GEXATEQ’s Policy on Personal Data Processing

1. General provisions

1.1 This GEXATEQ Policy regarding the processing of personal data (hereinafter referred to as the Policy) is developed in accordance with paragraph 1, clause 3, article 17 of the Law No. 99-Z “On the Protection of Personal Data” dated May 7, 2021 (hereinafter referred to as the Personal Data Protection Law) in order to ensure the protection of the rights and freedoms of individuals when processing their personal data, including the protection of rights to privacy, personal and family secrets.

1.2 This Policy applies to all personal data processed by GEXATEQ (hereinafter referred to as the “Operator“).

1.3 This Policy applies to relationships in the field of personal data processing that arise both before and after the approval of this Policy.

1.4 In accordance with the requirements of paragraph 4 of article 17 of the Personal Data Protection Law, this Policy is published openly on the Operator’s website.

1.5 Key concepts used in the Policy:

  • personal data – any information relating to an identified or identifiable natural person;
  • data subject – an individual whose personal data is being processed;
  • data controller (operator) – GEXATEQ independently processing personal data;
  • processing of personal data – any action (operation) or set of actions (operations) performed with personal data, whether automated or not;
    Processing of personal data includes, among others:
    – collection;
    – recording;
    – systematization;
    – accumulation;
    – storage;
    – clarification (updating, modification);
    – extraction;
    – use;
    – transfer (distribution, provision, access);
    – de-identification;
    – blocking;
    – deletion;
    – destruction;
  • automated processing of personal data – processing of personal data using computer technology;
  • distribution of personal data – actions aimed at disclosing personal data to an indefinite circle of persons.
  • provision of personal data – actions aimed at familiarizing certain individuals or groups of individuals with personal data;
  • blocking personal data – restricting access to personal data without deleting it;
  • deletion of personal data – actions that make it impossible to restore the content of personal data in the personal data information system and/or result in the destruction of material media containing personal data.
  • anonymization of personal data – actions that make it impossible, without the use of additional information, to determine the ownership of personal data to a specific subject of personal data.
  • personal data information system – a set of personal data contained in databases and ensuring their processing by information technologies and technical means.

1.6. The main rights and responsibilities of the Operator.

1.6.1 The operator has the right to:

  1. independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of duties provided for by the Personal Data Protection Law and adopted in accordance with it regulatory legal acts, unless otherwise provided by law;
  2. entrust the processing of personal data to another person, unless otherwise provided by law, based on a contract concluded with this person. The person processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for by the Personal Data Protection Law;
  3. in case the data subject withdraws consent to the processing of personal data, the Operator has the right to continue processing personal data without the consent of the data subject if there are grounds specified in the Personal Data Protection Law.

1.6.2 The Operator is obliged:

  1. organize the processing of personal data in accordance with the requirements of the Personal Data Protection Law;
  2. respond to inquiries and requests from data subjects in accordance with the requirements of the Personal Data Protection Law;
  3. report to the authorized body for the protection of data subjects’ rights;
  4. require the Operator to block or delete their personal data that has been unlawfully obtained or is not necessary for the stated purpose of processing, as well as to take legal measures to protect their rights;
  5. at any time, withdraw your consent to the processing of personal data without giving reasons;
  6. to comply with the requirements of the authorized body for the protection of the rights of data subjects regarding the elimination of violations of personal data legislation.

1.7 The data subject has the right:

  1. at any time without explaining the reasons to withdraw his consent by submitting a statement to the Operator in the manner prescribed by the legislation on personal data protection, or in the form through which his consent was obtained;
  2. obtain information regarding the processing of personal data, containing:
    – the name (surname, first name, patronymic (if any)) and location (residential address (place of stay)) of the Operator;
    – confirmation of the fact of processing personal data by the Operator (authorized person);
    – his personal data and the source of their receipt;
    – legal grounds and purposes of personal data processing;
    – the period for which his consent is given;
    – the name and location of the authorized person, which is a state body, a legal entity of the Republic of Belarus, or another organization, if the processing of personal data is entrusted to such a person;
    – other information provided by law;
  3. demand that the Operator make changes to his personal data in case the personal data is incomplete, outdated, or inaccurate. For this purpose, the data subject submits a statement to the Operator in the manner prescribed by the legislation on personal data protection, with the attachment of relevant documents and/or their certified copies confirming the need to make changes to personal data;
  4. receive information from the Operator about the provision of his personal data to third parties once a year free of charge, unless otherwise provided by the legislation on personal data protection and other legislative acts. To obtain this information, the data subject submits a request to the Operator. The data subject’s request must contain:
    – the surname, first name, patronymic (if any) of the data subject, the address of his place of residence (place of stay);
    – the date of birth of the data subject;
    – идентификационный номер субъекта персональных данных, при отсутствии такого номера – the identification number of the data subject, in the absence of such number – the document number confirming the identity of the data subject, in cases where this information was indicated by the data subject when giving his consent to the Operator or when the processing of personal data is carried out without the consent of the data subject;
    – an explanation of the essence of the data subject’s requirements;
    – the personal signature or electronic digital signature of the data subject;
  5. demand from the Operator the free termination of processing their personal data, including their deletion, in the absence of grounds for processing personal data provided by the legislation on the protection of personal data and other legislative acts. To exercise this right, the subject of personal data shall submit an application to the Operator in the manner prescribed by the Law on the protection of personal data.
  6. appeal against actions (inaction) and decisions of the Operator that violate his rights in the processing of personal data to the authorized body for the protection of the rights of personal data subjects in the manner established by the legislation on appeals of citizens and legal entities.

1.8 The right of the individual (data subject) to access his personal data may be restricted in accordance with the legislation of the Republic of Belarus.

1.9 All requests from subjects or their representatives in connection with the processing of their personal data are recorded in the corresponding journal.

1.10 The data subject is obligated to:

  1. provide the Operator with accurate personal data;
  2. promptly inform the Operator of any changes and additions to their personal data;
  3. exercise their rights in accordance with the legislation of the Republic of Belarus and the Operator’s local legal acts in the field of processing and protection of personal data;
  4. fulfill other obligations provided by the legislation of the Republic of Belarus and the Operator’s local legal acts in the field of processing and protection of personal data.

1.11 Compliance with the Policy requirements is monitored by the person responsible for organizing the processing of personal data at the Operator.

1.12 Responsibility for violating the requirements of the legislation of the Republic of Belarus and the Operator’s regulatory acts in the field of processing and protection of personal data is determined in accordance with the legislation of the Republic of Belarus.

2. Purposes of collecting personal data

2.1 The processing of personal data is limited to the achievement of specific, predetermined, and lawful purposes. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.

The source of information about all personal data is directly the subject of personal data. Unless otherwise provided by law, the Operator may obtain personal data of the subject of personal data from third parties only with the notification of the subject, or with the written consent of the subject to receive his personal data from third parties.

The notification of the subject of personal data about the receipt of his personal data from third parties should include:

  1. the name of the Operator and the address of its location;
  2. the purpose of processing personal data and its legal basis;
  3. the intended users of personal data;
  4. the rights of the subject of personal data established by law;
  5. the source of obtaining personal data.

2.2 Only personal data that meets the purposes of its processing is subject to processing.

2.3 The processing of personal data by the Operator is carried out for the following purposes:
– ensuring compliance with the legislation of the Republic of Belarus;
– implementation and fulfillment of the Operator’s functions, powers, and duties in accordance with its charter and legislation;
– personnel management;
– assistance to employees in employment, education, career advancement, personal safety of employees, control of the quantity and quality of work performed, ensuring the safety of property;
– recruitment and selection of candidates for employment at the Operator;
– organization of individual (personalized) record-keeping of employees in the mandatory pension insurance system;
– filling out and submission of required reporting forms to executive authorities and other authorized organizations;
– implementation of civil law relations;
– accounting;
– performance of tax agent duties;
– implementation of access control measures;
– other purposes aimed at ensuring compliance with labor contracts, laws, and other regulatory legal acts.

2.4 The processing of employees’ personal data may only be carried out for the purpose of ensuring compliance with laws and other regulatory legal acts.

3. Legal grounds for personal data processing

3.1 The legal basis for the processing of personal data is a set of regulatory legal acts, in accordance with which the Operator carries out the processing of personal data, including:
– Constitution of the Republic of Belarus;
– Civil Code of the Republic of Belarus;
– Labor Code of the Republic of Belarus;
– Tax Code of the Republic of Belarus;
– Law on Personal Data Protection;
– other regulatory legal acts regulating relations related to the activities of the Operator.

3.2 The legal basis for the processing of personal data also includes:
– the charter of the Operator;
– contracts concluded between the Operator and the subjects of personal data;
– consent of the subjects of personal data to the processing of their personal data.

4. Volume and categories of processed personal data, categories of subjects of personal data

4.1 The content and volume of processed personal data must correspond to the stated purposes of processing, as provided in section 2 of the Policy. The processed personal data must not be excessive in relation to the stated purposes of their processing.

4.2 The Operator may process the listed personal data of the following categories of data subjects.

4.2.1 Candidates for employment with the Operator:
– surname, name, patronymic;
– gender;
– citizenship;
– date and place of birth;
– contact details;
– information on education, work experience, qualifications;
– other personal data provided by candidates in resumes and cover letters.

4.2.2 Employees and former employees of the Operator:
– surname, name, patronymic;
– gender;
– citizenship;
– date and place of birth;
– photo;
– passport details;
– address of registration at the place of residence;
– actual address of residence;
– contact details;
– individual taxpayer number;
– information on education, qualifications, professional training and development;
– marital status, presence of children, family ties;
– information on work activities, including rewards, awards, and (or) disciplinary actions;
– details of marriage registration;
– information on military registration;
– information on disability;
– information on alimony deductions;
– information on income from previous employment;
– other personal data provided by employees in accordance with labor legislation.

4.2.3 Family members of Operator’s employees:
– surname, name, patronymic;
– degree of relationship;
– year of birth;
– other personal data provided by employees in accordance with labor legislation.

4.2.4 Customers and contractors of the Operator (individuals):
– surname, name, patronymic;
– date and place of birth;
– passport details;
– address of registration at the place of residence;
– contact details;
– individual taxpayer number;
– bank account number;
– other personal data provided by clients and contractors (individuals) necessary for the conclusion and performance of contracts.

4.2.5 Representatives (employees) of the clients and contractors of the Operator (legal entities):
– surname, name, patronymic;
– passport details;
– contact details;
– position held;
– other personal data provided by representatives (employees) of clients and contractors necessary for the conclusion and performance of contracts.

4.3 Processing by the Operator of biometric personal data (such as photographs) is carried out in accordance with the legislation of the Republic of Belarus.

4.4 The Operator does not process special categories of personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, intimate life, except as provided by the legislation of the Republic of Belarus.

5. Processing of personal data

5.1 The processing of personal data is carried out by the Operator in accordance with the requirements of the legislation of the Republic of Belarus.

5.2 The processing of personal data is carried out with the consent of the subjects of personal data to process their personal data, as well as without such consent in cases provided for by the legislation of the Republic of Belarus.

5.3 The Operator carries out both automated and non-automated processing of personal data.

5.4 Employees of the Operator, whose official duties include processing of personal data, are allowed to process personal data.

5.5 The processing of personal data is carried out by:
– obtaining personal data orally and in writing directly from the subjects of personal data;
– obtaining personal data from publicly available sources;
– entering personal data into the journals, registers, and information systems of the Operator;
– using other methods of processing personal data.

5.6 Disclosure of personal data to third parties and distribution of personal data without the consent of the data subject is not allowed, unless otherwise provided by law. Consent to the processing of personal data allowed by the data subject for distribution is documented separately from other consents of the data subject to the processing of his personal data.
The written consent of the data subject to the processing of his personal data must include:

  1. last name, first name, patronymic (if any);
  2. date of birth;
  3. identification number, and in the absence of such a number – the number of the identity document;
  4. signature of the data subject. If the purposes of processing personal data do not require processing of information, this information is not processed by the Operator when obtaining consent from the data subject.

5.7 The transfer of personal data to the investigative and law enforcement agencies, tax authorities, the Social Security Fund, and other executive authorities and organizations is carried out in accordance with the requirements of the legislation of the Republic of Belarus.

5.8 The Operator takes the necessary legal, organizational, and technical measures to protect personal data from unauthorized or accidental access to them, destruction, alteration, blocking, distribution, and other unauthorized actions, including:
– identifying threats to the security of personal data during their processing;
– adopts local regulatory acts and other documents regulating relations in the field of processing and protecting personal data;
– appoints individuals responsible for ensuring the security of personal data in the structural units and information systems of the Operator;
– creating the necessary conditions for working with personal data;
– organizes the accounting of documents containing personal data;
– organizes work with information systems in which personal data are processed;
– stores personal data in conditions that ensure their safety and prevent unauthorized access to them;
– organizes training for employees of the Operator who process personal data.

5.9 The Operator stores personal data no longer than is required for the purposes of processing personal data, if the period for storing personal data is not established by the legislation of the Republic of Belarus.

5.10 When storing personal data, conditions ensuring the safety of personal data must be observed.

5.11 Documents containing personal data stored on paper are kept in specially designated areas with limited access and under conditions that ensure protection from unauthorized access. The list of document storage locations is determined by the Operator.

5.12 Personal data stored in electronic form is protected from unauthorized access using special technical and software security measures. Storing personal data in electronic form outside of the Operator’s information systems and specifically designated Operator databases (non-system storage of personal data) is not allowed.

5.13 Storage of personal data should be in a form that allows the identification of the data subject, but not longer than necessary for the purposes of their processing, unless a different period is established by the legislation of the Republic of Belarus or by a contract in which the data subject is a party, beneficiary, or guarantor.

5.14 If otherwise is not provided by law, personal data being processed shall be destroyed or depersonalized upon achieving the processing objectives, in case of loss of the need to achieve these objectives or upon expiration of the storage periods.

5.15 Destruction or depersonalization of personal data must be carried out in a way that excludes further processing of this personal data. In this case, if necessary, the possibility of processing other data recorded on the corresponding material media should be preserved (deletion, erasure).

5.16 If it is necessary to destroy or block some of the personal data, the material carrier is destroyed or blocked with prior copying of the information not subject to destruction or blocking, in a way that excludes simultaneous copying of the personal data subject to destruction or blocking.

5.17 Access to personal data is provided only to those employees of the Operator whose official duties involve working with personal data, and only for the period necessary to work with the relevant data. The list of such persons is determined by the Operator.

5.18 In case there is a need to provide access to personal data to employees who are not included in the list of individuals with access to personal data, temporary access to a limited amount of personal data may be granted by order of the director of the company or another person authorized by the director of the company.

5.19 The relevant employees must sign and familiarize themselves with all local legal acts of the Operator in the field of personal data, and must also sign a commitment to non-disclosure of personal data. Employees who process personal data without using automation tools are informed (including by familiarizing themselves with this Regulation) about the fact that they are processing personal data, the categories of personal data being processed, as well as the specifics and rules of such processing established by legislation and this Regulation.

5.20 Employees of the Operator who do not have properly documented access are prohibited from accessing personal data.

5.21 When it is necessary to use or distribute certain personal data separately from other personal data on the same physical medium, the personal data subject to distribution or use is copied in a way that excludes the simultaneous copying of personal data that are not subject to distribution and use, and a copy of the personal data is used (distributed).

5.22 Clarification of personal data during processing without the use of automation tools is carried out by updating or changing the data on the physical medium, and if this is not allowed by the technical features of the physical medium, by recording on the same physical medium information about the changes made to them or by creating a new physical medium with updated personal data.

5.23 The transfer of personal data of subjects to third parties is allowed in the minimum necessary volumes and only for the purpose of fulfilling tasks corresponding to the objective reason for collecting this data.

5.24 The transfer of personal data to third parties, including for commercial purposes, is allowed only with the consent of the data subject or other legal basis.

5.25 When transferring personal data to third parties, the subject must be notified of such transfer, except in cases defined by legislation, in particular, if:

  1. the subject of personal data has been informed about the processing of his personal data by the Operator, who received the relevant data from the Operator;
  2. personal data have been made public by the subject of personal data or obtained from a public source;
  3. personal data are processed for statistical or other research purposes, for the professional activities of a journalist, or for scientific, literary, or other creative activities, provided that the rights and legitimate interests of the subject of personal data are not violated.

5.26 The transfer of information containing personal data must be carried out in a way that ensures protection against unauthorized access, destruction, alteration, blocking, copying, distribution, as well as other unlawful actions in relation to such information.

5.27 Cross-border transfer of personal data is prohibited if a foreign country does not provide an adequate level of protection for the rights of personal data subjects, except in cases when:

  • the personal data subject has given consent, provided that the data subject is informed of the risks associated with the lack of adequate protection;
  • personal data is obtained based on a contract concluded with the data subject for the purpose of performing actions specified in the contract;
  • personal data can be obtained by any person through a request in cases and in the manner provided by law;
  • such transfer is necessary to protect the life, health, or other vital interests of the data subject or other individuals, if obtaining consent from the data subject is impossible;
  • personal data processing is carried out in accordance with Belarusian international agreements;
  • such transfer is carried out by a financial monitoring agency for the purpose of taking measures to prevent the legalization of proceeds from criminal activities, financing of terrorist activities, and financing of the proliferation of weapons of mass destruction in accordance with the law;
  • appropriate authorization has been obtained from the authorized body for the protection of the rights of personal data subjects.

5.28 Individuals receiving personal data must be informed that this data can only be used for the purposes for which it was provided, and in compliance with the confidentiality regime. The operator may require these individuals to confirm that this rule has been followed.

5.29 In cases where government agencies have the right to request personal data or personal data must be provided in accordance with the law, as well as in accordance with a court order, the relevant information may be provided to them in the manner provided by the current legislation of the Republic of Belarus.

5.30 All incoming requests must be transferred to the person responsible for organizing the processing of personal data at the Operator, for preliminary review and approval.

5.31 The Operator has the right to entrust the processing of personal data to an authorized person.

5.32 The contract between the Operator and the authorized person, legislative act or decision of a government agency must define:

  • the purposes of processing personal data;
  • a list of actions that will be taken with personal data by the authorized person;
  • responsibilities for maintaining the confidentiality of personal data;
  • measures to ensure the protection of personal data in accordance with Article 17 of the Law on Personal Data Protection.

5.33 The authorized person is not required to obtain the consent of the data subject. If obtaining the consent of the data subject is necessary for processing personal data at the Operator’s request, the Operator obtains such consent.

5.34 In case the Operator entrusts the processing of personal data to an authorized person, the Operator is responsible for the actions of the specified person towards the data subject. The authorized person is responsible to the Operator.

5.35 Protection of personal data includes a set of legal, organizational, and technical measures aimed at:

  1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unauthorized actions with respect to such information;
  2. maintaining the confidentiality of restricted access information;
  3. implementing the right to access information.

5.36 To protect personal data, the Operator takes the necessary measures provided by law (including, but not limited to):

  1. limits and regulates the composition of employees whose functional duties require access to information containing personal data (including through the use of access passwords to electronic information resources);
  2. provides conditions for storing documents containing personal data in restricted access;
  3. organizes the procedure for destroying information containing personal data if there are no requirements for storing such data established by legislation;
  4. monitors compliance with requirements for ensuring the security of personal data, including those established by this Regulation (through internal audits, establishment of special monitoring tools, etc.);
  5. investigates cases of unauthorized access or disclosure of personal data, involving the responsible employees and taking other measures;
  6. implements software and technical means of protecting information in electronic form;
  7. ensures the possibility of recovering personal data that has been modified or destroyed due to unauthorized access to them.

5.37 To protect personal data during their processing in information systems, the Operator takes necessary measures provided by law (including, but not limited to):

  1. identifying threats to the security of personal data during their processing;
  2. applying organizational and technical measures to ensure the security of personal data during their processing in personal data information systems, necessary to fulfill the requirements for the protection of personal data;
  3. accounting for storage media of personal data;
  4. detecting instances of unauthorized access to personal data and taking measures;
  5. restoring personal data that has been modified or destroyed due to unauthorized access to them;
  6. establishing rules for access to personal data processed in the personal data information system, as well as ensuring registration and tracking of all actions taken with personal data in the personal data information system.

6. Updating, correcting, deleting and destroying personal data, responding to requests from individuals for access to personal data.

6.1 Confirmation of the fact of processing personal data by the Operator, legal grounds and purposes of processing personal data, as well as other information specified in paragraphs 1 and 4 of Article 11 of the Personal Data Law, are provided by the Operator to the subject of personal data upon receipt of a statement from the subject of personal data.
The information provided does not include personal data related to other subjects of personal data, except in cases where there are legal grounds for disclosing such personal data.
The statement must contain:
– surname, first name, patronymic (if any) of the subject of personal data, address of his place of residence;
– date of birth of the subject of personal data;
– identification number of the subject of personal data, in the absence of such a number – the number of the identity document of the subject of personal data, in cases where this information was provided by the subject of personal data when giving consent to the operator or processing of personal data is carried out without the consent of the subject of personal data;
– the essence of the requirements of the subject of personal data;
– personal signature or electronic digital signature of the subject of personal data.

The statement can be sent in writing, in the form of an electronic document signed with an electronic digital signature in accordance with the legislation of the Republic of Belarus.

If the statement of the subject of personal data does not reflect all the necessary information in accordance with the requirements of the Personal Data Law or the subject does not have rights to access the requested information, a reasoned refusal is sent to him.

The subject of personal data may be refused in providing information in accordance with paragraph 3 of Article 11 of the Personal Data Law.

6.2 In case of inaccurate personal data being identified upon a request from the data subject or at the request of the authorized body for the protection of personal data subjects’ rights, the Operator shall block the personal data related to this data subject from the moment of receiving such request or inquiry for the period of verification.

If the inaccuracy of the personal data is confirmed, the Operator, based on the information provided by the data subject or the authorized body for the protection of personal data subjects’ rights, or other necessary documents, shall correct the personal data within 15 days from the date of providing such information and remove the block on the personal data.

6.3 In case of unlawful processing of personal data upon receiving a statement from the data subject or a request from the authorized body for the protection of the rights of data subjects, the Operator blocks the unlawfully processed personal data related to this data subject from the moment of such request or receipt of the statement (request).

6.4 Upon achieving the purposes of processing personal data, as well as in case of withdrawal by the data subject of consent to their processing, the personal data shall be deleted, unless otherwise provided for by another agreement between the Operator and the data subject or by legislation.

For any additional information, you can contact us at info@gexateq.com