplete, outdated or inaccurate, except in cases where a different procedure for making changes to personal data is established by legislative acts or if the purposes of personal data processing do not imply subsequent changes to such data;
- terminate the processing of personal data, as well as delete or block them if there are no grounds for processing personal data provided for by Law and other legislative acts;
- notify the authorized body for the protection of the rights of personal data subjects of violations of personal data protection systems immediately, but no later than three working days after the Company became aware of such violations, except in cases stipulated by the authorized body for the protection of the rights of personal data subjects;
- modify, block or delete personal data that is unreliable or illegally obtained at the request of the authorized body for the protection of the rights of personal data subjects, unless another procedure for making changes to personal data, blocking or deleting them is established by legislative acts;
- comply with other requirements of the authorized body for the protection of the rights of personal data subjects on the elimination of violations of the legislation on personal data;
- perform other duties stipulated by the Law and other legislative acts.
7. Measures applied to protect personal data of subjects
7.1. The following measures are applied to ensure that the Company fulfills the obligations of the operator provided for by the legislation in the field of personal data:
- providing personal data subjects with the necessary information before obtaining their consent to the processing of personal data;
- explaining to the subjects of personal data their rights related to the processing of personal data;
- obtaining written consent of personal data subjects to the processing of their personal data, except in cases provided for by law;
- appointment of a structural unit or person responsible for internal control over the processing of personal data in the Company;
- identification of the circle of persons directly involved in the processing of personal data;
- establishment of the procedure for access to personal data, including those processed in an information resource (system);
- publication of documents defining the Company's policy on personal data processing and other documents on personal data processing;
- familiarization of employees who directly process personal data in the Company with the provisions of the legislation on personal data, this Policy and other documents of the Company on personal data processing;
- employee training in accordance with the procedure established by law;
- implementation of technical and cryptographic protection of personal data in the Company in accordance with the procedure established by the Operational and Analytical Center under the President of the Republic of Belarus, in accordance with the classification of information resources (systems) containing personal data;
- termination of the processing of personal data in the absence of grounds for their processing.
7.2. Paper documents containing personal data are stored in lockable cabinets or safes, access to which is restricted only to authorized employees. The issuance and return of such documents is carried out in accordance with the established procedure. When deleting (destroying) personal data on paper, a method is used that excludes the possibility of information recovery.
7.3. Measures to ensure the security of personal data during their processing in information systems are established in accordance with the Company's local legal acts regulating the issues of ensuring the security of personal data during their processing in the Company's information systems.
7.4. It is prohibited to transfer personal data to employees of the Company who are not responsible for internal control over the processing of personal data, as well as to employees of the Company who do not directly process personal data.
7.5. It is prohibited to process personal data without legal grounds for such processing, including cases where there is no consent to perform certain actions with personal data, or for purposes not provided for by such consent.
7.6. In case of assignment of personal data processing to third parties, the relevant agreement must specify:
- purposes of personal data processing;
- the list of actions that will be performed with personal data by an authorized person;
- obligations to respect the confidentiality of personal data;
- measures to ensure the protection of personal data in accordance with article 17 of the Law.
7.7. If there are reasonable doubts about the legality of the processing of personal data or questions regarding the application of legislation on personal data, as well as the Company's documents on personal data (including this Policy), an employee of the Company must seek clarification from the person responsible for internal control over the processing of personal data in the Company.
7.8. For violation of the legislation on the protection of personal data, the guilty person is responsible, as established by legislative acts.
8. The main functions and rights of those responsible for the implementation of internal control over the processing of personal data
8.1. The specialist in internal control over the processing of personal data in the Company (hereinafter referred to as the Specialist) performs organizational, advisory, control, information, educational and other functions related to ensuring comprehensive work on compliance with the legislation on personal data in the Company.
8.2. In accordance with the established procedure, the Specialist performs the duties assigned to him both directly and in cooperation with the relevant structural divisions and employees on issues of the work performed.
8.3. Examines and analyzes the processes of personal data processing in the Company, identifies the risks associated with the processing of personal data, and suggests measures to minimize them.
8.4. Develops and proposes to implement legal and organizational measures to ensure the protection of personal data, including developing and maintaining up-to-date documents defining the Company's policy regarding the processing of personal data.
8.5. Develops documents in the field of personal data processing, coordinates their management and up-to-date maintenance, evaluates the completeness and correctness of information entry in them.
8.6. Organizes the compilation, maintenance and up-to-date maintenance of the register of personal data processing.
8.7. Participates in the definition and implementation of measures for the technical and cryptographic protection of personal data.
8.8. Monitors the Company's compliance with the requirements of legislation and local legal acts, as well as other requirements applicable to the Company regarding the protection of personal data.
8.9. Coordinates and organizes the activities of the Company's structural divisions in matters of personal data processing and protection.
8.10. Monitors the timely introduction by employees of changes to personal data that are incomplete, outdated or inaccurate, termination of processing of personal data, as well as their deletion or blocking in the absence of grounds for processing personal data provided for by legislative acts.
8.11. Develops an audit program and conducts checks on compliance with the requirements of legislation and local legal acts on personal data in the Company's structural divisions to identify violations and prevent their occurrence.
8.12. Identifies violations by employees of the requirements for the processing of personal data, makes proposals to bring the perpetrators to justice.
8.13. Advises the Company's employees on the processing and protection of personal data.
8.14. Coordinates local legal acts and contracts for their compliance with the legislation on personal data.
8.15. Participates in the organization of training for employees who process personal data on the processing and protection of personal data in accordance with the procedure established by law.
8.16. Offers optimal forms of employee training based on their work functions.
8.17. Considers (participates in the consideration of) applications and complaints of personal data subjects regarding the processing of personal data, takes the necessary measures to restore their violated rights.
8.18. Ensures cooperation with the National Center for Personal Data Protection of the Republic of Belarus, other government agencies and organizations on personal data protection issues, including notification of violations of personal data protection systems, compliance with the requirements of the authorized body for the protection of the rights of personal data subjects to eliminate violations of the legislation on personal data.
8.19. Prepares reports within the scope of his official duties.
8.20. Performs other duties as ordered by the Company's legal department, which are within its competence and do not contradict the current legislation.
9. Control over compliance with the legislation and local legal acts of the Company in the field of personal data. Liability for violations
9.1. The Organization's compliance with the legislation of the Republic of Belarus and local legal acts of the Company in the field of personal data, including requirements for personal data protection, is monitored in order to verify the compliance of personal data processing in the organization with the legislation of the Republic of Belarus and local legal acts of the Organization in the field of personal data, including requirements for personal data protection, as well as measures taken to prevent and detect violations of the legislation of the Republic of Belarus in the field of personal data, identify possible channels of leakage and unauthorized access to personal data, and eliminate the consequences of such violations.
9.2. Internal control over compliance by the organization and internal structural divisions with the legislation of the Republic of Belarus, local legal acts of the organization in the field of personal data, including requirements for personal data protection, is carried out by the person responsible for internal control over the processing of personal data in the Company.
9.3. Employees and other persons guilty of violating this policy, as well as legislation in the field of personal data, may be brought to civil, administrative and criminal liability in accordance with the procedure established by the legislation of the Republic of Belarus.
9.4. Employees of the Company who are allowed to process personal data of employees, for disclosing information obtained in the course of their work, are subject to disciplinary, administrative or criminal liability in accordance with the current legislation of the Republic of Belarus.
9.5. Personal responsibility for compliance with the requirements of the legislation of the Republic of Belarus and local legal acts of the Company in the field of personal data in the structural unit, as well as for ensuring the confidentiality and security of personal data in these units is assigned to the heads of these units.
9.6. This Policy applies to all clients and employees, as well as employees of the Company who have access to and perform a list of actions with personal data of clients and employees. The Company's clients, as well as their legal representatives, have the right to review this Policy. The Company's employees are required to familiarize themselves with these Regulations.
9.7. Employees and other persons guilty of violating the legislation in the field of personal data, this Policy and other local legal acts may be brought to disciplinary and financial responsibility, as well as to civil, administrative and criminal liability in accordance with the procedure provided for by the legislation of the Republic of Belarus.
10. Final provisions
10.1. Issues related to the processing of personal data that are not specified in this Policy are regulated by the legislation of the Republic of Belarus.
10.2. If any provision of the Policy is found to be contrary to the law, the remaining provisions remain in force and are valid, and any invalid provision will be considered deleted or amended to the extent necessary to ensure its compliance with the law.
10.3. The Company has the right, at its discretion, to change and (or) supplement the terms of this Policy without prior notification to the subjects of personal data.
10.4. This Policy comes into force from the date of its approval.
10.5. If it is necessary to bring this Policy in line with the newly adopted legislative acts, changes are made on the basis of the Order of the head.